What does a ransomware attack look like?

What is ransomware?

Ransomware is a type of malicious software (malware) that encrypts files on a device and demands payment in order to restore access. It has become an increasingly common cyber threat in recent years. Ransomware typically spreads through phishing emails or by exploiting vulnerabilities. Once installed, it will encrypt files using encryption algorithms and essentially hold the files hostage until the demanded ransom is paid.

How does a ransomware attack unfold?

A ransomware attack typically unfolds in the following stages:

1. Initial compromise

The first stage involves the attacker gaining initial access to a network, usually through phishing emails sent to employees. These emails may contain malicious attachments or links that download the ransomware when opened or clicked on. The ransomware can also be installed through exploit kits that target vulnerabilities in applications.

2. Lateral movement

Once inside the network, the attacker will often attempt to move laterally and gain administrative privileges. This allows them to infect more devices on the network. They may steal credentials or exploit vulnerabilities to do this.

3. Encryption

When ready, the attacker will trigger the installed ransomware to run on compromised devices across the network. The ransomware will encrypt files, folders, drives, or entire servers. Different strains of ransomware use different encryption algorithms, but the end result is the same – the files become inaccessible to the user.

4. Extortion

Once encryption is complete, the ransomware displays a ransom note demanding payment, usually in cryptocurrency like Bitcoin. The note threatens permanent data loss if payment is not made within a short timeframe. The ransom amount can range from a few hundred to millions of dollars.

5. Recovery

If payment is made, attackers may provide a decryption key to restore data. However, there is no guarantee they will comply. The best recovery option is to restore encrypted files from backups, if available. Otherwise, decryption is very difficult without the attacker’s key.

What systems and data are impacted?

Ransomware can target and encrypt:

– Personal documents, photos, videos on desktops and laptops
– Shared folders and drives on servers
– System files on individual computers which causes them to crash
– Databases, virtual machines, and cloud storage if connected to the infected network

Essentially anything connected to an infected system that contains files could potentially be encrypted during a ransomware attack.

What are the signs of a ransomware attack?

On a single computer

Signs that a specific computer may be impacted by ransomware include:

– Being unable to access files and data
– Files having unfamiliar or encrypted extensions
– A ransom note left as text or html on the desktop
– Strange processes or services running in the Windows Task Manager
– System crashes or boot up failures

On a network

Signs that a wider network is under attack by ransomware include:

– Multiple users reporting file access issues
– Shared files and folders becoming inaccessible
– Server operations like printing slowing or failing
– Ransom notes appearing on multiple computers
– Antivirus software being disabled
– Strange network traffic patterns to unknown locations

What does the ransom note look like?

The ransom note is the message displayed after encryption which details the ransom demands. It is usually left as a text or html file in an obvious location like:

– Desktop
– Shared network folder
– Login/splash screen

Ransom notes often:

– Inform victims their files are encrypted and inaccessible
– Provide a timeframe before which payment must be made
– Threaten permanent deletion of data if payment isn’t received
– Provide instructions for payment in cryptocurrency

Examples include bitcoin wallet address, ransom amount, and steps for making payment. Ransom notes may also try to intimidate victims by displaying high ransom figures.

What are ransomware’s impacts on an organization?

Ransomware can severely impact an organization’s operations including:

Business disruption

– Employees unable to access documents, email, servers needed for daily business activities
– Operations grind to a halt as systems become unavailable
– Loss of productivity and revenue as focus shifts to dealing with attack

Reputation damage

– Cyber attacks reflect poorly on security posture
– Shareholders, customers lose confidence in breached organization
– Public knowledge of attack attracts further malicious activity

Financial costs

– Direct ransom demands which may range from hundreds to millions of dollars
– IT and incident response costs to investigate, remediate, and bolster security after attack
– Revenue losses from business disruption during downtime
– Legal, PR, and regulatory compliance costs

Data Loss

– Encrypted files permanently lost if decryption key not obtained
– Backups deleted or encrypted may make restoration difficult
– Business critical data and IP stolen during attack

What steps do attackers take to increase ransom likelihood?

Attackers use various tactics to pressure victims into paying ransom demands:

Short payment deadlines

Ransom notes often threaten permanent data loss if payment isn’t made within 24-48 hours. This creates urgency to pay the ransom to recover files.

Incremental deadlines

If the initial deadline isn’t met, attackers may extend it in exchange for a higher ransom amount. This further pressures victims.

Stolen data threats

Attackers may threaten to publicly release sensitive data exfiltrated during the attack if the ransom isn’t paid.

Intimidating ransom demands

Large ransom totals intimidate victims into thinking paying is cheaper than rebuilding systems. However, paying encourages more attacks.

Scare tactics

Ransom notes emphasize consequences like legal liability, financial costs, and permanent data loss if ransom isn’t paid.


Demands for untraceable cryptocurrency payments coupled with anonymous communication make attackers hard to identify.

What are the different types of ransomware?

There are several major families and strains of ransomware, classified by their behavior:

Encrypting ransomware

The most common type that encrypts files and makes them inaccessible until decryption key is provided after paying ransom. Examples:

– WannaCry
– CryptoLocker
– CryptoWall

Locker ransomware

This ransomware locks users out of the operating system or computer itself until the ransom is paid. Examples:

– REvil
– MegaCortex


Threatens to publish sensitive data stolen during the attack unless ransom is paid. Examples:

– CL0P
– DoppelPaymer


Ransomware-as-a-Service enables affiliates to easily distribute ransomware. Examples:

– Ryuk
– Sodinokibi

Mobile ransomware

Designed to lock access or encrypt data on mobile phones and tablets. Examples:

– Android Defender
– Koler

What are the most common ransomware delivery methods?

Phishing emails

Malicious email attachments or links to load and execute ransomware code. Common formats include Office docs, PDFs, scripts like JS.

Software vulnerabilities

Exploiting known weaknesses in operating systems, applications, services to install and run ransomware.

Remote desktop access

Brute forcing RDP access or stealing admin credentials provides backend entry point to deliver ransomware manually across a network.

Drive-by downloads

Browsing to websites compromised with exploit kits that target browser or plugin vulnerabilities to install ransomware.

Removable media

Infected USB drives, external hard disks, CDs/DVDs used to manually transfer ransomware onto computers offline.

What are the most common ransomware targets?

Microsoft Office

Office documents like Word, Excel commonly used to distribute macros and scripts carrying ransomware.

Out-of-date software

Vulnerable, unsupported operating systems and software more easily exploited to deliver ransomware.

Healthcare organizations

Ransomware cripples critical systems and patient records availability. Attacks can be life threatening.

State and local government

High value target with growing ransomware attacks impacting services, data availability.

Educational institutions

Wealth of sensitive data combined with cybersecurity weaknesses make schools ransomware targets.

Cloud environments

Syncing with infected on-prem systems can propagate ransomware to cloud-based files and VMs.

What are the most devastating ransomware strains?

Ransomware Strain Year Impact
WannaCry 2017 Over 200,000 computers across 150+ countries encrypted. Disrupted critical infrastructure like healthcare, logistics, telecoms.
NotPetya 2017 Caused over $10 billion in global damages. Quickly spread through large multinational companies.
Ryuk 2018 Targeted enterprises and earned over $150 million in ransom. Known for high ransom demands.
Sodinokibi 2019 RaaS model amplifies attack reach. Leaked data when ransom not paid. Earned $123 million+.
Conti 2020 RaaS ransomware heavily used to attack healthcare, government, and education.

What steps help defend against ransomware?

User education

Training users on phishing and social engineering helps avoid email-based attacks.

Email security

Tools like spam filtering and antivirus help stop phishing emails and malicious attachments from reaching users.

Vulnerability management

Patching known weaknesses used by ransomware to exploit systems reduces attack surface.

Segmented networks

Prevents lateral ransomware spread between systems if initial compromise occurs.

Offline backups

Critical for restoring encrypted data without paying ransom. Test regularly.

Ransomware detection

EDR software can detect ransomware behavior to alert and respond to limit damage.

Incident response plan

Having a plan for investigation, containment, communication minimizes business disruption.

How can encrypted data be recovered without paying ransom?

From backups

Restoring data from offline, uninfected backups disconnected from network.

Using decryption tools

Free decryption tools exist for some ransomware strains if encryption is basic.

Decryption keys

Keys publicly released years later once attackers abandon older ransomware.

Brute forcing

Trying every decryption key possible via computing power. Only works for weak encryption.

Exploiting flaws

Errors in ransomware code or encryption implementation may enable decrypting some files.

Forensic analysis

Examining ransomware code on infected systems provides insights into decryption methods.

Paying ransom

Obtaining decryption tools by paying is risky. Encourages more attacks.


Ransomware is a continuously evolving cyber threat capable of crippling organizations and causing long term damage extending beyond just the ransom payment itself. By better understanding how ransomware attacks unfold, the potential impact, and specific defense strategies organizations can hope to reduce their risk. Having incident response and business continuity plans in place remains crucial however to effectively manage ransomware attacks. With advanced prevention, detection, and recovery mechanisms the devastating effects of ransomware can be minimized.