What Actually Happens During a Ransomware Attack? Here's A Step by Step Look

You've certainly seen ransomware in the news. From enterprises to SMBs, businesses of all sizes and industries are increasingly targeted by both commodity and human-operated ransomware. But what actually happens over the course of an attack, and what operational and legal implications can it have for your business? We'll take a deep dive into where ransomware comes from, the types of attack, what happens at each stage, and the best strategies for mitigating the fallout.

Here's What Your Business Should Know About Mitigating a Ransomware Attack, Step by Step:

What Is Ransomware?

Ransomware is malware that denies a victim access to their data or systems, usually by encrypting them, until a monetary demand is met; modern operations typically steal the data as well and threaten to publish it. These attacks can be extremely profitable, which has encouraged the growth of an entire underground ransomware economy of access brokers, operators, and affiliates. Initial access brokers compromise networks to establish a foothold and then sell that access to other criminals. A ransomware-as-a-service (RaaS) operator designs and maintains the tooling needed to complete an attack (the malware itself, the negotiation and messaging portal, and payment processing). A ransomware affiliate buys access from a broker and/or rents the platform from an operator, carries out the intrusion, runs the ransomware payload, and shares the ransom with the operator. The businesses they target suffer disruption, reputational damage, financial losses, and potential regulatory fines.

These days, ransomware tends to fall into two major categories, commodity and human-operated, which differ in who runs them, how, and against whom:

Actor
  Commodity: "out-of-the-box" malware deployed by individuals or unsophisticated criminals
  Human-operated: sophisticated, hands-on-keyboard intrusions run by highly skilled criminal groups
Strategy
  Commodity: rudimentary attacks aimed at a large number of businesses
  Human-operated: curated attacks, typically against high-profile targets with a high potential payout
Target
  Commodity: typically small and mid-sized businesses
  Human-operated: large organizations or government agencies
Method
  Commodity: automated malware, often readily available for purchase, designed to quickly lock endpoints and data
  Human-operated: targeted intrusions that exfiltrate sensitive data or cut off access to critical infrastructure; the intrusion may take weeks or months before the payload is deployed


Step #1 - Initial Compromise

It's vital to understand the stages of a ransomware attack so that your business can develop a mitigation strategy for each one. During the initial compromise phase, the attacker establishes a foothold in your environment. Common entry points are phishing, exploitation of unpatched vulnerabilities in hardware or software (especially internet-facing systems), stolen credentials, trojanized or pirated software, and brute-force attacks against exposed remote-access services. Your business can help mitigate these threats with the following strategies:

  • Enforce zero trust user and device validation before granting access
  • Use threat intelligence to block known malicious infrastructure and actors
  • Train employees on a routine basis to recognize and report phishing
  • Maintain software updates and proactively address vulnerabilities, prioritizing internet-facing systems
  • Enforce multi-factor authentication, especially on remote access and administrative accounts, and strengthen password policy

Step #2 - Attack Escalation

During the escalation period, the attacker strengthens their position within your IT environment. They escalate privileges, which lets them move laterally across the network and reach sensitive data in operations, sales, finance, human resources, and marketing. Along the way they harvest credentials, including those of administrators and executives, typically by dumping them from compromised machines and reusing them elsewhere. Common techniques at this stage include exploiting known vulnerabilities, deploying additional tooling and malware, and establishing persistence so that access survives a reboot or a password change. At this stage it is essential to monitor user and account behavior and to log security events, so that the intrusion is detected before the payload is deployed:

  • Enforce session security for administration portals
  • Continuously monitor resources for abnormal activity
  • Implement automation to isolate any compromised resources
  • Limit account access to sensitive data with privileged access management
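The monitoring called for in Steps 1 and 2 is easiest to make concrete as a detection rule. The following is an added example, not code from the original article or from iCorps: it runs two checks over a handful of constructed Windows Security events (event IDs 4625/4624 for failed and successful logons, 4728/4732/4756 for additions to security groups). The first flags a burst of failed logons from one source followed by a success, which is the brute-force entry described in Step 1; the second flags an account being added to a privileged group, which is the escalation described in Step 2. The pipe-separated event format, the sample IPs and account names, and the list of privileged groups are assumptions made for the example.

```python
"""Two escalation-stage detections run over Windows Security log events.

1. Brute force / password spraying that eventually succeeds: several failed
   logons (event 4625) from one source followed by a successful logon (4624)
   from the same source within a short window.
2. Privilege escalation: an account added to a privileged group
   (4728 global, 4732 local, 4756 universal security-group membership).

The event lines below are constructed for this example, one event per line:
timestamp|event_id|source_ip|account|group   ('-' when no group applies).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Assumed set of groups whose membership changes always deserve review.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

SAMPLE_EVENTS = """\
2024-03-04T02:10:01|4625|10.0.5.23|jsmith|-
2024-03-04T02:10:03|4625|10.0.5.23|jsmith|-
2024-03-04T02:10:04|4625|10.0.5.23|jsmith|-
2024-03-04T02:10:06|4625|10.0.5.23|jsmith|-
2024-03-04T02:10:07|4625|10.0.5.23|jsmith|-
2024-03-04T02:10:09|4625|10.0.5.23|jsmith|-
2024-03-04T02:10:12|4624|10.0.5.23|jsmith|-
2024-03-04T02:31:45|4728|10.0.5.23|jsmith|Domain Admins
2024-03-04T08:15:00|4625|10.0.7.8|mlee|-
2024-03-04T08:15:30|4624|10.0.7.8|mlee|-
2024-03-04T09:00:00|4728|10.0.2.2|itadmin|Marketing
"""


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, event_id, src, account, group = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "src": src, "account": account,
                       "group": None if group == "-" else group})
    return sorted(events, key=lambda e: e["ts"])   # collected logs are not always in order


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a successful logon preceded by at least `threshold` failures from the
    same source within `window`. One failure before a success is a typo; a burst
    of failures followed by a success is a guessed or sprayed password."""
    recent_failures = defaultdict(deque)   # source ip -> timestamps of recent 4625s
    alerts = []
    for e in events:
        failures = recent_failures[e["src"]]
        while failures and e["ts"] - failures[0] > window:
            failures.popleft()             # expire failures that fell out of the window
        if e["event_id"] == FAILED_LOGON:
            failures.append(e["ts"])
        elif e["event_id"] == SUCCESS_LOGON and len(failures) >= threshold:
            alerts.append({"type": "brute_force_success", "src": e["src"],
                           "account": e["account"], "failures": len(failures),
                           "at": e["ts"].isoformat()})
            failures.clear()               # one alert per burst, not one per later success
    return alerts


def detect_privileged_group_adds(events, privileged=PRIVILEGED_GROUPS):
    """Flag membership additions to high-privilege groups. Legitimate changes are
    rare enough that every one should be checked against a change record."""
    return [{"type": "privileged_group_add", "src": e["src"], "account": e["account"],
             "group": e["group"], "at": e["ts"].isoformat()}
            for e in events
            if e["event_id"] in GROUP_ADD_EVENTS and e["group"] in privileged]


def run_detections(text):
    events = parse_events(text)
    return detect_brute_force(events) + detect_privileged_group_adds(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the first rule fires once for 10.0.5.23 (six failures, then a success for jsmith) and the second fires once for the same account being added to Domain Admins twenty minutes later; the single failed logon for mlee and the addition to the Marketing group are ignored. In production the thresholds, the window, and the privileged-group list would come from your own environment, and the two alerts would be correlated on source and account rather than merely listed.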

It's important to remember that the pre-ransom phases can take weeks or months, and during that time it can be difficult to spot attackers lurking in your network. Once the attacker has what they need and deploys the ransomware payload, however, encryption across the environment can complete in a matter of hours, so the earlier stages are where defenders have the most leverage to detect and evict them.


Step #3 - Exfiltration

During this phase, the attacker copies (exfiltrates) your company data out of the network, usually to use as leverage: if you can restore from backups and refuse to pay, they threaten to publish it. Exfiltration is typically followed by deployment of the ransomware payload itself. The attacker disables or evades endpoint defenses, pushes the malware to as many endpoints as possible, and encrypts business-critical files, restricting access to critical systems in preparation for the ransom demand. To limit the damage from exfiltration and encryption, your business should:

  • Review user permissions to sensitive data and remove access that is no longer needed
  • Perform regular, tested backups and keep at least one copy offline or immutable, since attackers look for and encrypt any backups they can reach
  • Designate protected folders with controlled folder access, so that only trusted applications can modify them
  • Reduce broad read/write permissions on business-critical data
  • Move data to the cloud and take advantage of versioning, which lets you roll files back to the state they were in before encryption
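Exfiltration is usually visible in network telemetry if you look at outbound volume per host. The following is an added example, not code from the original article or from iCorps, of the kind of check a security operations team would run: it sums outbound bytes per internal host per day over constructed netflow-style records, compares each day against that host's own median from earlier days, and flags a host that suddenly sends tens of gigabytes to an external address. The CSV layout, the sample addresses (203.0.113.10 standing in for a normal SaaS endpoint, 198.51.100.77 for an attacker's drop host), and the internal address ranges are assumptions made for the example.

```python
"""Flag hosts whose outbound transfer volume to external addresses is far above
their own baseline, a common signature of the exfiltration stage.

Flow records below are constructed for this example, netflow-style:
timestamp, internal source host, destination, bytes sent.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# The organization's internal address space (an assumption for this example).
# Checked explicitly rather than via ip_address().is_private, which also treats
# the documentation ranges used in the sample data as "private".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_FLOWS = """\
ts,src,dst,bytes
2024-03-01T10:00:00,10.0.5.23,203.0.113.10,1200000
2024-03-02T10:00:00,10.0.5.23,203.0.113.10,900000
2024-03-03T10:00:00,10.0.5.23,203.0.113.10,1500000
2024-03-04T01:20:00,10.0.5.23,198.51.100.77,38000000000
2024-03-04T01:40:00,10.0.5.23,198.51.100.77,22000000000
2024-03-01T09:00:00,10.0.7.8,10.0.1.5,5000000000
2024-03-01T09:00:00,10.0.7.8,203.0.113.10,2000000
2024-03-02T09:00:00,10.0.7.8,203.0.113.10,2100000
2024-03-03T09:00:00,10.0.7.8,203.0.113.10,2200000
2024-03-04T09:00:00,10.0.7.8,203.0.113.10,2300000
"""


def is_external(dst):
    addr = ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_external_egress(flow_csv):
    """Sum bytes per (source host, calendar day) for flows leaving the internal network."""
    totals = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if not is_external(row["dst"]):
            continue                      # east-west traffic is out of scope for this check
        day = datetime.fromisoformat(row["ts"]).date()
        totals[row["src"]][day] += int(row["bytes"])
    return totals


def find_exfiltration(flow_csv, ratio=10, min_bytes=1_000_000_000):
    """Flag (host, day) pairs whose external egress is at least `min_bytes` and more
    than `ratio` times the host's median egress on earlier, unflagged days.
    A host with no history is judged against the absolute floor alone, so a fresh
    workstation that immediately pushes tens of gigabytes out is still caught."""
    alerts = []
    for host, per_day in daily_external_egress(flow_csv).items():
        history = []
        for day in sorted(per_day):
            sent = per_day[day]
            baseline = median(history) if history else None
            suspicious = sent >= min_bytes and (baseline is None or sent > ratio * baseline)
            if suspicious:
                alerts.append({"host": host, "day": day.isoformat(),
                               "bytes": sent, "baseline": baseline})
            else:
                history.append(sent)      # keep flagged days out of the baseline
    return alerts


if __name__ == "__main__":
    for a in find_exfiltration(SAMPLE_FLOWS):
        print(f"{a['host']} sent {a['bytes'] / 1e9:.1f} GB to external hosts on "
              f"{a['day']} (baseline {a['baseline']} bytes/day)")
```

On the sample data only 10.0.5.23 is flagged, for 4 March: 60 GB sent to 198.51.100.77 in the early hours against a baseline of about 1.2 MB per day. The 5 GB that 10.0.7.8 moved to an internal file server is ignored, and its steady couple of megabytes a day to the SaaS endpoint never approaches the threshold. Real deployments add the destination (a first-seen external address, a cloud storage provider the business does not use) and the time of day as further signals.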

Step #4 - Ransom

At this point, the attack is in full swing. The perpetrator has made contact, shared the terms of the ransom, and acted on their threat: systems are encrypted, and any stolen data is held over you with the threat of publication. Contact usually comes through a ransom note pointing to a negotiation portal or messaging channel, and payment is typically demanded in cryptocurrency, which makes it hard (though not impossible) to trace. The best course is to invoke your incident response and disaster recovery plans, notify law enforcement, and avoid paying the ransom. Even if a ransom is paid, there is no guarantee that the decryptor will work or that the stolen data will be deleted, and paying funds more cybercrime. Some ransomware groups are also subject to government sanctions, so a payment can itself create legal exposure; get legal advice before any payment decision. Work with your IT or incident response team to ensure a holistic clean-up, including removal of the attacker's persistence mechanisms and a reset of every credential they could have captured, so that the same access cannot be reused. Going forward, we recommend the following:

  1. Build a security culture - assume breach and adopt zero trust. Build resiliency with regular training and strong processes that empower people to make the right decisions.

  2. Prepare a recovery plan - remediate damage and remove persistence with solutions that work holistically. Deploy data backup capabilities that let you resume operations as quickly as possible.

  3. Stop ransomware in its tracks - invest in ransomware prevention with comprehensive solutions that work together with your environment to block ransomware before it harms your business.

Repercussions of a Ransomware Data Breach

For a long time, ransomware was predominantly viewed as a security concern. While that is still very much the case, ransomware is increasingly also a privacy concern for impacted businesses. A large share of ransomware operations today not only encrypt corporate files but exfiltrate them first, meaning that huge amounts of sensitive client and employee data are exposed. Under increasingly strict state and industry data-breach and privacy laws, failure to protect this information can lead to serious fallout for businesses.

For example, if a biotech company that is a HIPAA covered entity or business associate is hit with ransomware, it may be subject to HIPAA's breach reporting requirements. HIPAA defines a breach as "...the acquisition, access, use, or disclosure of PHI [Protected Health Information] in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI." Following a suspected security incident, that biotech company would have to:

  1. Contain the impact and distribution of ransomware within their systems
  2. Remediate vulnerabilities that allowed the ransomware to enter their network
  3. Restore data lost during the attack and rebuild or replace any affected endpoints
  4. Conduct post-incident forensics to determine whether or not they have any regulatory, contractual, or other reporting obligations

Under HIPAA, an impermissible use or disclosure of PHI is presumed to be a breach unless the company can demonstrate, through a documented risk assessment, that there is a low probability the PHI was compromised, and guidance from the HHS Office for Civil Rights treats the encryption of electronic PHI by ransomware as such an impermissible use. Unless the biotech company can make that showing, it must comply with HIPAA's breach notification provisions: notifying affected individuals, the Secretary of Health and Human Services, and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets, all without unreasonable delay and no later than 60 calendar days after discovery. That requires a level of coordination, forensic evidence, and financial support that a company in the middle of recovery may not have or be able to muster in time.

Ransomware is more than isolated incidents at specific organizations - it's an entire industry, and it requires holistic prevention. Automation and machine learning can analyze signals that look like ransomware activity across your endpoints, cloud, and other resources. Solutions such as Microsoft Sentinel (SIEM) and Microsoft Defender (XDR) provide threat protection across devices, identities, applications, email, data, and cloud workloads. To learn more about ransomware prevention, reach out to iCorps for a free IT consultation.

