

How Does a Ransomware Attack Work?


Lauryn Cash

How does a ransomware attack work? Discover five components of a ransomware attack and a tool to assess your organization’s maturity for ransomware response.

How does ransomware work? Protect yourself by understanding the five steps of a ransomware attack.

You’ve probably heard about ransomware and the precarious position many businesses find themselves in after an attack. Ransomware attacks rose 150% during 2020 in response to security lapses exposed by sudden COVID-19 remote work arrangements. But rather than exploiting weaknesses in computer code, nearly 85% of data breaches involved defrauding humans. So how does ransomware work?

In a nutshell, hackers use ransomware (a type of malware) to take control of a computer, encrypting its contents and holding it hostage until a ransom is paid to restore access to it via a decryption key. Today we’ll take a deep dive into the five steps of a ransomware attack:

  1. Infection
  2. Security Key Exchange
  3. Encryption
  4. Extortion
  5. Recovery

Step 1: Infection

Hackers must gain access to your computer or data before they can launch a ransomware attack. Common infection methods include:


Phishing

Phishing (and more specifically, spear phishing) techniques are often used to plant ransomware on a victim’s computer system. Hackers place ransomware links in email attachments, and the malware then copies itself to other points in the computer network. In addition, hackers have honed their phishing techniques, using social engineering to trick people into following malicious links.

Online Chats

Discord, the VoIP and instant messaging platform designed for gamers, has become notorious for spreading malware, including ransomware of a different kind. Disguised as gaming-related cheats and tools, this ransomware locks data without demanding a ransom or offering any way to obtain decryption keys.

Telegram has also been identified as a channel for a remote access Trojan, or RAT. The RAT can lock up user files or even hijack the camera and mic on a PC.

USB Drives

USB drives can spread ransomware even if you get them from a trusted source. For example, Spora, a ransomware variant, can spread through zip files on USB thumb drives. Once a user opens the zipped file, it encrypts the user’s data and holds it for ransom.

Security Holes

Unpatched software leaves security holes that are easy targets for ransomware. Regular patch management is crucial to preventing ransomware attacks, as hackers are well versed in the software vulnerabilities that updates fix. In addition, when software is out of date, hackers can exfiltrate critical data without even harvesting credentials, making for easy ransomware wins.

Step 2: Security Key Exchange

Attaining a security key allows access to online systems, data, applications, and other devices. Unlike a physical key, a security key is a mathematical sequence that only the attacker knows. Once a target is infected, the attackers — or the ransomware software tools they’re using — are alerted, and security keys are exchanged.

When creating ransomware, the attacker generates a public key and embeds it in the ransomware. Once the ransomware gains access to a system, it encrypts the files using a symmetric key, generated randomly. The public key then encrypts the symmetric key.

The attacker can use the public key to decrypt the symmetric key and then decrypt the files.

The security key exchange is required to get to the next step: encryption.
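
The key handling described in this step, worked through as an added example (not code from the original article). It is a toy model: the small RSA primes, the hash-based stream cipher and all names are assumptions chosen so it runs with the Python standard library, and none of it is suitable for real use. It shows that the wrapped symmetric key is recovered only with the private exponent that pairs with the embedded public key; the public half, which is all an infected host ever holds, does not unwrap it.

```python
import hashlib
import secrets

# Toy RSA key pair (assumption for illustration): two Mersenne primes give a
# ~150-bit modulus, far too small for real use but enough to wrap a 128-bit key.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public half: the only part on the host
D = pow(E, -1, (P - 1) * (Q - 1))        # private half: stays with the key owner


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wrap_key(sym_key: bytes, n: int, e: int) -> int:
    """Encrypt (wrap) the symmetric key under the public key (n, e)."""
    return pow(int.from_bytes(sym_key, "big"), e, n)


def unwrap_key(wrapped: int, n: int, exponent: int) -> bytes:
    """Apply an exponent to the wrapped key and return the low 16 bytes."""
    return (pow(wrapped, exponent, n) % 2**128).to_bytes(16, "big")


def demo() -> dict:
    document = b"Q3 payroll export (constructed sample data)"
    sym_key = secrets.token_bytes(16)            # random symmetric key
    ciphertext = keystream_xor(sym_key, document)
    wrapped = wrap_key(sym_key, N, E)            # symmetric key is now sealed

    with_private = unwrap_key(wrapped, N, D)     # key owner's view
    with_public = unwrap_key(wrapped, N, E)      # what the host could try
    return {
        "private_recovers_key": with_private == sym_key,
        "public_recovers_key": with_public == sym_key,
        "recovered": keystream_xor(with_private, ciphertext),
        "original": document,
    }


if __name__ == "__main__":
    print(demo())
```
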

Step 3: Encryption

During a ransomware attack, critical data is identified and then encrypted. Encryption disables or locks the victim’s data so that it cannot be accessed without that decryption key.
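
One way a defender can spot the encryption step while it is happening, as an added example that is not part of the original article: encrypted output is statistically close to random, so a process that rewrites several ordinary files into high-entropy data stands out. The event tuples, process names, paths and thresholds below are constructed assumptions.

```python
import math
import os
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumption, tune per environment
MIN_FILES = 3             # assumption: rewrites by one process before alerting


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def flag_mass_encryption(events):
    """events: (process, path, bytes_before, bytes_after) tuples.

    Returns processes that turned at least MIN_FILES low-entropy files into
    high-entropy ones. Files that were already high-entropy (zip, jpeg, ...)
    are ignored to cut false positives from normal rewrites.
    """
    hits = defaultdict(set)
    for process, path, before, after in events:
        was_plain = shannon_entropy(before) < ENTROPY_THRESHOLD
        now_random = shannon_entropy(after) >= ENTROPY_THRESHOLD
        if was_plain and now_random:
            hits[process].add(path)
    return {p: sorted(paths) for p, paths in hits.items() if len(paths) >= MIN_FILES}


def sample_events():
    """Constructed telemetry: os.urandom stands in for encrypted output."""
    text = b"Quarterly report: revenue, costs and headcount by region.\n" * 80
    events = [("proc_a.exe", f"C:/docs/file{i}.docx", text, os.urandom(4096))
              for i in range(4)]
    events.append(("backup.exe", "C:/docs/archive.zip",
                   os.urandom(4096), os.urandom(4096)))   # already compressed
    events.append(("editor.exe", "C:/docs/notes.txt", text, text + b"edit\n"))
    return events


if __name__ == "__main__":
    print(flag_mass_encryption(sample_events()))
```

Entropy alone also fires on legitimate bulk compression or encryption jobs, so in practice it is paired with an allow-list or a second signal such as file renames.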

Encrypted data is often accompanied by “official”-sounding language that claims to come from government agencies but is phony, adding legitimacy to the threat. Unfortunately, these types of threats often dissuade people from reporting ransomware threats to actual governing authorities like the FBI, distorting statistics on ransomware occurrences.

Step 4: Extortion

Once the encryption process is complete, the hacker demands a ransom. Ransom is most often requested in bitcoin in exchange for decryption keys, as cryptocurrency is difficult to trace and easily accessed.

Ransom notes usually include threatening language to pressure victims into paying swiftly. Costs range from hundreds to thousands and even tens of thousands of dollars, depending on the victim.

Entities with the most sensitive data (like medical facilities and law firms) often pay ransom demands quickly. Gaining access to their files and keeping information about the infiltration away from the public is paramount in retaining consumer trust and business reputation.

While some attacks merely hold encrypted data hostage, “double extortion” tactics have also become commonplace. Double extortion involves exfiltrating the data before encryption and threatening to expose it to the public (known as leakware or doxware) or sell it on the dark web, adding pressure to comply.

You should always assume that all sensitive data on a ransomed machine is compromised. This could include payment information, usernames and passwords, social security numbers, and other PII.

Step 5: Recovery

Should you pay the ransom to get decryption keys? It depends. Many believe that paying ransom to cybercriminals only encourages more cybercrime. Plus, there's no guarantee you'll get the promised decryption key in return (you are dealing with criminals, after all).

Here are a few tips for getting your data back:

  • Look for keys online. Decryption keys for some ransomware strains have been found and posted for anyone to use — for free.
  • If you decide to pay, negotiate first. Believe it or not, ransomware victims rarely pay the full ransom amount. Try negotiating first.
  • Ask to have one of your files decrypted first. As previously mentioned, you may not get your data back no matter what. Ask for proof of decryption before paying.
  • File a complaint with the FBI’s Internet Crime Complaint Center (IC3). They can explain options that will help you decide how to proceed.

Many high-profile businesses with sensitive information choose to pay rather than expose their data and admit their systems aren’t secure. Companies can also be fined for losing sensitive data. The bottom line is that every situation is different and should be treated on a case-by-case basis.


While anyone can be victimized by ransomware, there are a few groups that may be especially susceptible to a ransomware attack:

  • SMBs: Surprised? You shouldn’t be. Small to mid-sized organizations often lack the resources to defend themselves against cyberattacks of all kinds.
  • Companies with sensitive data: Healthcare, legal, and government entities often pay ransoms fast, making them favored ransomware targets.
  • Western-based businesses: The United States, UK, and Canada are targeted for ransomware attacks, often based on their data dependencies and deep pockets.

Is your company at risk of a ransomware attack?

Taking measures to prevent a ransomware attack in the first place is always the best course of action. But how do you know where your preparedness stands?

Read more about how to create a Ransomware Incident Response Plan, including the 7 steps that each plan should have. These steps will help assess the preparedness of your organization and plan an appropriate ransomware response, setting the right people, processes, and technologies in place for when (not if) an attack happens.
