How ransomware attacks work

Defending against a ransomware attack is only possible if you know how the attackers work. The good news is that they tend to follow the same methods time and time again. You can massively increase your chances of staying safe if you mitigate against these threats. Here’s how a ransomware attack typically works.

How does a ransomware attack start?

The most likely way that ransomware attackers will begin their campaign against your organisation is by sending an email. This will almost certainly be one of the following:

  • A request for your login details, either:
    • in the email itself (phishing) or
    • on a webpage that you reach by clicking a link in the email (phishing)
  • A link to something that sounds useful but is actually harmful software that:
    • you need to run manually (social engineering) or
    • will run itself automatically (exploit)
  • An email that falsely claims you have already been attacked and demands a ransom (social engineering)

Vectors of a ransomware attack

You might receive an SMS message on your mobile phone containing phishing or other social engineering links, as above. Attackers have also used automated phone calls to achieve the same goals.

These attacks might require that you visit links using your main computer so the attackers can gain remote access.

Some attackers infect websites with pop-up messages that direct visitors to download malicious software. More patient attackers can set up websites that they expect you to find useful and simply wait for you to discover them independently. These ‘waterhole’ attacks use automatic exploits against specific targets and don’t infect every visitor.

Finally, there is the insider attack, where a contractor or member of staff installs remote access or ransomware software directly onto a network.

Next steps

Attackers that target organisations need to gain access to many systems on the network, not just the computer owned by the initial victim. This is why we refer to ransomware as a payload.

The attacker might gain initial access, run some reconnaissance to find out what types of systems are available and then move through the network, seeking out the best targets. The classic stages of a hack apply just as much to ransomware attacks as anything else.

These usually involve finding out about a target, getting a foothold onto the network and then digging in deeper to find the best data to damage or steal. You can summarise it simply like this:

  1. Initial reconnaissance (open-source research, scanning the outer network)
  2. Initial contact (email, web query, SMS)
  3. Exploitation (technical or social engineering)
  4. Internal reconnaissance (scanning the inner network)
  5. Achieve main goals (persistence, damage, data theft)

Release the Ransomware!

Once the attackers have control of the target systems, they will deploy the ransomware software that encrypts files and possibly leaves information about how to pay the ransom. They might also steal copies of the data first, to further extort the organisation with threats of leaking.

Statistics suggest that ransomware attackers will return to previous victims, particularly if they receive a ransom payment.

It’s highly likely that they will attempt to set up a persistent presence on the network, hiding on systems unaffected by the ransomware. This allows them to run another attack in the future without having to repeat the initial attack stages.

By avoiding the affected systems, they also reduce the risk of being ‘cleaned’ out of the network when the victim recovers from the attack.

Simon is founder and CEO of SE Labs. SE Labs aims to improve information technology security by assessing products and services designed to detect attacks, protect against intrusions or both. Sign up to its monthly newsletter and listen to its award-winning podcast, DE:CODED.

Simon Edwards

Simon is the founder of SE Labs and a Board member of the Anti-Malware Testing Standards Organization (AMTSO). He has penned multiple articles on cybersecurity and frequently contributes to our security section.