12 October 21

The Anatomy of a Ransomware Attack

Posted by INE

With organizations falling victim to cyber attacks each day, it’s more important than ever to have a well-trained team to secure the information you can’t afford to lose. By staying aware of and up to date on what happens at each stage of a ransomware attack, as well as the corresponding remediation tactics, you can better prepare your business and your team.

Stage 1: Campaign

The attacker has determined what method they will use to exploit their target. The largest attacks have come as a result of password reuse, poorly configured services, and supply chain failure. Other common methods include remote exploitation of web servers or the creation of credential-stealing websites.


While the human element of cyber attacks can’t be completely avoided, it can be mitigated. Organization-wide training educates employees on username and password best practices as well as how to identify potentially malicious emails and what to do if they receive them. In addition, you can implement tools designed to remove links from emails while also scanning and removing attachments.

Stage 2: Infection

Once a user's credentials have been stolen and access has been obtained within other areas of an organization, the infection stage begins. During this stage, the ransomware code has been executed but encryption hasn’t taken place.


The best response at this stage involves a SOC team and an EDR solution, such as network monitoring or network security monitoring. This helps identify the delivery of malware or command and control (C2) communication. Multi-factor authentication, source IP confirmation, and trusted devices in combination can also limit the effectiveness of stolen credentials.

Stage 3: Staging

During staging, the ransomware is embedded in your system and connected with the C2 server, allowing hackers to make changes to your system to ensure access is maintained in the event of an interruption. This phase of the attack also allows the cryptographic keys to be passed that will be used to encrypt your organization’s most valuable information.


Using proxy servers and application-layer firewalls can limit the effectiveness of communication to the C2 server, as requests are compared to heuristic models. If it looks like malicious C2 and sounds like malicious C2, it gets blocked and alerts go off, preventing further damage to your organization.
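As an added illustration (not code from the original post), here is one heuristic of the kind a proxy or monitoring pipeline can apply to its logs: timer-driven check-ins to a C2 server tend to arrive at near-constant intervals, while human browsing is bursty. The log format, host names, and thresholds are assumptions constructed for this example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2021, 10, 12, 9, 0, 0)

def _lines(src, host, offsets):
    """Build constructed proxy log lines: '<ISO time> <client IP> <dest host>'."""
    return [f"{(T0 + timedelta(seconds=s)).isoformat()} {src} {host}" for s in offsets]

# Constructed sample: one client checks in roughly every 60 s with small jitter,
# while ordinary browsing from another client arrives in irregular bursts.
SAMPLE_LOG = (
    _lines("10.0.0.5", "cdn-sync.example.net", [0, 61, 119, 180, 242, 300, 359, 421])
    + _lines("10.0.0.7", "news.example.org", [3, 5, 9, 200, 204, 650, 655, 1400])
)

def beacon_candidates(lines, min_requests=6, max_cv=0.1):
    """Return {(client, host): cv} for pairs whose request gaps are near-constant.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests. Thresholds are assumed values; tune them per network.
    """
    seen = defaultdict(list)
    for line in lines:
        ts, src, host = line.split()
        seen[(src, host)].append(datetime.fromisoformat(ts))
    flagged = {}
    for key, stamps in seen.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # all requests in the same second; not a timing pattern
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[key] = round(cv, 3)
    return flagged

if __name__ == "__main__":
    for (src, host), cv in beacon_candidates(SAMPLE_LOG).items():
        print(f"ALERT beacon-like traffic: {src} -> {host} (cv={cv})")
```

Timing regularity is only one signal; in practice it is combined with destination reputation and request size before blocking.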

Stage 4: Scanning

With the C2 server connection made, the malware scans your device and locates files to encrypt. After scanning, the malware will move to your file shares and cloud data. Depending on the number of files available, the scanning stage could take minutes or hours. While this may seem time-consuming, the scanning phase is critical in the attack process, as each file is reviewed for the permission level the compromised user or machine has on it.


Scanning can be mitigated with properly configured Active Directory and secure cloud communication. If this happens to you and you can identify the scanning phase, the best way to prevent further damage is by isolating all trusts from the networks and locking all user accounts.
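One way to identify the scanning phase, shown as an added example that is not part of the original post: watch file-server audit events for a single account touching an unusually large number of distinct files across several shares in a short window. The event format, account names, and thresholds below are constructed assumptions.

```python
from collections import defaultdict, deque

def _burst(account, start, shares, per_share):
    """Constructed events: one account walking every file on several shares."""
    return [(start + i, account, s, f"/{s}/doc{i}_{n}.xlsx")
            for i, s in enumerate(shares) for n in range(per_share)]

# Constructed file-audit events: (epoch_seconds, account, share, path).
EVENTS = _burst("svc-print", 1000, ["finance", "hr", "legal", "eng"], 40) + [
    (900, "alice", "finance", "/finance/q3.xlsx"),
    (1001, "alice", "finance", "/finance/q4.xlsx"),
    (1002, "bob", "eng", "/eng/design.docx"),
    (1500, "alice", "hr", "/hr/handbook.pdf"),
]

def scanning_accounts(events, window=300, min_files=100, min_shares=3):
    """Return {account: details} for accounts enumerating files like a scanner.

    An account is flagged the first time it has touched at least min_files
    distinct files on at least min_shares shares within `window` seconds.
    Thresholds are assumed values; baseline them against normal activity.
    """
    recent = defaultdict(deque)   # per-account sliding window of events
    flagged = {}
    for ts, account, share, path in sorted(events):
        q = recent[account]
        q.append((ts, share, path))
        while q and q[0][0] < ts - window:
            q.popleft()           # drop events older than the window
        if account in flagged:
            continue
        files = {(s, p) for _, s, p in q}
        shares = {s for _, s, _ in q}
        if len(files) >= min_files and len(shares) >= min_shares:
            flagged[account] = {"first_alert": ts, "files": len(files),
                                "shares": sorted(shares)}
    return flagged

if __name__ == "__main__":
    for account, info in scanning_accounts(EVENTS).items():
        print(f"ALERT possible ransomware scan by {account}: {info}")
```

The flagged account and share list tell responders which account to lock and which shares to isolate first.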

Stage 5: Encrypting

Encryption begins once your data has been scanned and inventoried. Your local files are encrypted first and then your network files are copied, encrypted, and uploaded in place of the original file which has now been deleted. Key operating system files are encrypted at the end of the process to avoid accidentally crashing the system and alarming the potential victim.


While there are few techniques to protect against encryption, or prevent and recover from it, keeping backups can minimize the damage suffered from having files encrypted. It’s vital for organizations to isolate backups and require access separate from admin and standard user accounts. Having multiple backups in separate locations adds further protection.

Stage 6: Pay Day

By now, your attacker has taken complete hold of your files and your business-critical information is in their hands. In many instances, attackers resort to double and triple extortion tactics, where they threaten to publicly leak your organization’s data. Sometimes, they even go as far as sending demands to your customers or third-party groups that would be harmed by having information leaked.


You should immediately begin working with the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency to reclaim access to your data. This is also a great time to research cyber security insurance if you haven’t already.

Ransomware attacks can be quick, complex, and devastating. As cyber criminals continue to take advantage of unprepared and unprotected organizations, it’s more important than ever to ensure your team is equipped with the tools needed to secure your data.

INE is proud to offer team-wide and enterprise-wide training to give you those tools as well as peace of mind. From Cyber Security Awareness training and hands-on exercises to advanced team analytics, we have the resources you need to upskill or reskill teams to protect your business.
