How Ransomware Encrypts Systems and Extorts Organizations

Ransomware encrypts files and demands payment to restore access. Learn how ransomware works technically, from initial infection to double extortion.

The InfoNexus Editorial Team · May 17, 2026 · 9 min read

$1.1 Billion in Ransoms Paid in a Single Year

In 2023, ransomware payments exceeded $1.1 billion for the first time, according to blockchain analytics firm Chainalysis. That figure counts only confirmed on-chain payments; the actual economic damage, including downtime, recovery costs, and reputational harm, is several times larger. Measured in total impact, the average ransomware attack costs the victim organization $4.54 million before any ransom payment is counted.

Ransomware is not a monolithic threat. It is an ecosystem of criminal infrastructure, affiliate networks, and technical tooling that has grown into a multi-billion-dollar criminal industry over the past decade. Understanding how it works technically is essential to building credible defenses.

The Technical Encryption Mechanism

Modern ransomware uses a hybrid encryption scheme that combines symmetric and asymmetric cryptography. A symmetric cipher, typically AES-256 (some families prefer ChaCha20 or Salsa20 because they stay fast on hardware without AES acceleration), does the bulk work and can encrypt thousands of files per second. An asymmetric algorithm, typically RSA-2048 or RSA-4096 (some families use Curve25519 instead), protects the symmetric key. Used correctly this is the same construction as an encrypted email or a TLS session and is computationally infeasible to break; the free decryptors that do appear exploit implementation mistakes (a predictable random number generator, a reused key or nonce, the session key left in memory or on disk), not weaknesses in the ciphers themselves.

The process works as follows. When the ransomware executes, it generates a random AES key locally on the victim's machine, either one per machine or, more commonly in current families, one per file. It encrypts each targeted file with that key. It then encrypts the AES key itself with the attacker's RSA public key, which is embedded in the malware or fetched from a command-and-control server, and stores the wrapped key with the encrypted data, usually in a footer appended to each file or in the ransom note. Only the attacker's RSA private key, which never touches the victim network, can unwrap the AES key, and therefore decrypt the files.

  • File targeting: Ransomware typically targets high-value extensions (.docx, .xlsx, .pdf, .sql, .bak) while skipping the Windows directory and its own binaries so the OS stays bootable to display the ransom note
  • Shadow copy deletion: Most ransomware runs vssadmin delete shadows /all /quiet, wmic shadowcopy delete, or the equivalent WMI call from PowerShell to destroy Windows Volume Shadow Copies, and often bcdedit to disable Windows recovery, preventing easy file restoration
  • Backup targeting: Modern strains actively enumerate and encrypt or delete network-attached storage, cloud-synced folders, and backup software repositories, and stop backup agents and database services first so that files those services hold open can be encrypted
  • Speed optimization: Some variants use partial (intermittent) encryption, encrypting only a leading portion of each large file or alternating blocks rather than the whole file, to maximize coverage before detection; the file is still unusable, but the untouched regions remain forensically recoverable
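The hybrid scheme from the previous section and the partial-encryption bullet above, carried through as an added Go example (not code from this article or from any ransomware family): one fresh AES-256-GCM key per file, wrapped with an RSA-2048 OAEP public key, plus an optional mode that encrypts only the first maxBytes of a file and copies the tail through untouched. The container layout, the function names and the sample document are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added illustration of the hybrid scheme described above; not code from any real
// ransomware family. The container layout is this example's own choice:
// [u32 len][RSA-OAEP wrapped AES key][12-byte nonce][u32 len][AES-GCM head][clear tail]
const nonceSize = 12

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptWithPub: fresh per-file AES-256 key, AES-GCM over the file, key wrapped with
// the operator's RSA public key. With maxBytes > 0 only the first maxBytes are
// encrypted (partial encryption); the rest of the file is copied through in the clear.
func encryptWithPub(pub *rsa.PublicKey, plaintext []byte, maxBytes int) ([]byte, error) {
	head, tail := plaintext, []byte(nil)
	if maxBytes > 0 && len(plaintext) > maxBytes {
		head, tail = plaintext[:maxBytes], plaintext[maxBytes:]
	}
	buf := make([]byte, 32+nonceSize) // session key and nonce, generated on the victim host
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, head, nil)
	// Only the public key is needed here (it can ship embedded in the payload); the private key never touches the victim.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	binary.Write(&out, binary.BigEndian, uint32(len(wrapped)))
	out.Write(wrapped)
	out.Write(nonce)
	binary.Write(&out, binary.BigEndian, uint32(len(ct)))
	out.Write(ct)
	out.Write(tail)
	return out.Bytes(), nil
}

// decryptWithPriv is what the operator's decryptor does once the private key is
// supplied; without it the wrapped session key cannot be recovered.
func decryptWithPriv(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("truncated container")
	}
	wl := int(binary.BigEndian.Uint32(blob))
	hdr := 4 + wl + nonceSize + 4
	if len(blob) < hdr {
		return nil, errors.New("truncated container")
	}
	cl := int(binary.BigEndian.Uint32(blob[hdr-4:]))
	if len(blob) < hdr+cl {
		return nil, errors.New("truncated container")
	}
	wrapped, nonce := blob[4:4+wl], blob[4+wl:hdr-4]
	ct, tail := blob[hdr:hdr+cl], blob[hdr+cl:]
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	head, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, err
	}
	return append(head, tail...), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // operator side, generated offline
	doc := bytes.Repeat([]byte("row of data\n"), 100) // constructed sample document
	blob, _ := encryptWithPub(&priv.PublicKey, doc, 64) // partial: first 64 bytes only
	back, err := decryptWithPriv(priv, blob)
	fmt.Printf("tail readable without any key: %v; round trip with private key: %v\n", bytes.Contains(blob, doc[64:]), err == nil && bytes.Equal(back, doc))
}
```

Run it and both flags print true: the tail is readable straight out of the container, which is the forensic upside of intermittent encryption, while the head comes back only with the operator's private key. Note what the code does not contain: that private key. A defender who reverse-engineers a sample gets the public key and nothing more, which is why free decryptors exist only when an implementation slips (reused nonces, a predictable RNG, the session key left in memory or on disk).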

The Ransomware Kill Chain

A ransomware attack follows a predictable progression. Understanding each phase reveals where defenders have opportunities to interrupt the chain.

| Phase | Attacker activity | Typical timeframe |
|---|---|---|
| Initial access | Phishing email, exposed RDP, VPN credential abuse | Day 0 |
| Persistence | Scheduled tasks, registry run keys, service installation | Hours to days |
| Lateral movement | Credential dumping (Mimikatz), pass-the-hash, RDP pivoting | Days to weeks |
| Data exfiltration | Upload sensitive data to attacker infrastructure for double extortion | Days before encryption |
| Deployment | Ransomware payload pushed to all compromised hosts simultaneously | Minutes |
| Extortion | Ransom note displayed, payment demand issued, threat of data leak | Immediately after encryption |

The dwell time before encryption is significant. Mandiant's M-Trends 2024 report put the global median dwell time at 10 days across all investigated intrusions, with ransomware-related intrusions shorter than the overall median. Attackers spend this period mapping the environment, disabling security tools, and exfiltrating data to maximize leverage, so every one of those days is a window in which the intrusion is detectable before anything is encrypted.

Ransomware-as-a-Service and the Affiliate Model

The ransomware landscape is dominated by Ransomware-as-a-Service (RaaS). Criminal developers build and maintain the encryption software, payment infrastructure, and victim negotiation portals. Affiliates are given access to these tools after vetting and conduct the intrusions themselves, typically splitting ransoms 70/30 or 80/20 in the affiliate's favor.

This model industrialized ransomware. Groups like LockBit, ALPHV/BlackCat, and Cl0p operated full criminal enterprises with customer support teams, bug bounty programs, and public-facing leak sites. When law enforcement disrupted LockBit in February 2024 (Operation Cronos), investigators identified 194 affiliate accounts on its platform, and LockBit had claimed more victims on its leak site in 2023 than any other group.

  • Double extortion: Encrypting files AND threatening to publish stolen data on a public leak site; pioneered by Maze in 2019, now industry standard
  • Triple extortion: Adding DDoS attacks against the victim's public infrastructure, or direct contact with the victim's customers and partners, to pressure payment
  • Negotiation portals: Victims receive a .onion Tor address with a live chat interface for negotiating payment terms and receiving decryption tools
  • Cryptocurrency laundering: Ransoms are demanded in Bitcoin or Monero and, where Bitcoin is used, laundered through mixers, chain-hopping between currencies, and conversion to privacy coins before being cashed out

Notable Ransomware Incidents and Impact

| Incident | Year | Impact | Ransom demanded |
|---|---|---|---|
| WannaCry (NSA EternalBlue exploit) | 2017 | 200,000+ systems in 150 countries; NHS disruption | $300 per system |
| Colonial Pipeline (DarkSide) | 2021 | US East Coast fuel supply disrupted for 6 days | $4.4 million (paid) |
| Kaseya VSA (REvil) | 2021 | ~1,500 downstream businesses via MSP supply chain | $70 million |
| MGM Resorts (Scattered Spider) | 2023 | Casino operations disrupted for 10 days | Not disclosed (~$100M loss) |

Recovery and Defense Strategy

Paying the ransom is not a recovery strategy. The FBI and CISA strongly discourage payment because it funds further attacks and carries no guarantee of working decryption. In practice, organizations that pay often recover only part of their data, the decryptors supplied are frequently slow and buggy, and surveys of victims who paid have found that roughly 80% were attacked again.

Effective defense centers on the 3-2-1-1-0 backup rule: three copies of data, on two different media types, one copy offsite, one copy offline or immutable (air-gapped or write-once), and zero errors, verified through regular restore testing. Immutable backups in write-once object storage are the most reliable recovery path, provided the immutability holds against the backup service account itself: by deployment time the attacker usually holds domain admin and the backup console credentials, and any retention that those credentials can shorten will be shortened.

On the prevention side, removing RDP and other remote-management ports from the internet, enforcing MFA on all remote access, patching internet-facing systems within 24–48 hours of a critical advisory, and segmenting networks to prevent lateral movement remain the highest-impact controls. Endpoint detection and response (EDR) tools that recognize ransomware behavioral patterns (rapid file renaming, shadow copy deletion, high disk write activity) can terminate execution before encryption completes.
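The behavioral signals listed above, turned into detection logic as an added Go example (not part of the original article or of any EDR product): a rule for recovery-point tampering on the command line and a sliding-window rule for bursts of extension-changing renames, run over a constructed timeline of Sysmon-like events. The field names, thresholds and sample events are this example's assumptions.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
	"time"
)

// Event is a simplified endpoint telemetry record shaped like Sysmon process-creation
// and file-rename events. It and the timeline in sampleEvents are constructed, not real.
type Event struct {
	T    time.Time
	Proc string // image name of the acting process
	Cmd  string // command line (process-creation events only)
	From string // old path (rename events only)
	To   string // new path (rename events only)
}

// Recovery-point tampering rules; every fragment must match (case-insensitive), so a read-only "Get-WmiObject Win32_ShadowCopy" is not flagged.
var shadowTamper = [][]string{
	{"vssadmin", "delete shadows"},
	{"wmic", "shadowcopy", "delete"},
	{"bcdedit", "recoveryenabled no"},
	{"win32_shadowcopy", "delete"},
}

func shadowTamperAlert(e Event) (string, bool) {
	cmd := strings.ToLower(e.Cmd)
next:
	for _, rule := range shadowTamper {
		for _, f := range rule {
			if !strings.Contains(cmd, f) {
				continue next
			}
		}
		return fmt.Sprintf("shadow-copy tampering by %s: %s", e.Proc, e.Cmd), true
	}
	return "", false
}

func winExt(p string) string { // extension of a Windows path; a dotted directory name is not an extension
	return path.Ext(p[strings.LastIndex(p, `\`)+1:])
}

// renameBurstAlerts flags a process that renames at least threshold files to one new
// extension inside any window-length span, using a sliding window per (process, extension).
func renameBurstAlerts(events []Event, threshold int, window time.Duration) []string {
	groups := map[string][]time.Time{}
	for _, e := range events {
		if e.To != "" && winExt(e.To) != winExt(e.From) {
			k := e.Proc + " -> " + winExt(e.To)
			groups[k] = append(groups[k], e.T)
		}
	}
	var alerts []string
	for k, ts := range groups {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for start, end := 0, 0; end < len(ts); end++ {
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if end-start+1 >= threshold {
				alerts = append(alerts, fmt.Sprintf("rename burst: %s, %d files within %s", k, end-start+1, window))
				break
			}
		}
	}
	sort.Strings(alerts) // map iteration order is random; keep output deterministic
	return alerts
}

func analyze(events []Event, threshold int, window time.Duration) []string {
	var alerts []string
	for _, e := range events {
		if a, ok := shadowTamperAlert(e); ok {
			alerts = append(alerts, a)
		}
	}
	return append(alerts, renameBurstAlerts(events, threshold, window)...)
}

// sampleEvents: a benign autosave rename, a read-only shadow-copy query, a vssadmin wipe,
// then 30 spreadsheets renamed to .locked within three seconds.
func sampleEvents() []Event {
	t0 := time.Date(2024, 3, 4, 9, 15, 0, 0, time.UTC)
	evs := []Event{
		{T: t0, Proc: "WINWORD.EXE", From: `C:\Users\bob\~WRL0001.tmp`, To: `C:\Users\bob\report.docx`},
		{T: t0.Add(5 * time.Second), Proc: "powershell.exe", Cmd: `powershell.exe Get-WmiObject Win32_ShadowCopy`},
		{T: t0.Add(20 * time.Second), Proc: "cmd.exe", Cmd: `vssadmin.exe Delete Shadows /All /Quiet`},
	}
	for i := 0; i < 30; i++ {
		f := fmt.Sprintf(`C:\Shares\finance\q%02d.xlsx`, i)
		evs = append(evs, Event{T: t0.Add(25*time.Second + time.Duration(i)*100*time.Millisecond), Proc: "updater.exe", From: f, To: f + ".locked"})
	}
	return evs
}

func main() {
	fmt.Println(strings.Join(analyze(sampleEvents(), 20, 10*time.Second), "\n"))
}
```

With a threshold of 20 renames in 10 seconds the timeline yields two alerts, the vssadmin wipe and the .locked burst, while the single Word autosave rename and the read-only Win32_ShadowCopy query stay quiet. In production these rules need the obvious tuning (backup agents and archivers legitimately rename in bulk, so allow-list by signed image path) and a response action, since an alert that fires at rename 20 of 100,000 is only useful if it also kills the process.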

Ransomware's effectiveness ultimately hinges on the gap between attacker speed and defender response time. Benchmarks of the fastest strains show on the order of 100,000 files encrypted in roughly four minutes, and the deployment phase across an entire environment is measured in minutes. Detection and response must operate on the same timescale: an alert reviewed the next morning arrives after the ransom note.

Tags: cybersecurity, ransomware, encryption
