How Ransomware Attacks Work and How Organizations Defend Against Them

Ransomware has become one of the most damaging forms of cybercrime, costing organizations billions annually. This article explains how ransomware attacks unfold step by step and what defenses are most effective.

The InfoNexus Editorial Team | May 10, 2026 | 10 min read

What Is Ransomware?

Ransomware is a category of malicious software (malware) that encrypts a victim's files or locks them out of their systems and then demands a ransom payment — typically in cryptocurrency — in exchange for the decryption key needed to restore access. It represents one of the most disruptive and financially devastating forms of cybercrime, affecting hospitals, government agencies, schools, utilities, and private businesses of all sizes. According to Cybersecurity Ventures, global ransomware damages exceeded $20 billion in 2021 and are projected to reach $265 billion annually by 2031.

Modern ransomware has evolved far beyond the crude early versions that simply locked a screen. Today's ransomware operations are sophisticated criminal enterprises, often operated by organized groups using a Ransomware-as-a-Service (RaaS) model in which a developer creates and maintains the ransomware code and infrastructure, then recruits affiliate attackers who conduct the actual intrusions in exchange for a percentage of the ransom proceeds. Major RaaS groups like LockBit, BlackCat (ALPHV), and Cl0p have demonstrated near-corporate levels of operational sophistication, including customer service portals for victims and negotiation teams.

The Attack Chain: How Ransomware Gets In

Ransomware attacks follow a recognizable sequence of stages. The initial foothold is typically gained through one of several primary vectors. Phishing emails remain the most common entry point — carefully crafted messages that trick recipients into clicking a malicious link or opening an infected attachment that installs a dropper or loader malware. Exploitation of unpatched vulnerabilities in internet-facing systems — VPN appliances, Remote Desktop Protocol (RDP) servers, email gateways, and web applications — is the second most common vector. The 2021 Kaseya attack exploited a zero-day in a widely used IT management software platform to reach thousands of downstream businesses simultaneously.

Credential theft and brute forcing are also major entry vectors, particularly for RDP and VPN services exposed to the internet. Many organizations use weak passwords, reuse credentials across systems, or fail to implement multi-factor authentication, making it trivial for attackers to purchase valid credentials from dark web marketplaces (often stolen in earlier breaches) and simply log in. Supply chain compromise — infecting trusted software or service providers to reach their customers — has emerged as a particularly dangerous vector because it can bypass many perimeter security controls.

Dwell Time and Lateral Movement

After gaining initial access, sophisticated ransomware groups do not immediately deploy encryption. Modern attacks typically involve a substantial dwell time — the period between initial compromise and ransomware deployment — during which attackers operate quietly inside the network. Average dwell time before ransomware deployment has been measured at approximately 10-24 days in recent incident response investigations, though this varies widely.

During dwell time, attackers engage in lateral movement — using the initial foothold to spread to additional systems, elevate privileges, and map the network. Tools commonly used include legitimate administration utilities (LOLBins — living-off-the-land binaries such as PsExec, WMI, and PowerShell) that blend in with normal administrative traffic. Attackers seek to compromise the Active Directory domain, which, once controlled, gives them the ability to push malware to every machine in the organization. They also locate, access, and exfiltrate sensitive data before encryption, enabling double extortion — threatening to publish stolen data if the ransom is not paid, a tactic first popularized by the Maze group in 2019 and now near-universal among sophisticated ransomware actors.
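Because the tools named above are legitimate, detection during dwell time has to key on how they are used rather than on what they are. The following is an added example (not from the article) of rule logic a defender might run over process-creation and service-install telemetry: it flags the PsExec service being registered on a target, a shell spawned by the WMI provider host, encoded PowerShell command lines, and one account touching several hosts inside a short window. The event field names, the sample events and the thresholds are assumptions constructed for the example.

```python
"""Detection of living-off-the-land lateral movement from Windows process and
service events. Added example, not from the article; the event field names,
sample values and thresholds are assumptions."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: flattened Security 4688 (process creation) and System 7045
# (service installed) events. One normal user (jdoe) and one compromised service
# account (svc-backup) fanning out across a file server, a domain controller and a workstation.
EVENTS = [
    {"ts": "2026-05-10T02:14:03", "host": "WS-041", "user": "jdoe", "event_id": 4688,
     "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
    {"ts": "2026-05-10T02:15:10", "host": "FS-01", "user": "svc-backup", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2026-05-10T02:15:12", "host": "FS-01", "user": "svc-backup", "event_id": 4688,
     "image": r"C:\Windows\PSEXESVC.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "PSEXESVC.exe"},
    {"ts": "2026-05-10T02:16:40", "host": "DC-01", "user": "svc-backup", "event_id": 4688,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc QQBBAEEAQQA="},   # placeholder payload
    {"ts": "2026-05-10T02:17:05", "host": "WS-099", "user": "svc-backup", "event_id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand QQBBAEEAQQA="},
    {"ts": "2026-05-10T09:00:00", "host": "WS-041", "user": "jdoe", "event_id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-ChildItem"},
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand; -ExecutionPolicy must not match.
ENCODED_FLAG = re.compile(r"(?<!\S)-(?:e|ec|en|enc|encodedcommand)(?!\S)", re.IGNORECASE)


def is_psexec_service_install(ev: dict) -> bool:
    # PsExec copies PSEXESVC.exe to the target's ADMIN$ share and registers it as a service.
    return ev["event_id"] == 7045 and (
        ev.get("service_name", "").upper() == "PSEXESVC"
        or ev.get("image_path", "").lower().endswith("psexesvc.exe"))


def is_wmi_spawned_shell(ev: dict) -> bool:
    # Processes started remotely over WMI are children of the WMI provider host, not of a user shell.
    return (ev["event_id"] == 4688
            and ev.get("parent", "").lower().endswith("wmiprvse.exe")
            and ev.get("image", "").lower().endswith(("cmd.exe", "powershell.exe")))


def is_encoded_powershell(ev: dict) -> bool:
    cmd = ev.get("cmdline", "")
    return ev["event_id"] == 4688 and "powershell" in cmd.lower() and bool(ENCODED_FLAG.search(cmd))


RULES = [
    ("psexec_service_install", is_psexec_service_install),
    ("wmi_spawned_shell", is_wmi_spawned_shell),
    ("encoded_powershell", is_encoded_powershell),
]


def account_host_fan_out(events, window=timedelta(minutes=10), min_hosts=3):
    """Accounts that generate events on >= min_hosts distinct hosts inside one window.
    Routine administration usually touches one host at a time; spreading is the signal."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    hits = []
    for user, seq in by_user.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits.append((user, sorted(hosts)))
                break
    return hits


def detect(events: list[dict]) -> list[dict]:
    """Apply the per-event rules and the cross-event fan-out rule; return all findings."""
    findings = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                findings.append({"rule": name, "ts": ev["ts"], "host": ev["host"], "user": ev["user"]})
    for user, hosts in account_host_fan_out(events):
        findings.append({"rule": "account_host_fan_out", "ts": None, "host": ",".join(hosts), "user": user})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:24} user={f['user']:<11} host={f['host']}")
```

Run on the constructed events, only the svc-backup activity is flagged: the PSEXESVC install, the WMI-spawned shell, two encoded PowerShell launches and the three-host fan-out. The analyst's own PowerShell session on WS-041 produces nothing, which is the point of matching on parent process, encoding flags and host spread rather than on the binary name.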

Encryption and Ransom Demand

Once attackers have achieved their objectives — spreading to high-value systems, exfiltrating data, and ensuring persistence — they deploy the ransomware payload, often simultaneously across hundreds or thousands of machines using the domain controller to push the malware via group policy or remote execution tools. Modern ransomware uses hybrid encryption: each file is encrypted with a unique symmetric key (typically AES-256), and those symmetric keys are encrypted with the attacker's RSA public key. Only the attacker's private key can decrypt the session keys, making self-recovery without the decryption key cryptographically infeasible.

After encryption, victims discover ransom notes in each directory, and in some cases receive phone calls or emails from the attackers. Ransom demands have escalated dramatically in recent years: demands of $1 million or more are now common for large enterprises, and demands exceeding $50 million have been documented. Payments are demanded in Bitcoin or Monero (which offers stronger privacy than Bitcoin). Attackers typically establish a negotiation portal on the dark web and may provide test decryption of a small number of files to demonstrate that their decryptor works.
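The encryption phase described above has two observable side effects a defender can alert on: a single process rewriting many files whose contents suddenly look random (AES ciphertext has close to 8 bits of entropy per byte, where documents and text sit far lower), and a note file appearing alongside them. The block below is an added example, not code from the article, showing that detection logic over constructed file-write telemetry; the telemetry shape, the entropy and burst thresholds, the note-name patterns and the sample files are all assumptions.

```python
"""Behavioural detection of the encryption phase: bursts of high-entropy file
writes by one process plus a dropped ransom note. Added example, not from the
article; the telemetry shape, thresholds and sample files are assumptions."""
from __future__ import annotations

import hashlib
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

HIGH_ENTROPY = 7.5                    # bits/byte; ciphertext is ~7.9+, text and office files far lower
BURST_COUNT = 5                       # this many high-entropy writes by one process ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this window is treated as mass encryption
NOTE_NAME = re.compile(r"(readme|restore|recover|decrypt|how.?to).*\.(txt|html?|hta)$", re.I)
NOTE_TEXT = re.compile(r"\b(bitcoin|monero|decryptor|tor browser|\.onion)\b", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic stand-in for encrypted file content (constructed by chaining SHA-256)."""
    out = bytearray()
    i = 0
    while len(out) < size:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:size])


# Constructed file-write telemetry: a user editing a document, a developer's README,
# then one process rewriting five documents as .locked and dropping a note.
DOC = b"Quarterly report FY2026: revenue grew 4 percent on stable margins. " * 60
WRITES = [
    {"ts": "2026-05-10T02:30:00", "proc": "WINWORD.EXE",
     "path": r"C:\Users\jdoe\Documents\q2-report.docx", "data": DOC},
    {"ts": "2026-05-10T02:30:30", "proc": "git.exe",
     "path": r"C:\src\app\README.txt", "data": b"Build with make; see docs/ for details."},
] + [
    {"ts": f"2026-05-10T02:31:{s:02d}", "proc": "updater.exe",
     "path": rf"C:\Users\jdoe\Documents\file{i}.docx.locked", "data": pseudo_ciphertext(bytes([i]))}
    for i, s in enumerate((0, 5, 12, 20, 33))
] + [
    {"ts": "2026-05-10T02:31:40", "proc": "updater.exe",
     "path": r"C:\Users\jdoe\Documents\README_TO_RESTORE.txt",
     "data": b"Your files are encrypted. Contact us through Tor Browser and pay in Bitcoin for the decryptor."},
]


def analyze(writes: list[dict]) -> list[dict]:
    """Return alerts for ransom-note drops and per-process bursts of high-entropy writes."""
    alerts = []
    high_entropy = defaultdict(list)          # process -> [(timestamp, path)]
    for w in writes:
        filename = w["path"].rsplit("\\", 1)[-1]
        # A note needs both a suspicious name and extortion wording; README.txt alone is not enough.
        if NOTE_NAME.search(filename) and NOTE_TEXT.search(w["data"].decode("utf-8", "ignore")):
            alerts.append({"rule": "ransom_note_dropped", "proc": w["proc"], "detail": w["path"]})
        if shannon_entropy(w["data"]) >= HIGH_ENTROPY:
            high_entropy[w["proc"]].append((datetime.fromisoformat(w["ts"]), w["path"]))
    for proc, seq in high_entropy.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            burst = [p for t, p in seq[i:] if t - t0 <= BURST_WINDOW]
            if len(burst) >= BURST_COUNT:
                alerts.append({"rule": "mass_high_entropy_writes", "proc": proc,
                               "detail": f"{len(burst)} files in {BURST_WINDOW.seconds}s, e.g. {burst[0]}"})
                break
    return alerts


if __name__ == "__main__":
    for a in analyze(WRITES):
        print(f"{a['rule']:26} proc={a['proc']:<12} {a['detail']}")
```

Entropy alone is a noisy signal (compressed archives and already-encrypted files score just as high), which is why the rule requires a burst from one process and why the note rule requires extortion wording, not just a file called README. In production these alerts would feed an EDR response action such as suspending the process, which the prevention section below discusses.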

Defensive Strategies: Prevention

No single control can prevent all ransomware attacks, but a layered defense strategy can dramatically reduce risk. The most impactful preventive measures include:

  • Multi-factor authentication (MFA): Implementing MFA on all remote access services (VPN, RDP, email) eliminates credential-based attacks even when passwords are compromised.
  • Patch management: Rapidly patching critical vulnerabilities in internet-facing systems, particularly those exploited in known attacks, is one of the highest-ROI security activities.
  • Email security: Advanced phishing protection, sandboxing of attachments, and anti-spoofing controls (DMARC, DKIM, SPF) reduce the phishing attack surface.
  • Network segmentation: Dividing the network so that a compromise in one segment cannot easily spread to others limits lateral movement.
  • Privilege minimization: Users and service accounts should have only the minimum permissions needed. Local administrator rights on workstations should be removed for standard users.
  • Endpoint detection and response (EDR): Modern EDR solutions detect malicious behaviors (rather than just known malware signatures) and can block or interrupt ransomware execution mid-attack.
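Of the controls above, the email anti-spoofing records are the one that can be checked mechanically from outside. The block below is an added example, not from the article, that grades a domain's DMARC and SPF TXT records for the weaknesses that let phishing mail impersonate the organization: a monitor-only DMARC policy, partial enforcement, missing reporting, an SPF record ending in +all or ~all, and too many DNS-lookup mechanisms. The records are constructed for example.com; a real check would fetch them from DNS.

```python
"""Grading DMARC and SPF TXT records for spoofing resistance. Added example, not
from the article; the sample records are constructed for example.com."""
from __future__ import annotations

import re

ENFORCING = ("quarantine", "reject")
# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(r"[+\-~?]?(include:\S+|a(?:[:/]\S*)?|mx(?:[:/]\S*)?|redirect=\S+|exists:\S+)", re.I)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def evaluate_dmarc(record: str) -> list[str]:
    """Return findings; an empty list means the record both enforces and reports."""
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (v=DMARC1 missing)"]
    findings = []
    policy = t.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'}: monitor-only, spoofed mail is still delivered")
    if "sp" in t and t["sp"].lower() not in ENFORCING:
        findings.append(f"sp={t['sp']}: subdomains can be spoofed even though the apex is protected")
    pct = int(t.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in t:
        findings.append("rua= missing: no aggregate reports, so abuse and misconfiguration go unseen")
    return findings


def evaluate_spf(record: str) -> list[str]:
    """Return findings; an empty list means unlisted senders hard-fail and the lookup budget holds."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (v=spf1 missing)"]
    findings = []
    all_term = next((x for x in terms[1:] if x.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.lower() in ("all", "+all"):
        findings.append("+all: every host on the internet is an authorized sender")
    elif all_term.startswith("?"):
        findings.append("?all: neutral, no enforcement")
    elif all_term.startswith("~"):
        findings.append("~all: softfail only; needs an enforcing DMARC policy to have any effect")
    lookups = sum(1 for x in terms[1:] if LOOKUP_TERM.fullmatch(x))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10; receivers return permerror")
    return findings


# Constructed records: a monitor-only deployment beside an enforcing one.
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_ENFORCE = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com")
SPF_OPEN = "v=spf1 a mx include:_spf.example.net +all"
SPF_STRICT = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, rec, fn in (("DMARC monitor", DMARC_MONITOR, evaluate_dmarc),
                           ("DMARC enforce", DMARC_ENFORCE, evaluate_dmarc),
                           ("SPF open", SPF_OPEN, evaluate_spf),
                           ("SPF strict", SPF_STRICT, evaluate_spf)):
        print(label, fn(rec) or ["ok"])
```

A p=none record is the most common real-world gap: it is the sensible first step for collecting reports, but organizations often never move on to quarantine or reject, so the spoofed phishing mail the article describes is still delivered.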

Backup and Recovery Strategy

A robust backup strategy is the most important resilience control against ransomware, because it enables recovery without paying a ransom. However, many organizations discover during an incident that their backups were also compromised — attackers routinely target and delete or encrypt backup systems before deploying ransomware. Effective backup strategies follow the 3-2-1 rule: maintain at least three copies of data, on two different media types, with at least one copy kept offline or offsite.

Immutable backups — stored in a location where they cannot be modified or deleted, even by an administrator with full domain credentials — are essential. Cloud-based backup with object lock capabilities or air-gapped tape backups provide the necessary immutability. Organizations should regularly test restoration procedures to confirm that backups can actually be recovered within the recovery time objectives defined in their business continuity plans. Discovering that backups are corrupted or incomplete only at the moment of a ransomware incident is a catastrophic failure mode. Recovery planning should also account for the complexity of restoring Active Directory and other foundational infrastructure before restoring application data.
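The 3-2-1 rule, immutability and restore testing are easy to state and easy to drift away from, so they are worth checking against an actual inventory rather than a diagram. The block below is an added example, not from the article, of such a check: it takes a list of data copies (the live production data counted as copy one) and reports every way the inventory falls short of the section above. The inventory fields, the 90-day restore-test interval, the recovery time objective and both sample inventories are assumptions constructed for the example.

```python
"""Validator for a backup inventory against the 3-2-1 rule, immutability and
restore-test requirements. Added example, not from the article; the inventory
fields, the 90-day test interval and the sample data are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

TEST_INTERVAL = timedelta(days=90)   # assumed policy: every backup copy restore-tested quarterly


@dataclass(frozen=True)
class DataCopy:
    name: str
    medium: str                          # "disk", "object-storage", "tape", ...
    offsite: bool
    online: bool                         # reachable from the production network
    immutable: bool                      # object lock, WORM tape, or physically air-gapped
    primary: bool = False                # the live production data counts as copy one
    last_restore_test: date | None = None
    restore_hours: float | None = None   # measured restore time in that test


def check_backups(copies: list[DataCopy], rto_hours: float, today: date) -> list[str]:
    """Return findings; an empty list means the inventory passes every check."""
    findings = []
    if len(copies) < 3:
        findings.append(f"{len(copies)} copies of the data; 3-2-1 requires at least three")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"every copy is on one medium ({', '.join(sorted(media))}); two media types required")
    if not any(c.offsite or not c.online for c in copies):
        findings.append("no copy is offsite or offline; an intruder on the network can reach all of them")
    if not any(c.immutable and not c.primary for c in copies):
        findings.append("no immutable backup; stolen domain-admin credentials can delete every copy")
    for c in copies:
        if c.primary:
            continue
        if c.last_restore_test is None:
            findings.append(f"{c.name}: never restore-tested")
        elif today - c.last_restore_test > TEST_INTERVAL:
            findings.append(f"{c.name}: last restore test was {(today - c.last_restore_test).days} days ago")
        if c.restore_hours is not None and c.restore_hours > rto_hours:
            findings.append(f"{c.name}: restore took {c.restore_hours}h, RTO is {rto_hours}h")
    return findings


TODAY = date(2026, 5, 10)

# Constructed inventory 1: the common failure mode, one online disk repository on the same domain.
WEAK = [
    DataCopy("prod-fileserver", "disk", offsite=False, online=True, immutable=False, primary=True),
    DataCopy("backup-repo", "disk", offsite=False, online=True, immutable=False,
             last_restore_test=date(2025, 10, 1), restore_hours=30),
]

# Constructed inventory 2: object-locked cloud copy plus offline tape in a vault.
STRONG = [
    DataCopy("prod-fileserver", "disk", offsite=False, online=True, immutable=False, primary=True),
    DataCopy("cloud-objectlock", "object-storage", offsite=True, online=True, immutable=True,
             last_restore_test=date(2026, 4, 20), restore_hours=6),
    DataCopy("tape-vault", "tape", offsite=True, online=False, immutable=True,
             last_restore_test=date(2026, 3, 15), restore_hours=20),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("strong", STRONG)):
        print(label, check_backups(inventory, rto_hours=24, today=TODAY) or ["all checks pass"])
```

The weak inventory fails six ways at once, which matches what incident responders find: one online repository joined to the same domain the attacker already controls, last tested long ago, and slower to restore than the business can tolerate. Note that the check treats the measured restore time, not a vendor estimate, as the input, since the ordering problem the section mentions (Active Directory before application data) only shows up when a full restore is actually rehearsed.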

Incident Response: Should You Pay?

If ransomware is deployed despite preventive measures, the incident response phase begins immediately. Isolating affected systems from the network (without powering them off, to preserve forensic evidence in memory) is the critical first step. Engaging a professional incident response firm and, in the United States, notifying the FBI are strongly recommended — law enforcement has occasionally obtained decryption keys from seized infrastructure and can provide threat intelligence about the specific ransomware variant involved.

The question of whether to pay the ransom has no universal answer. Law enforcement agencies generally recommend against payment, both because it funds criminal enterprises and because payment does not guarantee data recovery — approximately 20% of organizations that pay do not receive working decryptors, and many are targeted again. However, in cases where backups are inadequate and the encrypted data is essential to business survival, payment may be the pragmatic choice. Organizations operating in critical infrastructure or healthcare sectors should be aware that paying ransoms to sanctioned entities (such as those on the U.S. Treasury OFAC list) can result in significant legal liability, making legal counsel essential before any payment decision.

