Citation

Network Analysis of Attack Flows in Ransomware Groups and Campaigns

Author: Shin, Jeongkeun; Zhai, Siyuan; Carley, L. Richard; Carley, Kathleen M.; Thomson, Robert; Renshaw, Scott; Al-khateeb, Samer; Burger, Annetta; Park, Patrick; Pyke, Aryn A.
Year: 2026

Ransomware attacks have become a major threat to organizations worldwide, leveraging both technical vulnerabilities and social engineering to infiltrate target networks. While many security research teams provide extensive information about the tactics, techniques, and procedures (TTPs) used by threat groups and campaigns, there is still limited insight into the actual attack flows and transition patterns between techniques. In this study, we selected 19 MITRE ATT&CK groups and campaigns with confirmed histories of ransomware activity and systematically modeled their attack flows as network graphs. By integrating these into a unified ransomware attack flow network, we performed comprehensive analyses including hub centrality, betweenness centrality, and frequency analysis. Through this analysis, we identified nine recurring patterns within the integrated ransomware attack network. We also found that techniques related to discovery and tool transfer exhibited high hub centrality, and techniques associated with execution were found to have high betweenness centrality. Based on these findings, we discuss potential practical defensive strategies. This research demonstrates the value of network-based analysis in identifying key vulnerabilities and improving organizational preparedness against evolving ransomware threats.