Ransomware Kill Chain
Status: contained
Attacker Type: AUTOMATED TOOL
Confidence: 87%
Kill Chain: Execution
Events: 89
CRS Score: 88
Elapsed: 3m
EVENT TIMELINE
critical  15:10:00  Apache Struts exploitation attempt detected
critical  15:10:03  Ransomware binary download initiated
info      15:10:08  CIE: Instance network-isolated in 8ms
info      15:10:15  Canary tokens detonated across 12 file shares
ATTACK NARRATIVE
Automated ransomware toolkit detected attempting execution on a compromised EC2 instance via an exploited Apache Struts vulnerability (CVE-2024-53677). The CIE identified the attack pattern as matching BlackCat/ALPHV ransomware within 8ms. Immediate containment measures included network isolation of the affected instance, canary token detonation across adjacent file shares, and deployment of a deceptive encryption target. The ransomware binary was captured and detonated in a sandboxed environment for IOC extraction. All predicted paths to the domain controller have been severed.
Affected Assets
- ec2-web-prod-03
- efs-shared-data
- s3-backups-prod
Agent Layers Involved
- infra
- container
- data
PREDICTED NEXT MOVES
01  Deploy encryption payload via PsExec
02  Disable Volume Shadow Copy service
03  Enumerate network shares for lateral spread
Pre-Blocked Paths
BLOCKED  Deploy encryption payload via PsExec
BLOCKED  Disable Volume Shadow Copy service
BLOCKED  Enumerate network shares for lateral spread
COUNTER-ACTIONS EXECUTED
15:10:08  Network isolation of ec2-web-prod-03
15:10:15  Canary token detonation on 12 file shares
15:10:45  Sandboxed binary detonation for IOC extraction