Exclusive Webinar: Your NDR is not doing enough! Find out what you need to supercharge it!
Get a Demo

Understanding and Preventing Ransomware Attacks: A Comprehensive Guide

  • Sarika Sharma

Recent years have seen a considerable increase in ransomware attacks. It has had an impact on infrastructure, individuals, and enterprises of all sizes. According to a Cybersecurity Ventures estimate, attacks will occur every two seconds and cost the global economy over $265 billion by 2031. The impact is bad, from money loss to data leaks and harm to reputation.

What Is Ransomware Attack?

A ransomware attack is a type of cybercrime where malicious software encrypts files/folders and locks victims out of their system. In return, they’d ask for ransom for decryption key.

Ransomware can spread through phishing emails, outdated software, or downloaded files from unreliable sources. It not only interrupts operations but also puts data at risk, especially with double extortion tactics.

What is Ransomware Attack Defined

In 2024, the average ransom demand rose to $1.5 million. This clearly shows attackers are becoming more daring. Companies not agreeing to pay the ransom often suffer serious repercussions like operational and reputational damage, and in some cases the cost of fixing the damage might exceed the ransom amount itself.

Step-by-Step Breakdown of a Ransomware Attack

Ransomware attacks are deliberate activities designed to exploit vulnerabilities in networks and systems. The victim’s systems are greatly impacted as each phase of the attack builds upon the one before it. Let’s have a look at the specific steps involved:

How Ransomware attack works - Infographic

1. Initial Entry: Exploiting Entry Points

The attack starts by getting into the target’s network or system. This part uses different methods, such as:

  • Phishing Emails: The most common way attackers get in. They send emails that look real, often pretending to be from trusted sources. These emails have malicious links or files.
  • Exploiting Vulnerabilities: Criminals look for outdated software. They target vulnerable spots in operating systems or popular applications like Microsoft Office or web servers. The 2017 WannaCry ransomware used the EternalBlue exploit, a flaw in unpatched Windows systems.
  • Drive-By Downloads: Malicious code is embedded on compromised websites. When you visit these sites, ransomware downloads without you knowing. This works well in favor of cybercriminals if you lack adequate browser or endpoint security protections.

2. Establishing Persistence: Securing a Foothold

Once inside, ransomware needs to stay hidden and avoid detection. This includes:

  • Manipulating System Processes: The malware pretends to be legitimate system files or processes. For example, Ryuk ransomware stops antivirus software by changing security processes.
  • Evading Detection: Sophisticated ransomware uses methods like hiding its code and encrypting data to stay unnoticed by antivirus programs and intrusion detection systems (IDS).
  • Creating Backdoors: Attackers create hidden backdoors to ensure re-entry, even if the initial ransomware is found and removed.

3. Lateral Movement: Spreading Across the Network

Once the ransomware gets a foothold, it spreads across the entire network.

  • Infecting Shared Drives: It targets shared folders and network drives, encrypting data on multiple systems.
  • Gaining Privilege Access: Attackers often try to get administrative privileges to access important files and systems.
  • Attacking Cloud Storage: Many companies use cloud services for backups and daily operations. If attackers get access to the servers, they encrypt that data as well.
  • Spreading to IoT Devices: If it’s a sophisticated attack, the ransomware might target peripheral devices like printers, security cameras, or other IoT equipment.

4. Data Encryption: Locking Files with Advanced Techniques

The main feature of ransomware attacks is the encryption of data. Key methods include:

  • Encryption Algorithms: Most ransomware uses robust encryption methods like Advanced Encryption Standard or Rivest-Shamir-Adleman.
  • Choosing Targets: Important files, such as financial records, intellectual property, or operational documents, are usually the first to be encrypted. Some ransomware even checks how important the files are before locking them.
  • Ransom Note: The victims receive a demand for payment, often through a text file or a pop-up window. The note usually includes instructions on how to pay, deadlines, and warnings about data being destroyed or shared publicly.

5. Exfiltration and Blackmail: Double Extortion

Recent ransomware attacks often use a method called double extortion, which is a big change from older ways:

  • Data Exfiltration: Before encrypting the files, attackers take sensitive data from the victim’s computer. This helps them make their demands stronger.
  • Blackmail Threats: If the victims don’t pay, attackers threaten to put the sensitive data online or sell it on the dark web. The Maze ransomware group was well-known for sharing data from victims who didn’t pay.

This method puts more pressure on victims and can cause bigger problems, possibly involving regulatory authorities if sensitive customer data is revealed.

6. Ransom Negotiation: The Final Step

At the end, attackers start collecting the ransom:

  • Cryptocurrency Payments: They ask for Bitcoin or other digital money to stay anonymous. A report by Chainalysis said that in 2022, people paid over $456 million in ransom using these digital currencies.
  • Unpredictable Results: Paying the ransom doesn’t ensure the description keys. Also, paying ransoms can lead to more attacks, making the problem worse.

Real-World Example of an Attack Flow

Let’s look at the Ryuk ransomware attack on a Florida city in 2019:

  • The attack started with a phishing email that had a malicious attachment.
  • Ryuk got into the city’s computer systems, disabled the antivirus software, and spread across the network.
  • Important city services, like payroll and utility bill systems, were encrypted.
  • The attackers asked for 42 Bitcoin (about $600,000) and got paid, but fixing the damage was slow and not fully successful.
Inside the Ryuk Ransomware Attack: Expert Insights

In this video, Fidelis Security experts uncover:

  • The attack flow
  • Tactics used by attackers
  • Lessons for prevention
Watch the Case Study Video

Knowing how these attacks happen step by step is important for creating strong defenses and responding effectively.

Types of Ransomwares

Ransomware comes in different types, each with unique features and methods. Knowing these types is important for creating good ways to stop and deal with them.

1. Encrypting Ransomware

This ransomware is the most common and destructive one. It attacks the files and encrypts them with strong algorithms making them unusable.

How It Works: It looks for specific types of files like docs, pictures, and databases, then encrypts them with methods like RSA or AES. Once files are encrypted, a message pops up demanding ransom in return for the decryption key.

Examples: Ryuk, LockBit, and Conti

2. Locker Ransomware

Unlike encrypting ransomware, locker ransomware instead of encrypting, completely locks users out of their systems, making the operating system or important applications inaccessible.

How It Works: Locker ransomware shows a lock screen or message that stops the user from using their system. The attackers usually ask for payment in exchange for the code to unlock the system.

Example: WinLocker

3. Double Extortion Ransomware

This kind of ransomware uses both encryption and stealing data. Even if people restore their systems from backups, the attackers still have power by threatening to share sensitive data.

How It Works: Attackers take sensitive files and then encrypt them.

People are forced to pay the ransom to stop attackers from sharing or selling the stolen data on the dark web.

Example: Maze Ransomware

4. Ransomware-as-a-Service (RaaS)

Using this model, attackers without technical skills can also attack people. In this cybercriminal offer easy-to-use ransomware kits, and others carry out the attacks in return for a part of the money made.

How It Works: RaaS creators make and manage ransomware, selling it to others through underground markets.

Those who buy it get clear instructions, tools, and help to launch the attacks.

Examples: Sodinokibi (REvil) and DarkSide

5. Mobile Ransomware

As mobile devices become more common, ransomware has also extended to smartphones. This type of attack either locks the phone or encrypts the data on it.

How It Happens: Mobile ransomware usually spreads through malicious apps from untrusted app stores or fake links.

After being installed, it either locks the phone or encrypts the files, then asks for money to unlock or restore them.

Example: Congur

6. Disk-Wiping Ransomware

Disk-wiping ransomware doesn’t try to get money, instead, it wipes important data, usually for political or personal reasons.

How It Works: The attackers use the ransomware to delete MBR or remove key files, making the computer unusable.

Example: NotPetya

Real-Life Case Studies

Real-world ransomware attacks show potential harm that these threats can do to enterprises. These examples demonstrate the increasing sophistication of ransomware and the pressing necessity of strong security measures.

1. Ryuk Ransomware Attack on a Newspaper Publisher (2019)

In 2019, a big newspaper company in the U.S. was hit hard by a ransomware attack called Ryuk.

What Happened:

The attackers got in by tricking employees with phishing emails. After getting inside, Ryuk locked up the publisher’s critical systems, like those managing content, print operations, and distribution.

Ruyk Ransomware

Impact:

  • Newspapers delivery got delayed and production was halted. The organization’s operations were disrupted.
  • It cost more than $1 million to fix things, including paying the ransom (in bitcoins) and dealing with reputational damage.

2. WannaCry Outbreak (2017)

The WannaCry outbreak showed how fast ransomware can spread around the world.

What Happened: 

WannaCry exploited a vulnerability in Microsoft Windows (EternalBlue) that was first identified by the NSA and then made public by the hacker group Shadow Brokers. 

In a matter of hours, the ransomware spread autonomously, infecting over 200,000 devices across 150 nations.

WannaCry Ransomware Graphic

Impact:

  • In the UK, the National Health Service (NHS) had many of its systems shut down.
  • Important surgeries were postponed, patient records couldn’t be accessed, and people’s lives were at risk.
  • The total damage worldwide was estimated to be $4 billion, affecting healthcare, manufacturing, and logistics industries.

3. Colonial Pipeline Attack (2021)

The ransomware attack on Colonial Pipeline showed how cyberattacks can affect important parts of a country and people’s daily lives.

Colonial Pipeline Attack
(Source)

What Happened:

The attack was executed using DarkSide, and it targeted the systems of the biggest fuel pipeline in the U.S.

The attackers got into the network and encrypted important data, which made the pipeline stop working for several days.

Impact:

  • The pipeline being shut down caused fuel shortages, especially in the southeastern states. This led to people panic buying and prices spiked.
  • Colonial Pipeline paid $4.4 million in Bitcoin to get their systems back, but it was widely criticized.
  • The U.S. government started looking into what happened, and the FBI recovered part of ransom later.

4. Kaseya Supply Chain Attack (2021)

The REvil ransomware group showed how dangerous supply chain attacks can be when they targeted Kaseya, a company that makes software for managing IT systems.

What Happened:

REvil found a vulnerability in Kaseya’s Virtual System Administrator (VSA) software, which let them spread ransomware to thousands of businesses that used Kaseya’s software.

More than 1,500 businesses around the world, from small companies to big corporations, were affected.

kaseya ransomware Graphic

Impact:

  • REvil asked for a $70 million ransom, which is one of the biggest ransom demands ever.
  • Many businesses had to halt their operations for a long time, and the problem spread to industries like retail and healthcare.
  • Kaseya worked with cybersecurity experts to fix the problem without giving in to the ransom demand.

By studying these real-life cases, companies can better prepare for the changing ransomware environment and improve their protection measures.

Detecting Ransomware

Ransomware usually works quietly until it activates, so early detection is important to reduce damage. To spot possible ransomware activity, you need to be alert and use advanced monitoring tools. Here are some important signs to look out for and steps to take.

1. Unusual Network Traffic

Sudden increases in sending data out, especially to unfamiliar or questionable IP addresses, could suggest someone is stealing data or getting ready to encrypt it.

2. System Anomalies

Files being renamed with strange extensions (like .locked or .ryuk), suddenly disappearing, or becoming hard to access without a clear reason are clear signs of encryption.

3. Unauthorized Access Attempts

Unusual activities such as multiple unsuccessful login attempts, privilege escalations, or the addition of new admin accounts.

4. Unfamiliar Processes

Unrecognized programs or scripts running in the background. Look for processes using too much system power or exhibiting erratic behavior.

5. Ransom Notes or Alerts

Sudden appearance of ransom requests through pop-ups, text files, or startup screens.

Stop Ransomware in Its Tracks

This solution brief shows you how to:

  • Detect ransomware early
  • Map and secure cyber terrain
  • Strengthen defenses
Download the Solution Brief

Proactive Detection with Fidelis Elevate®

Fidelis Elevate® enhances ransomware detection with:

  • Behavioral Analytics: Recognizes unusual actions such as privilege escalations or unusual encryption patterns.
  • Automated Responses: Isolates the affected systems to stop the spread to other parts of the network.
  • Real-Time Threat Intelligence: Monitor emerging ransomware types and immediately notify the team.

Advanced tools such as Fidelis Elevate® help organizations stop ransomware threats before they can spread, keeping important systems and data safe.

Impact of Ransomware

Ransomware attacks cause serious problems that affect financial security, business operations, and its reputation. The damage can take many years to fix, and some companies may never fully recover.

CategoryDetailsExamples/Stats
Financial Losses
  • High costs from ransom payments, system recovery, downtime, and lost business opportunities.
  • Additional expenses like reputation damage and customer loss increase financial harm.
  • Average recovery cost: $4.54M in 2023 (IBM).
  • JBS paid $11M in Bitcoin to resolve an attack.
Operational Disruption
  • Interrupts critical services, halting operations in healthcare, transportation, education, and more.
  • Leads to cascading effects across industries and society.
  • WannaCry: Shut down UK’s NHS, delaying surgeries and treatments.
  • Colonial Pipeline: Disrupted fuel distribution, causing shortages and financial fallout in the U.S.
Reputational Damage
  • Breached customer trust damages long-term client relationships and brand image.
  • Double extortion ransomware leaks sensitive data, worsening trust issues.
Kaseya attack: Perceived vulnerabilities hurt the company’s IT sector standing.
Legal and Compliance Issues
  • Non-compliance with GDPR, CCPA, and similar regulations results in hefty fines.
  • Victims of breaches may sue, increasing financial and legal liabilities.
GDPR fines: Up to €20M or 4% of annual turnover.

Conclusion

Ransomware is still a persistent and evolving threat that can impact both individuals and organizations. Businesses must adopt a proactive approach by implementing robust cybersecurity measures and encouraging a culture of awareness.

Fidelis Elevate® is an essential ally in the fight against ransomware attacks because of its sophisticated threat detection and automated response capabilities. Businesses can protect their data, reputation, and financial health from the damaging effects of ransomware by employing prevention measures.

About Author

Picture of Sarika Sharma
Sarika Sharma

Sarika, a cybersecurity enthusiast, contributes insightful articles to Fidelis Security, guiding readers through the complexities of digital security with clarity and passion. Beyond her writing, she actively engages in the cybersecurity community, staying informed about emerging trends and technologies to empower individuals and organizations in safeguarding their digital assets.

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.

Get a Demo