How does a Ransomware attack work?

by Eduard Bardají on Nov 27, 2024 11:56:09 AM


Cyberattacks against companies are multiplying year after year, increasingly affecting businesses of all sizes and sectors. One of the most dangerous cyberattacks launched against these companies is ransomware.

A ransomware attack is a cyber threat in which an attacker uses malware to encrypt the files or data of a system or network, demanding a ransom in exchange for the decryption key.


Next, we will look at the steps a ransomware attack follows to infect a company's systems or IT infrastructure.

Steps to launch a ransomware attack

1. Infection vector

Before deploying the malware, the cybercriminal must gain access to the systems of the company they want to attack. This access can be achieved through various methods.

  • Phishing attacks. Phishing is one of the methods cybercriminals use most often to gain unauthorized access to a company's systems. These attacks involve sending fraudulent emails that impersonate a legitimate company or person and ask the recipient to take an action that can end up executing malware inside the company: clicking on a malicious link, downloading an infected file, sharing passwords, disclosing banking details, and so on.


  • Brute force attacks. Another way to fraudulently obtain access credentials for a system is a brute force attack. Cybercriminals try thousands of possible combinations until they find the password that grants them access to the company systems they want to target.

  • Exploit kits. In this case, cybercriminals gain access through known vulnerabilities in the company's software or operating system. This is why it is essential to keep the software on company devices up to date in order to prevent this type of cyberattack.

2. Execution of the payload

Once the malware has entered the system, a payload is activated to initiate the attack. A payload is the part of a malicious program or attack that executes the harmful action or the main objective of the attack. The steps include:

  • Evasion of detection: The ransomware may disable antivirus tools or employ obfuscation techniques (such as packers or encryption of the code itself).

  • Persistence: Entries are created in the system registry or services to ensure that the ransomware survives system reboots.
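
As an added illustration of the persistence step (not code from the original post), the following Python script flags registry writes to common autostart locations in a constructed sample of Sysmon Event ID 13 (registry value set) records. The field names follow Sysmon's RegistryEvent schema; the sample paths, SIDs and process names are invented for the example.

```python
import re

# Classic reboot-survival locations: the Run/RunOnce keys, the Winlogon
# Shell/Userinit values, and the ImagePath of a Windows service (the
# "registry or services" mentioned in step 2).
AUTOSTART_PATTERNS = [
    re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I),
    re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I),
    re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.I),
]

# A freshly dropped payload usually lives in a user-writable directory;
# an autostart entry pointing there (or written from there) rates higher.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)

def classify(event):
    """Classify one Sysmon EID 13 record.

    Returns (severity, reason) for an autostart write, or None otherwise.
    """
    target = event.get("TargetObject", "")
    if not any(p.search(target) for p in AUTOSTART_PATTERNS):
        return None
    details = event.get("Details", "")
    if USER_WRITABLE.search(details) or USER_WRITABLE.search(event.get("Image", "")):
        return ("high", f"autostart entry points to user-writable path: {details}")
    return ("medium", f"autostart entry modified: {target}")

def scan(events):
    """Return (image, severity, reason) for every flagged record, in input order."""
    return [(e["Image"], *c) for e in events if (c := classify(e))]

# Constructed sample records (simplified Sysmon Event ID 13 fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for image, severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {image}: {reason}")
```

A legitimate updater registering itself still produces a medium finding, so in practice the medium tier is best reviewed against an allow-list of known software rather than alerted on directly.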

3. Enumeration and lateral movement

Before encrypting the company's data, the ransomware scans the system and/or network to identify the data worth encrypting. The malware also gathers stored credentials and access keys from the compromised systems.

Finally, the malware spreads laterally to other systems on the network using the SMB (Server Message Block) protocol.

4. Encryption and data exfiltration

One of the main features of a ransomware attack is that, once the cybercriminal has deployed the malware across the system or network, the users who normally access that information can no longer do so.

In modern attacks, in addition to encrypting the data, attackers carry out double extortion:

  • They exfiltrate confidential information before encrypting the files.
  • They threaten to publish the stolen data if the ransom they demand is not paid.

5. Ransom note and communication

Once the malware has taken effect and blocked users of the infected system or network from their data, a ransom note appears with instructions for the victim, including:

  • Ransom amount.

  • Cryptocurrency wallet address (in most cases).

According to the "State of Ransomware 2024" report by Sophos, nearly 60% of the companies surveyed paid the ransom, with an average ransom sum of $3,960,917 USD, more than double the average amount in 2023.

Ransomware attacks represent one of the most damaging threats to companies, causing severe financial and reputational harm.