Additional Writing Credit: Evan McLean - Microsoft Certified Security Administrator for JIG Technologies

6 Phases of a Ransomware Attack

Illustration of a closed combination lock

Phase 1: Exploitation and Infection


The first step is to infect a victim’s computer with malware. This can be achieved by either:

  1. Forcing or tricking the victim to download an infected attachment through email (most common).
  2. A drive-by-download which refers to the distribution of software or malicious code without the user’s knowledge. This can be achieved through an advertising popup or other active portion of a web page. Clicking or even attempting to close a window can be interpreted as consent to download.
  3. An exploit kit which may start as a website that has been compromised. The site will covertly redirect traffic to another landing page that will profile the victim’s device for vulnerable browser-based applications.
  4. Exploiting weaknesses in RDP connections

Phase 2: Delivery and Exploitation

Once the malware has installed itself on the victim’s computer it will begin downloading a hidden executable (or .exe) file. When it is done delivering its malicious payload it will notify the cybercriminal

The criminal’s server (often referred to as ‘Command and Control’ – C2) is usually located in the dark web and works across anonymous networks.

The malware can also lay dormant for days or weeks and then spread itself out across networks and systems in an organization.

Illustration of a spy

Phase 3: Privilege Escalation and Keys

Illustration of a key

Once the cybercriminal is inside the victim’s computer, they start to execute several privilege techniques to gain access to files. In the case of an organization, they will also start scanning the computer to discover corporate networks, or active directory domains.

They mask their activity as an already running process (PID) and then try to give themselves file ownership or increase their security within the folders. Once they have higher privileges such as write or modify they can then start replacing the files with encrypted versions.

They use the network drives and look for backups then piggy back onto those backups and encrypt them. Cold storage solutions are the only way to defeat these kind of attacks.

To ensure the cybercriminal’s stability in the machine, they will often implement ‘backdoor’ options by installing remote desktop software or using compromised credentials.

C2 creates two cryptographic keys. One key is kept on the victim’s computer and the other is stored on C2.

Phase 4: Encryption

Before this stage, things are still reversible if detected on time. However, by this phase, the cybercriminal is in complete control.

The ransomware begins encrypting files. It uploads the newly encrypted files and deletes the originals.

Different ransomware uses different encryption methods which can include anything from encrypting the master boot record (MBR) of a file system or encrypting individual files or entire virtual machines. Common file extensions such as Microsoft Office documents to .jpg and more are all targeted.

Backups may be deleted or encrypted to prevent, or delay recovery.

Illustration of a page dissolving into pixels to indicate encryption

Phase 5: Extortion

Illustration of a bomb with a lit fuse

At this point the victim/s will receive a lock screen detailing the situation, the fact that their files are all encrypted and information explaining how to pay to get their files back.

Of course, the cybercriminal requests a certain sum of money to be paid in bitcoin. The typical fee for individuals is between $300USD and $500USD

Corporation may pay in the hundreds of thousands, to the millions.

There is often a time limit associated with the payment window in order to motivate the victim to pay quickly and not search out alternative resolutions.

Phase 6: Payday

At this point, most victims and organization decide to pay since the cost of recovery or partial recovery may exceed the ransom request.

In some cases, with major infrastructure organizations, each minute ticking away can cost thousands of dollars, and possibly affect the safety of hundreds of people (as in the cases where hospitals were targeted). With this in mind, payouts are the most likely resolution.

Illustration of a safe