How Does a Ransomware Attack Work?

Lewis Fairburn

Head of Marketing

How Does Ransomware Work?

Ransomware works by gaining a foothold on a computer or network and then denying the owner access to their own data. Criminals typically use phishing email, exposed remote-access services or exploitable software flaws to get malicious software running on the victim's machine. Once running, the ransomware encrypts files using standard, strong cryptography; the victim cannot break the encryption because the algorithm is not the weak point, the attacker simply holds the only copy of the key. The criminal then demands payment in exchange for the decryption key that would restore access.

Stage 1: Malware distribution and infection

Ransomware attacks typically follow a multi-stage process, starting with the distribution of malware and culminating in the encryption of a victim's files. In the first stage, known as malware distribution and infection, threat actors employ various techniques to deliver malicious software onto a victim's device.

One common attack vector is phishing, where attackers send deceptive emails carrying malicious attachments or links. When an unsuspecting user opens the attachment or follows the link, the malware is downloaded and executed on their device. Another is the exploitation of software vulnerabilities: threat actors identify weaknesses in operating systems, browsers or internet-facing applications, create or acquire exploits for them, and deliver the malware either directly against the exposed service or through compromised websites that trigger drive-by downloads.

A different approach targets Remote Desktop Protocol (RDP) services exposed to the internet, typically by brute-forcing or using stolen credentials, and is often successful where multi-factor authentication is not enforced. Having gained an interactive session on a victim's machine, attackers can install and execute the ransomware by hand. This method is particularly prevalent in attacks against organisations.
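The RDP/stolen-credential vector described above leaves a distinctive trail in authentication logs: a burst of failed logons from one source followed by a success. The detection below is an added example, not code from the original article; its input is a constructed, simplified rendering of Windows Security events (event IDs 4625 and 4624, logon type 10 for RDP), and the field layout is an assumption that would be adapted to your SIEM's schema.

```python
"""Detect a burst of failed logons followed by a successful logon from the
same source, the pattern left behind by RDP brute force or credential stuffing.

Added example, not from the original article. The events are a constructed,
simplified rendering of Windows Security log records: 4625 is a failed logon,
4624 a successful one; logon type 10 is RemoteInteractive (RDP), 3 is Network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, source_ip, target_user, logon_type)
SAMPLE_EVENTS = [
    # An attacker sprays several accounts over RDP, then gets in as jsmith.
    ("2024-03-01T02:00:01", 4625, "203.0.113.45", "administrator", 10),
    ("2024-03-01T02:00:04", 4625, "203.0.113.45", "admin", 10),
    ("2024-03-01T02:00:07", 4625, "203.0.113.45", "backup", 10),
    ("2024-03-01T02:00:10", 4625, "203.0.113.45", "jsmith", 10),
    ("2024-03-01T02:00:13", 4625, "203.0.113.45", "jsmith", 10),
    ("2024-03-01T02:00:16", 4625, "203.0.113.45", "jsmith", 10),
    ("2024-03-01T02:00:19", 4624, "203.0.113.45", "jsmith", 10),
    # A user mistypes a password twice, then logs in: benign.
    ("2024-03-01T08:15:00", 4625, "198.51.100.7", "akhan", 10),
    ("2024-03-01T08:15:20", 4625, "198.51.100.7", "akhan", 10),
    ("2024-03-01T08:15:40", 4624, "198.51.100.7", "akhan", 10),
    # Five failures, then a success half an hour later: outside the window.
    ("2024-03-01T11:00:00", 4625, "192.0.2.9", "svc_sql", 3),
    ("2024-03-01T11:00:10", 4625, "192.0.2.9", "svc_sql", 3),
    ("2024-03-01T11:00:20", 4625, "192.0.2.9", "svc_sql", 3),
    ("2024-03-01T11:00:30", 4625, "192.0.2.9", "svc_sql", 3),
    ("2024-03-01T11:00:40", 4625, "192.0.2.9", "svc_sql", 3),
    ("2024-03-01T11:30:00", 4624, "192.0.2.9", "svc_sql", 3),
]


def detect_bruteforce_then_success(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP whose successful logon was preceded by at
    least `fail_threshold` failures within `window`.  Failures older than the
    window are discarded as each new event is processed."""
    recent_failures = defaultdict(list)   # source_ip -> timestamps of failures
    alerts = []
    for ts, event_id, source_ip, user, logon_type in sorted(events):
        now = datetime.fromisoformat(ts)
        recent_failures[source_ip] = [
            t for t in recent_failures[source_ip] if now - t <= window
        ]
        if event_id == 4625:
            recent_failures[source_ip].append(now)
        elif event_id == 4624:
            failures = len(recent_failures[source_ip])
            if failures >= fail_threshold:
                alerts.append({
                    "source_ip": source_ip,
                    "user": user,
                    "logon_type": logon_type,
                    "failures_before_success": failures,
                    "success_at": ts,
                })
            # A success ends the sequence either way.
            recent_failures[source_ip].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Keying on the source address rather than the target account is deliberate: password spraying touches many accounts a few times each, so a per-account counter never trips, whereas the source stays constant. The window and threshold are tunable; the third group of events shows that stale failures are dropped, so a genuine user who fails in the morning and succeeds at lunch does not fire.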

Stage 2: Command and control

In the second stage of a ransomware attack, known as command and control (C2), the malware establishes a communication line with the attacker, enabling a two-way flow of information. This stage is crucial for the attacker to maintain control over the infected system and execute further malicious actions.

Once the ransomware infects a device, it initiates the C2 process by connecting to a remote server controlled by the attacker. This communication allows the attacker to remotely control the malware and issue commands. It also provides an avenue for the ransomware to download additional malware onto the compromised system.

During the command and control stage, the ransomware may remain dormant, lying in wait for further instructions from the attacker. This allows the threat actor to choose the opportune time to initiate the attack and encrypt the victim's files. The attacker may also use this stage to conduct lateral movement within the network, seeking out valuable data and compromising additional devices or backup systems.

Establishing and maintaining command and control is therefore central to how ransomware operators work: it lets them tailor the attack to the victim, stage the ransom demand, and in some families report back the keys needed to decrypt files if payment is made. One caveat for defenders: not every family needs a live C2 channel to encrypt. Some embed the operator's public key in the binary and run entirely offline, so blocking C2 traffic limits the attacker's control but does not by itself prevent encryption. Understanding the C2 stage is still crucial, because beaconing to the operator's infrastructure is often the earliest network-visible sign of an infection.
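A dormant implant is not silent: it has to check in with its C2 server, and it tends to do so on a timer. The script below is an added example, not from the original article or any particular product; it runs over a constructed proxy log (the field layout is an assumption) and flags client/server pairs whose request intervals are almost constant, which is what a beacon looks like next to ordinary browsing.

```python
"""Flag hosts that contact the same external server at suspiciously regular
intervals, the network footprint of a malware beacon checking in with its C2.

Added example, not from the original article. The proxy log is constructed;
the field layout (timestamp, client IP, method, URL, bytes) is an assumption
and would be adapted to whatever your proxy or NetFlow source emits.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample log: an infected host checks in roughly every 60 s with
# a few seconds of jitter, while a second host browses a site irregularly.
SAMPLE_PROXY_LOG = """\
2024-03-01T10:00:00 10.0.0.15 GET https://cdn-updates.example.net/ping 512
2024-03-01T10:00:00 10.0.0.22 GET https://www.example.com/ 14302
2024-03-01T10:00:07 10.0.0.22 GET https://www.example.com/news 22110
2024-03-01T10:01:02 10.0.0.15 GET https://cdn-updates.example.net/ping 498
2024-03-01T10:01:59 10.0.0.15 GET https://cdn-updates.example.net/ping 503
2024-03-01T10:03:01 10.0.0.15 GET https://cdn-updates.example.net/ping 511
2024-03-01T10:03:45 10.0.0.22 GET https://www.example.com/about 9800
2024-03-01T10:04:00 10.0.0.15 GET https://cdn-updates.example.net/ping 507
2024-03-01T10:04:10 10.0.0.22 GET https://www.example.com/contact 3100
2024-03-01T10:05:03 10.0.0.15 GET https://cdn-updates.example.net/ping 499
2024-03-01T10:05:58 10.0.0.15 GET https://cdn-updates.example.net/ping 502
2024-03-01T10:07:01 10.0.0.15 GET https://cdn-updates.example.net/ping 510
2024-03-01T10:12:30 10.0.0.22 GET https://www.example.com/news 22110
2024-03-01T10:12:33 10.0.0.22 GET https://www.example.com/news/item1 8000
2024-03-01T10:25:00 10.0.0.22 GET https://www.example.com/ 14302
2024-03-01T10:40:11 10.0.0.22 GET https://www.example.com/news 22110
"""


def parse_proxy_log(text):
    """Yield (timestamp, client_ip, destination_host) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _size = line.split()
        yield datetime.fromisoformat(ts), client, urlsplit(url).hostname


def find_beacons(text, min_events=6, max_cv=0.15):
    """Return (client, host) pairs whose inter-request intervals are nearly
    constant.  The coefficient of variation (stdev / mean) is used because it
    is scale-free: a 60 s beacon and a 4 h beacon look alike.  Pairs with fewer
    than `min_events` requests are ignored to avoid judging on too little data."""
    timestamps = defaultdict(list)
    for ts, client, host in parse_proxy_log(text):
        timestamps[(client, host)].append(ts)

    beacons = []
    for (client, host), times in timestamps.items():
        if len(times) < min_events:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean == 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            beacons.append({
                "src": client, "dst": host, "requests": len(times),
                "mean_interval_s": round(mean, 1), "cv": round(cv, 3),
            })
    return sorted(beacons, key=lambda b: b["cv"])


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_PROXY_LOG):
        print("BEACON:", beacon)
```

Real implants add jitter on purpose, so `max_cv` is a knob rather than a constant, and legitimate software (update checkers, monitoring agents) beacons too; the output is a shortlist for an analyst, with destination reputation and the process that made the connection as the next things to check. The same calculation works on DNS query logs, which catches implants whose C2 resolves through DNS even when the HTTP traffic is encrypted.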

Stage 3: Discovery and lateral movement

In the discovery and lateral movement stage of a ransomware attack, attackers aim to maximise their impact within the victim's network by spreading the infection and elevating their access privileges.

First, the attackers gather information about the victim's network. Internally this means scanning for live hosts, open services and exploitable vulnerabilities; externally it can include analysing public information about the organisation or buying stolen credentials on criminal marketplaces. By understanding the network layout, where the valuable systems sit (file servers, domain controllers, backup servers) and which accounts have privileged access, the attackers can decide where to move next.

Once inside the network, the attackers exploit security weaknesses to gain unauthorised access to other devices. They may crack or brute-force passwords, reuse credentials harvested from compromised machines, or exploit unpatched software on internal hosts. The goal is to move laterally, infecting as many devices as possible and obtaining higher levels of access, ideally domain-wide administrative privileges, so that the encryption can later be pushed to every machine at once.

To evade detection and increase their chances of success, attackers deploy various techniques. This may include masquerading as legitimate users or using legitimate tools and processes to cover their tracks. They might also employ techniques like creating backdoors, manipulating security controls, or leveraging weaknesses in the network infrastructure.

Stage 4: Malicious theft and file encryption

In Stage 4 of a ransomware attack the attackers carry out data theft and file encryption. A primary objective is to exfiltrate sensitive data to attacker-controlled infrastructure, so that it can be used as leverage in the ransom demand (or sold) regardless of whether the victim can restore from backups.

The process starts with the attackers identifying valuable data based on criteria such as file type, size or location (finance, HR and legal folders are common targets). They then move it out of the network, either over the existing C2 channel, through a separate file-transfer or cloud-storage service, or using a legitimate remote-access or synchronisation tool that blends in with normal traffic.

Exfiltration is usually wrapped in TLS or otherwise encrypted so that network inspection cannot see what is leaving; unusual volumes, destinations and timing are typically the only signals a defender has.

Once the data is out, the attackers encrypt the victim's systems and files to render them inaccessible. Modern families use a hybrid scheme: each file is encrypted with a fast symmetric cipher, and the symmetric key is in turn encrypted with the attacker's public key, so no usable decryption key ever sits on the victim's machine. Before encrypting, the malware commonly deletes volume shadow copies and any locally reachable backups, and some variants also overwrite the master boot record (MBR) so the machine will not boot. By hitting these components the attackers inflict maximum damage and increase the likelihood of victims complying with ransom demands.
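The encryption step is also the noisiest thing the attacker does on an endpoint: one process suddenly rewrites many files with high-entropy content and gives them a new extension. The following is an added example, not from the original article; it measures Shannon entropy over a constructed stream of file-activity events (the event shape is an assumption, as is the process name `updater.exe`) and requires both signals before alerting, so a single high-entropy archive write or a plain bulk rename does not fire.

```python
"""Spot the file-encryption stage from endpoint file-activity telemetry: one
process writing many high-entropy files and renaming them to a new extension
within a short window.

Added example, not from the original article. The event stream is constructed
and its shape (timestamp, process, operation, path, payload) is an assumption;
real data would come from an EDR agent or Sysmon-style file events.
"""
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for uniformly random
    data.  Ciphertext and compressed data sit near 8; documents and source far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fake_ciphertext(n: int, seed: bytes = b"seed") -> bytes:
    """Deterministic stand-in for encrypted output (a SHA-256 chain) so the example
    runs offline and reproducibly; statistically it looks like real ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def _build_sample_events():
    """Constructed telemetry: (timestamp, process, op, path, payload).
    For 'write' the payload is the data written; for 'rename' it is the new path."""
    base = datetime(2024, 3, 1, 3, 0, 0)
    events = []
    # A rogue process (hypothetical name) encrypts twelve documents and appends .locked.
    for i in range(12):
        t = base + timedelta(seconds=2 * i)
        path = rf"C:\Users\alice\Documents\report{i}.docx"
        events.append((t, "updater.exe", "write", path, fake_ciphertext(4096, path.encode())))
        events.append((t + timedelta(seconds=1), "updater.exe", "rename", path, path + ".locked"))
    # Benign: Word saves a document (low entropy); Explorer writes one zip (high entropy, one file).
    text = b"Quarterly revenue grew 4% year on year; see the attached tables.\n" * 64
    events.append((base + timedelta(minutes=1), "WINWORD.EXE", "write",
                   r"C:\Users\alice\Documents\draft.docx", text))
    events.append((base + timedelta(minutes=2), "explorer.exe", "write",
                   r"C:\Users\alice\Downloads\photos.zip", fake_ciphertext(4096)))
    return sorted(events, key=lambda e: e[0])


SAMPLE_EVENTS = _build_sample_events()


def detect_encryption_burst(events, window=timedelta(minutes=5), min_files=10, entropy_threshold=7.0):
    """Return one alert per process that, inside any `window`, both wrote at least
    `min_files` high-entropy files and renamed at least `min_files` files to a
    different extension.  Requiring both signals keeps a lone archive write or a
    bulk rename on its own from firing."""
    per_process = defaultdict(list)   # process -> [(timestamp, signal, detail)]
    for ts, process, op, path, payload in events:
        if op == "write" and shannon_entropy(payload) >= entropy_threshold:
            per_process[process].append((ts, "high_entropy_write", path))
        elif op == "rename":
            old_ext = PureWindowsPath(path).suffix.lower()
            new_ext = PureWindowsPath(payload).suffix.lower()
            if new_ext != old_ext:
                per_process[process].append((ts, "extension_change", new_ext))

    alerts = []
    for process, signals in per_process.items():
        signals.sort(key=lambda s: s[0])
        for i, (start, _, _) in enumerate(signals):   # sliding window over signals
            in_window = [s for s in signals[i:] if s[0] - start <= window]
            writes = [s for s in in_window if s[1] == "high_entropy_write"]
            renames = [s for s in in_window if s[1] == "extension_change"]
            if len(writes) >= min_files and len(renames) >= min_files:
                alerts.append({
                    "process": process,
                    "encrypted_files": len(writes),
                    "new_extensions": sorted({s[2] for s in renames}),
                    "first_seen": start.isoformat(),
                })
                break   # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_burst(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Entropy alone is a weak signal (archives, media and already-encrypted files all score near 8), which is why the rule insists on the extension change as well; conversely, families that encrypt in place without renaming need the rate of high-entropy writes on its own, with a higher threshold. A response hook that suspends the offending process on the first alert buys the minutes that separate a handful of lost files from a whole share.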

Stage 5: Extortion

In the extortion stage, the threat actors turn the damage into pressure to pay. Their leverage is the encrypted files and, in double-extortion attacks, the stolen data they threaten to publish.

Once the files are encrypted, the ransomware operators leave behind a ransom note, usually dropped as a text or HTML file in every affected directory and sometimes set as the desktop wallpaper. The note explains how to make the payment and obtain the decryption key. It typically states the ransom amount, the cryptocurrency to be used (usually Bitcoin), a deadline after which the price rises or the data is leaked, and how to contact the operators.

To communicate with the victims, ransomware operators use various methods. This can include email addresses provided in the ransom note or encrypted communication platforms accessible through the Tor network. The threat actors may also establish communication channels with the victims to negotiate the ransom amount or provide further instructions.

Stage 6: Resolution

The resolution stage of a ransomware attack involves addressing the incident and recovering normal operations. This stage is crucial to minimise disruption, regain control over the affected systems, and prevent further damage. Organisations have several options to consider during the resolution stage.

Restoring from backups is the preferred route to recovery, but only after the affected systems have been isolated and the attacker's access and tooling have been removed; restoring onto a network the attacker still controls simply invites a second encryption. The backups must also have survived the attack, which in practice means offline or immutable copies that the compromised credentials could not reach, and they should be verified as restorable before they are relied upon. With such backups in place, organisations can return systems to a known-good state and resume normal operations without needing the attacker's key.

Implementing a ransomware recovery plan is another vital step. By having a well-defined plan in place, organizations can efficiently respond to ransomware incidents, speed up recovery efforts, and effectively allocate resources. This plan should outline the necessary steps to be taken, such as isolating affected systems, notifying the appropriate authorities, and engaging with cybersecurity experts.

Negotiating with attackers, though not recommended, may be considered as a last resort. Before going down that road, check whether a free decryptor already exists for the particular family: for some strains the keys have been recovered or the encryption was implemented badly. Some organisations choose to engage in negotiations to obtain the decryption key or reduce the ransom. This option carries real risk: there is no guarantee that the attackers will uphold their end of the bargain, the decryptor they supply may be slow or buggy, it does not undo any data theft, and paying marks the organisation as a willing payer for future attacks.

Types of Ransomware

Ransomware attacks come in various forms, each using different techniques to compromise systems and hold critical data hostage. The main types are encrypting ransomware, non-encrypting ransomware, leakware/doxware, mobile ransomware and destructive ransomware/wipers. New variants appear continually, which makes monitoring and defence harder.

1. Encrypting Ransomware

This type of ransomware encrypts files on the victim's system, rendering them inaccessible until a ransom payment is made. Examples include WannaCry and CryptoLocker. Subcategories within encrypting ransomware include:

2. Non-Encrypting Ransomware

Unlike encrypting ransomware, this type does not encrypt files; it locks the screen or the device and threatens the victim instead, typically with fake law enforcement notices claiming that illegal activity has been detected and a fine must be paid. The so-called FBI ransomware is one example. Because the data itself is untouched, removing the malware restores access.

3. Leakware/Doxware

This type steals sensitive information and threatens to publish it unless the ransom is paid; in practice it is usually combined with file encryption (so-called double extortion). It targets organisations or individuals with valuable data and exploits their fear of exposure, which is why good backups alone do not neutralise the threat.

4. Mobile Ransomware

Specifically designed for mobile devices, this type affects smartphones and tablets. It may lock the device or encrypt files, demanding a ransom payment for the release of data.

5. Destructive Ransomware/Wipers

Unlike the other types, this malware does not really hold data hostage. It wipes or destroys the victim's files or entire system, often while displaying a ransom note so that it passes for ordinary ransomware, but the damage is irreversible by design and payment recovers nothing.

Familiarity with these different types of ransomware attacks can assist organisations and individuals in implementing effective security controls and mitigating the risk of falling victim to such cyber threats.

Ransomware Statistics

Ransomware has been one of the most prevalent and damaging cyber threats of recent years, and reported attack volumes rose sharply in 2022 and 2023. Published estimates differ considerably depending on who is counting and what counts as an attack, so the figures below should be read as indicative rather than precise.

  • Reported year-on-year growth in ransomware attacks for 2022 ranges from 75% to 150% depending on the dataset, with millions of individuals and organisations affected.
  • Phishing email remains the most common initial vector, accounting for roughly 70% of ransomware infections.
  • Ransom payments in 2022 were estimated at $1.24 billion globally, with an average demand of around $170,000 per attack.


What is the Aftermath of Ransomware Attacks?

Ransomware attacks can have devastating consequences for businesses, leading to significant financial losses, data loss, reputational damage, and in some cases, even forcing businesses to shut down. The aftermath of a ransomware attack can be chaotic and debilitating.

Financial losses are one of the immediate impacts faced by businesses. Ransom payments demanded by attackers can be exorbitant, draining resources and impacting the bottom line. Additionally, businesses may also incur costs associated with restoring systems, conducting forensic investigations, and implementing enhanced security measures.

Data loss is another critical concern. Ransomware encrypts valuable data, rendering it inaccessible unless a decryption key is obtained, and any data stolen beforehand is out of the organisation's hands for good. Businesses without reliable backups risk losing critical information permanently, and even paying does not guarantee a working decryptor. The result can be operational disruption, compliance failures and legal liability.

Reputational damage is a long-lasting consequence of ransomware attacks. News of a successful attack can erode customer trust and confidence, impacting future business prospects. Negative publicity and potential lawsuits can further tarnish a business's reputation, making recovery even more difficult.

In severe cases, businesses may be forced to shut down as a result of a ransomware attack. The financial and operational strain, coupled with the loss of customer trust, can become insurmountable, leaving businesses with no viable option but to cease operations.

To mitigate the aftermath of ransomware attacks, businesses must prioritise preparedness. Robust controls such as offline or immutable backups that are regularly tested, multi-factor authentication on all remote access, prompt patching of internet-facing systems, endpoint protection, and employee training on identifying phishing emails and suspicious links significantly reduce the risk of becoming a victim.

Here at Pentest People, we offer a wide range of services including Ransomware Defence Assessments, Email Phishing Assessments, Mobile Application Testing and many more to help your organisation combat the threat of a cyber attack, and more specifically ransomware attacks. Get in touch with us today.
