How Ransomware Works: The Five Objectives Every Attack Follows

Understanding how ransomware works isn’t just academic curiosity – it’s the foundation for defending your organization against one of the most destructive cyber threats we face today. After analyzing countless ransomware incidents for our new book “Learning Ransomware Response and Recovery,” my co-author Dr. Mike Saylor and I have identified five core objectives that drive nearly every successful ransomware attack.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/how-ransomware-works-five-objectives-every-attack.

Sure, some campaigns deviate based on how specific ransomware variants are designed. Some attacks have particular goals that require unique approaches. But in general, ransomware operators follow a remarkably consistent playbook. Let’s walk through each objective and what it means for your defenses.

Objective 1: Gaining Initial Access – How Ransomware Works Its Way In

The first step in how ransomware works is getting through your front door. Attackers have three primary methods for gaining that initial foothold: phishing emails, purchasing credentials from initial access brokers (IABs), or exploiting vulnerabilities in your public-facing systems.

Email remains the cheapest and statistically most reliable attack vector. Users click on malicious links or open infected attachments, and boom – the attackers are in. It’s not sexy, it’s not particularly sophisticated, but it works. That’s why they keep doing it.

But here’s where it gets interesting: the rise of initial access brokers has fundamentally changed how ransomware works. These are criminals who specialize in harvesting credentials and selling them to ransomware operators. They’re not running the ransomware themselves – they’re just handling the access piece. It’s specialization in the cybercrime economy.

Think about it from the attacker’s perspective. Maybe they send a bunch of phishing emails and nobody clicks. Now they need a Plan B, so they go buy some credentials from an IAB. Or maybe they bought credentials first, but none of them work, so now they fall back to email campaigns. They’re flexible, adaptive, and persistent.

The third option is scanning for vulnerabilities. Attackers assess your environment looking for exploitable weaknesses in your public-facing systems. Find one, exploit it, and they’ve got access without needing anyone to click anything or having to purchase any credentials.

Objective 2: Lateral Movement and Reconnaissance – How Ransomware Works After Initial Access

Once attackers are inside your network, they don’t immediately start encrypting everything. That would be inefficient and might get them caught before they maximize their impact. Instead, they move laterally through your environment, mapping it out and identifying your most valuable assets.

This reconnaissance phase is critical to how ransomware works effectively. Attackers are looking for several things: Where’s your production data? Where are your backups? Where are your domain controllers? What’s your network topology? Who has the highest privileges?

They need to understand your environment to deploy their ransomware for maximum impact and maximum payout. If they encrypt the wrong systems or miss your critical data, they’re leaving money on the table. And make no mistake – this is a business for them.

The lateral movement phase is also when they’re elevating privileges, creating persistent access mechanisms, and generally setting themselves up for success. They might be in your network for days or weeks before you even know they’re there.

Objective 3: Establishing Command and Control

The third objective in how ransomware works is establishing communications with command and control (C2) servers. The attackers need to phone home. They need to tell their operators what they’ve found, receive instructions on how to proceed, and coordinate their activities across your network.

This is a vulnerable point for attackers. C2 communications can be detected if you’re monitoring your network traffic properly. Unusual outbound connections, especially to known malicious IP addresses or suspicious domains, can be indicators that something’s wrong.

But attackers have gotten sophisticated about hiding their C2 traffic. They might use legitimate cloud services, encrypted channels, or domain generation algorithms to make detection harder. Still, this is one area where good network monitoring can potentially catch an attack in progress.

Objective 4: Data Exfiltration – How Ransomware Works in the Era of Double Extortion

Here’s where how ransomware works has evolved significantly in recent years. It’s no longer enough to just encrypt your data and demand payment for the decryption key. Why? Because organizations got better at backups and recovery. If you can restore from backups, why would you pay?

Enter double extortion. Before encrypting your data, attackers now exfiltrate it – they copy it to their own systems. Now they’ve got two points of leverage: “Pay us to decrypt your data, and also pay us not to publish your sensitive information online.”

Even if you have perfect backups and can restore everything, you still have a data breach. You still have regulatory compliance issues. You still have customer trust issues. You still might have to pay.

This fundamental shift in how ransomware works means that backups alone are no longer sufficient protection. You need to prevent the attack from succeeding in the first place, because once they’ve exfiltrated your data, that cat’s out of the bag.

Objective 5: The Encryption Phase – How Ransomware Works to Lock Your Data

The fifth objective is the actual encryption of your data. This is what most people think of when they think about how ransomware works, but as we’ve seen, it’s actually the last step in a carefully orchestrated attack.

Encryption is resource-intensive. It’s math, and math takes processing power and memory. If you’re paying attention to your computer, you might notice warning signs: the mouse hesitates, typing lags, applications slow down, network performance degrades. These can all be indicators that something’s chewing up system resources in the background.

Modern ransomware is remarkably sophisticated. It doesn’t just look at file extensions to decide what to encrypt. Some variants examine file headers to determine what type of file they’re dealing with. You can’t fool them by renaming your spreadsheet as a DLL file and hiding it in your Windows directory. They’ll scan the file header, see it’s actually a spreadsheet, and encrypt it anyway.
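As an added illustration (not code from the post or the book), here is the header check the paragraph describes, put to a defender’s use: identifying a file’s real type from its leading bytes regardless of its name, and flagging files whose header no longer matches their extension or that have no recognizable header and near-random content, which is what encrypted files look like when you are scoping an incident or validating a restore. The signature table is a constructed subset, and the 7.5-bit entropy threshold is an assumed heuristic.

```python
import math
from pathlib import PurePath

# Constructed subset of magic-byte signatures (tools such as `file` use far larger
# tables). Key: leading bytes; value: (type label, extensions that normally carry it).
MAGIC = {
    b"PK\x03\x04": ("zip-based (xlsx/docx/jar)", {"xlsx", "docx", "pptx", "zip", "jar"}),
    b"%PDF-": ("pdf", {"pdf"}),
    b"\x89PNG\r\n\x1a\n": ("png", {"png"}),
    b"MZ": ("pe-executable (exe/dll)", {"exe", "dll", "sys"}),
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": ("ole2 (xls/doc)", {"xls", "doc", "ppt", "msg"}),
}

# Assumed heuristic: encrypted data is close to the 8-bit maximum; documents are well below.
ENTROPY_THRESHOLD = 7.5


def detect_type(data: bytes):
    """Return (type label, expected extensions) from the header, or None if unknown."""
    for sig, info in MAGIC.items():
        if data.startswith(sig):
            return info
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_file(name: str, data: bytes) -> str:
    """Classify a file by content, ignoring what its name claims it is."""
    ext = PurePath(name).suffix.lstrip(".").lower()
    found = detect_type(data)
    if found and ext not in found[1]:
        # A spreadsheet renamed to .dll is still recognised as a spreadsheet.
        return f"extension mismatch: looks like {found[0]}"
    if found is None and shannon_entropy(data[:4096]) > ENTROPY_THRESHOLD:
        # No known header and random-looking bytes: the usual signature of an encrypted file.
        return "unknown header, high entropy: possibly encrypted"
    return "ok"
```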

Interestingly, ransomware specifically avoids encrypting operating system files. Why? Because they want your system to remain functional. They want you to be able to boot up, see your encrypted files, and find the ransom note. If they encrypt everything and crash your system, you can’t pay them. It’s bad for business.

There was even a ransomware variant a few years back that didn’t look in the trash can. The response strategy? Delete everything you care about, move it to the trash, and it would be safe from that particular ransomware. Not a comprehensive defense strategy, but it worked for that specific threat.

The Final Step: Delivering the Ransom Note

The last piece of how ransomware works is delivering the ransom note itself. Back in the day, attackers would take over your desktop background or display a full-screen banner. It was flashy, attention-grabbing, and kind of newbie-ish.

Today’s ransomware operators are more subtle. They drop a text file in every folder where they encrypted something. You’ll find “README.txt” or “RANSOMWARE_NOTE.txt” on your desktop, in your documents folder, in every directory that contains encrypted files. The message is clear, but the delivery is less theatrical.

The note tells you what happened, how to contact the attackers, and what they want you to pay. Some ransomware groups even provide customer support to help victims figure out how to acquire and transfer cryptocurrency. They’ve professionalized the entire operation.

What This Means for Your Defense Strategy

Understanding how ransomware works through these five objectives gives you a framework for building better defenses. You need controls at each stage:

Initial Access: Security awareness training, email filtering, vulnerability management, multi-factor authentication, and credential monitoring.

Lateral Movement: Network segmentation, privilege management, endpoint detection and response (EDR), and monitoring for unusual authentication patterns.

Command and Control: Network traffic analysis, DNS filtering, threat intelligence feeds, and blocking known malicious infrastructure.

Data Exfiltration: Data loss prevention (DLP) tools, monitoring for unusual outbound traffic patterns, and encrypting sensitive data at rest.

Encryption: Behavioral analysis to detect mass file modifications, immutable backups that can’t be encrypted or deleted, and tested recovery procedures.
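As an added example (not code from the post or the book), here is a small behavioral detector covering two of the signals described above: one process rewriting or renaming many distinct files in a short window, and the same process dropping note-like files across many directories. It runs over a constructed set of file-system audit events; the field layout, thresholds and note-name pattern are assumptions, not any product’s format.

```python
from collections import defaultdict, deque
import posixpath
import re

# Assumed thresholds: distinct files touched by one process within WINDOW_S seconds,
# and distinct directories in which one process created a note-like file.
WINDOW_S = 10.0
MASS_THRESHOLD = 6
NOTE_DIR_THRESHOLD = 3
NOTE_RE = re.compile(r"(readme|restore|recover|decrypt|how_to|ransom)", re.I)

# Constructed sample audit events: (timestamp_s, process, action, path).
EVENTS = [(0.0, "winword.exe", "write", "/srv/share/finance/q3.docx"),
          (0.5, "winword.exe", "write", "/srv/share/finance/q3.docx")]
for i in range(8):                      # one process rewriting many files quickly
    EVENTS.append((5.0 + i * 0.3, "svc.exe", "rename",
                   f"/srv/share/finance/doc{i}.xlsx.locked"))
for d in ("finance", "hr", "legal"):    # the same process leaving a note in each folder
    EVENTS.append((8.0, "svc.exe", "create", f"/srv/share/{d}/README_TO_RESTORE.txt"))


def detect(events):
    """Return a sorted list of (process, reason) alerts, each reason reported once."""
    alerts = set()
    window = defaultdict(deque)         # process -> recent (timestamp, path) pairs
    note_dirs = defaultdict(set)        # process -> directories holding a note-like file
    for ts, proc, action, path in sorted(events):
        if action in ("write", "rename"):
            q = window[proc]
            q.append((ts, path))
            while q and ts - q[0][0] > WINDOW_S:
                q.popleft()             # drop events that fell out of the sliding window
            if len({p for _, p in q}) >= MASS_THRESHOLD:
                alerts.add((proc, "mass file modification"))
        if action == "create" and NOTE_RE.search(posixpath.basename(path)):
            note_dirs[proc].add(posixpath.dirname(path))
            if len(note_dirs[proc]) >= NOTE_DIR_THRESHOLD:
                alerts.add((proc, "ransom-note-like files in many directories"))
    return sorted(alerts)


if __name__ == "__main__":
    for proc, reason in detect(EVENTS):
        print(f"ALERT {proc}: {reason}")
```

A normal application saving the same document repeatedly (winword.exe above) never trips either rule, which is the distinction a real deployment has to tune for.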

No single control will stop a determined attacker. But by understanding how ransomware works and implementing layered defenses at each objective, you make it much harder for attackers to succeed. You increase their costs, slow them down, and create opportunities for detection and response before they achieve their goals.

This is just the beginning of what we’re covering in our book and this podcast series. We’re going to do literally a hundred episodes digging into different aspects of ransomware response and recovery. Stay tuned.

Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data.
