How Ransomware Works: Attack Stages, Famous Cases, and Prevention

Ransomware encrypts victims' files and demands payment for the decryption key. Learn how ransomware attacks unfold from initial access to ransom demand, what happens to organizations that pay or refuse, and how to protect against this threat.

InfoNexus Editorial Team · May 7, 2026 · 7 min read

What Is Ransomware?

Ransomware is malicious software that encrypts a victim's files, making them inaccessible, and demands payment — typically cryptocurrency — in exchange for the decryption key. Modern ransomware has evolved from opportunistic attacks on individuals to sophisticated criminal enterprises conducting targeted attacks on hospitals, governments, critical infrastructure, and corporations, often demanding millions of dollars.

Ransomware caused an estimated $20 billion in damages globally in 2021. The Colonial Pipeline attack (2021) disrupted fuel supplies across the U.S. East Coast. The WannaCry attack (2017) crippled the UK's National Health Service, affecting patient care across 80 hospitals.

How a Ransomware Attack Unfolds

Stage 1: Initial Access

Ransomware operators gain entry through several common vectors:

  • Phishing emails: Malicious attachments or links deliver the initial payload
  • Exploiting vulnerabilities: Unpatched systems, particularly exposed RDP (Remote Desktop Protocol) and VPN vulnerabilities
  • Compromised credentials: Stolen passwords purchased on the dark web or obtained via credential stuffing
  • Supply chain attacks: Compromising a trusted software vendor whose update delivers ransomware to thousands of customers
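The credential-stuffing vector above usually leaves a trace in authentication logs well before anything is encrypted: one source address failing logons against many different accounts in quick succession, sometimes followed by a success. The following is an added example, not code from the article, showing how that pattern can be picked out of Windows Security events. The sample records are constructed; they follow the shape of Event ID 4625 (failed logon) and 4624 (successful logon), where LogonType 10 is RemoteInteractive (RDP) and, with Network Level Authentication enabled, failed RDP attempts are commonly recorded as LogonType 3. The 60-second window and the five-account threshold are this example's own assumptions.

```python
"""Detect RDP credential stuffing from Windows Security logon events.

Constructed sample events (not from any real system), shaped like
Event ID 4625 (failed logon) and 4624 (successful logon) records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, event_id, logon_type, target_account, source_ip) -- constructed
SAMPLE_EVENTS = [
    ("2026-05-07T01:00:00", 4625, 10, "jdoe",    "203.0.113.7"),
    ("2026-05-07T01:00:02", 4625, 10, "asmith",  "203.0.113.7"),
    ("2026-05-07T01:00:03", 4625, 10, "backup",  "203.0.113.7"),
    ("2026-05-07T01:00:05", 4625, 10, "admin",   "203.0.113.7"),
    ("2026-05-07T01:00:06", 4625, 10, "svc_sql", "203.0.113.7"),
    ("2026-05-07T01:00:09", 4625, 10, "mjones",  "203.0.113.7"),
    ("2026-05-07T01:00:15", 4624, 10, "mjones",  "203.0.113.7"),   # success after the spray
    ("2026-05-07T01:10:00", 4625, 10, "jdoe",    "198.51.100.5"),  # a single mistyped password
    ("2026-05-07T01:10:08", 4624, 10, "jdoe",    "198.51.100.5"),
]

WINDOW = timedelta(seconds=60)        # assumption: burst window
DISTINCT_ACCOUNT_THRESHOLD = 5        # assumption: accounts per window
RDP_LOGON_TYPES = {3, 10}             # 10 = RemoteInteractive; 3 = Network (RDP with NLA)


def detect_credential_stuffing(events, window=WINDOW, threshold=DISTINCT_ACCOUNT_THRESHOLD):
    """Return one alert per source IP whose failed logons hit at least
    `threshold` distinct accounts inside `window`. Accounts that later
    logged in successfully from the same IP are listed as likely compromised."""
    failures = defaultdict(list)   # ip -> [(time, account)]
    successes = defaultdict(list)  # ip -> [(time, account)]
    for ts, event_id, logon_type, account, ip in events:
        if logon_type not in RDP_LOGON_TYPES:
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[ip].append((t, account))
        elif event_id == 4624:
            successes[ip].append((t, account))

    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        # Slide a window anchored at each failure; alert once per IP.
        for i, (t0, _) in enumerate(fails):
            accounts = {a for t, a in fails[i:] if t - t0 <= window}
            if len(accounts) >= threshold:
                compromised = sorted({a for t, a in successes[ip]
                                      if t >= t0 and a in accounts})
                alerts.append({"source_ip": ip,
                               "window_start": t0.isoformat(),
                               "distinct_accounts": len(accounts),
                               "likely_compromised": compromised})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_EVENTS):
        print(alert)
```

The "likely compromised" list is the part worth acting on: a success that follows a spray from the same address is the point at which a password reset and a session review matter more than blocking the IP, and it is exactly the logon that MFA on RDP would have stopped.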

Stage 2: Reconnaissance and Lateral Movement

Modern sophisticated ransomware doesn't encrypt immediately. Attackers spend days to weeks inside the network: mapping the environment, identifying backups and security tools, escalating privileges, and spreading to as many systems as possible to maximize damage. They specifically seek to compromise or disable backup systems — so victims cannot simply restore without paying.

Stage 3: Data Exfiltration (Double Extortion)

Modern ransomware gangs exfiltrate sensitive data before encrypting. This enables "double extortion": pay to decrypt, AND pay to prevent public release of the stolen data. Even organizations that restore from backups face the threat of data exposure. Some gangs have added "triple extortion" — contacting the victim's customers directly.

Stage 4: Encryption and Ransom Note

When ready, the ransomware deploys simultaneously across all compromised systems, encrypting files with strong cryptography, typically a hybrid scheme: each file is encrypted with a fast symmetric cipher such as AES, and the AES keys are in turn encrypted with the attacker's RSA public key. Only the attacker holds the matching private key, so the files cannot be recovered without it. A ransom note appears explaining the situation and providing payment instructions — often including a deadline with escalating demands.

Ransomware-as-a-Service (RaaS)

The ransomware industry has professionalized into a criminal ecosystem. RaaS platforms allow criminal affiliates (who conduct attacks) to license ransomware from developers in exchange for a percentage of ransom proceeds (typically 20–30%). This separation enables specialization: coders develop sophisticated ransomware; affiliates handle intrusion and deployment. Groups like LockBit, BlackCat (ALPHV), and Cl0p operated as RaaS platforms.

Famous Ransomware Attacks

  • WannaCry (2017): Used the NSA-developed EternalBlue exploit (targeting an unpatched Windows SMB vulnerability) to spread automatically across networks. Hit 200,000+ systems in 150 countries within days. The NHS alone suffered £92 million in damages. Stopped by a security researcher who found and activated a kill switch.
  • Colonial Pipeline (2021): The DarkSide ransomware group attacked Colonial Pipeline, which carries 45% of fuel for the U.S. East Coast. The pipeline was shut down for 6 days. The company paid a $4.4 million ransom (most later recovered by the DOJ). The attack caused gas shortages across the Southeast.
  • Change Healthcare (2024): ALPHV/BlackCat attack on UnitedHealth Group's Change Healthcare subsidiary disrupted medical claims processing across the U.S. healthcare system for months. UnitedHealth paid a $22 million ransom — and the data was reportedly still released.

To Pay or Not to Pay?

The FBI recommends against paying ransoms — payment incentivizes future attacks, and there is no guarantee of decryption. However, many organizations pay anyway: the decryption key is the fastest path to recovery when systems are critical (hospitals, infrastructure). Average ransom paid: $812,000 in 2022. Some ransomware groups have provided decryption keys reliably; others have taken payment and disappeared.

Prevention

  • Offline, immutable backups: The most important defense — backups that ransomware cannot reach or encrypt
  • Patch management: Rapidly patch known vulnerabilities, especially for internet-facing systems
  • MFA on all remote access: Particularly RDP and VPN
  • Network segmentation: Limit lateral movement if an attacker gains initial access
  • EDR (Endpoint Detection and Response): Modern endpoint security that can detect and stop ransomware behavior patterns
  • Employee training: Recognizing phishing — the most common initial access vector
  • Incident response planning: Know what to do before an attack happens, including law enforcement contacts
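The encryption stage described under Stage 4 and the "ransomware behavior patterns" that the EDR bullet refers to are the same thing seen from two sides: one process rewriting many files with high-entropy data, renaming them to a single new extension, and dropping an identical note into directory after directory. The following is an added example, not code from the article or from any EDR vendor, that scores per-process file events on those three signals. The events are constructed, the thresholds are this example's assumptions, and the events are assumed to fall inside one short time window, so timestamps are not modelled. Requiring two independent indicators is what keeps a backup agent or archiver, which legitimately writes high-entropy data, from alerting on its own.

```python
"""Flag ransomware-like file activity from endpoint file events.

Constructed sample events (not real EDR telemetry). The heuristics and
thresholds are this example's own assumptions, not a vendor's logic.
"""
import math
import ntpath
from collections import defaultdict

HIGH_ENTROPY = 7.0   # bits/byte; ciphertext and compressed data sit near 8.0
MIN_FILES = 5        # mass-modification floor for a single process
MIN_NOTE_DIRS = 3    # same filename created in this many directories


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed stand-ins: a uniform byte distribution (entropy exactly 8.0)
# for ciphertext, repeated English text for an ordinary document save.
CIPHERTEXT = bytes(range(256)) * 16
PLAINTEXT = b"Quarterly revenue summary prepared for the board meeting. " * 40

# (process, op, path, extra): extra is the bytes written for "write",
# the new path for "rename", and None for "create".
_VICTIM_FILES = [rf"C:\Users\alice\Documents\report{i}.xlsx" for i in range(5)]
_NOTE_DIRS = [r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures", r"C:\Finance"]
SAMPLE_EVENTS = (
    [("winword.exe", "write", r"C:\Users\alice\Documents\memo.docx", PLAINTEXT)]
    # archiver writing compressed output: high entropy, but nothing else
    + [("backup.exe", "write", rf"D:\archive\part{i}.zip", CIPHERTEXT) for i in range(6)]
    # ransomware-like process: overwrite, rename, drop a note everywhere
    + [("svchost_.exe", "write", f, CIPHERTEXT) for f in _VICTIM_FILES]
    + [("svchost_.exe", "rename", f, f + ".locked") for f in _VICTIM_FILES]
    + [("svchost_.exe", "create", ntpath.join(d, "HOW_TO_RECOVER.txt"), None) for d in _NOTE_DIRS]
)


def profile_processes(events):
    """Aggregate per-process features from (process, op, path, extra) events."""
    prof = defaultdict(lambda: {"writes": 0, "high_entropy": 0, "renames": 0,
                                "new_exts": set(), "note_dirs": defaultdict(set)})
    for proc, op, path, extra in events:
        p = prof[proc]
        if op == "write":
            p["writes"] += 1
            if shannon_entropy(extra) >= HIGH_ENTROPY:
                p["high_entropy"] += 1
        elif op == "rename":
            p["renames"] += 1
            old_ext = ntpath.splitext(path)[1].lower()
            new_ext = ntpath.splitext(extra)[1].lower()
            if new_ext != old_ext:
                p["new_exts"].add(new_ext)
        elif op == "create":
            name = ntpath.basename(path).lower()
            p["note_dirs"][name].add(ntpath.dirname(path).lower())
    return prof


def ransomware_indicators(p):
    """Return the indicator strings a single process profile triggers."""
    reasons = []
    if p["writes"] >= MIN_FILES and p["high_entropy"] / p["writes"] >= 0.8:
        reasons.append("mass high-entropy overwrites")
    if p["renames"] >= MIN_FILES and len(p["new_exts"]) == 1:
        reasons.append(f"uniform new extension {next(iter(p['new_exts']))}")
    for name, dirs in p["note_dirs"].items():
        if len(dirs) >= MIN_NOTE_DIRS:
            reasons.append(f"'{name}' created in {len(dirs)} directories")
    return reasons


def detect(events, min_indicators=2):
    """Map process -> indicators for processes with at least `min_indicators`."""
    hits = {}
    for proc, p in profile_processes(events).items():
        reasons = ransomware_indicators(p)
        if len(reasons) >= min_indicators:
            hits[proc] = reasons
    return hits


if __name__ == "__main__":
    for proc, reasons in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}: {'; '.join(reasons)}")
```

Run as a script it alerts only on `svchost_.exe`; `backup.exe` trips the entropy signal alone and stays quiet. Real endpoint agents act on the same kind of evidence but at much higher event rates and with the option to suspend the process, which is why the EDR bullet matters more than any single signature.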