Skip to content
Skyline IT Management - 2501 Dupont, Edmond, OK 73034 405-594-9282 Mo-Fr 8am - 5pm
Anatomy of a Ransomware Attack

Anatomy of a Ransomware Attack

Ransomware (a combination of the words ransom and malware) is a category of malware that often results in complete downtime. Companies who have been targeted can only regain access after paying a ransom, usually set within a specific timeframe, or completely cleaning their systems of the infection and restoring all data from a recent backup. 

Ransomware attacks are not new; they have existed since the 1980s when payment was sent via postal mail. Cybercriminals nowadays usually expect to be paid in cryptocurrency or with a non-traceable credit card.

One of the most noticeable differences between malware and ransomware is that the moment ransomware completes its task, it alerts the user to its presence. This is because it has already taken the victim’s machine and files hostage. Ransomware executables contain all of the logic needed to take over a computer by itself; hence, it is said that ransomware is highly automated.

To make matters worse, ransomware targets corporations and small businesses alike. Which has an impact on both IT security and business operations. Ransomware encrypts company data, making it unusable, which in many cases will bring a company’s operations to a screeching halt. Employees can’t access things like client records, accounting files, cloud-stored files, and more. 

How Ransomware Affects Businesses

Below are some ways by which ransomware affects businesses:

Prolonged Downtime

According to Statista, the median downtime attributed to ransomware attacks increased from 15 days in 2020 to 22 days in 2021. Downtime in this context refers to any instance in which an organization experienced less than 100 percent productivity or a significant business interruption.

Consider the average recovery rate for a moment. It amounts to more than three weeks of downtime! So, what’s the deal with ransomware recovery taking so long?

Organizations affected by ransomware face two equal but opposite challenges: users must gain access to their data, and IT must investigate the potential cause(s) of an attack. Customers, partners, and employees rely on key organizational resources to perform their job responsibilities which can divert the IT team’s attention away from greater recovery efforts.

Furthermore, many organizations perform their recoveries manually, adding to the disjointed and painful process of recovering valuable data.

Exposed Sensitive Data

Secondly, nearly 80% of ransomware attacks in the first half of 2021 involved the threat of leaking exfiltrated data. Cyber-attackers use data exfiltration to entice companies to pay a ransom by threatening to release stolen sensitive data if the requested ransom is not made. It can be destabilizing to find out your sensitive info can be released within hours if you do not comply with the payment directives.  

The Economic Impact of Ransom Payments

In recent years, many firms sought cyber-insurance protection to reduce ransomware payments, only to discover that their median excess insurance prices jumped by over 100 percent compared to 2020.

Insurance cannot be used as a remedy, especially as insurers reevaluate risk and correct policy benchmarks in response to the upsurge in ransomware attacks. A recent study discovered that insurers have reduced coverage; they have closely examined security controls and studied how businesses protect work-from-home environments. This shows how disturbing it can be for companies and the average entrepreneur to suffer a ransomware attack. 

Suffering downtime due to ransomware can be a nightmare, and mean:

  • Having to bill manually because computers are down
  • Searching through paper records to try to find the information you need
  • Inability to service clients
  • Unable to track billing time
  • Can’t produce customer products on time
  • Losing to competitors who are able to fill orders 
  • Feeling helpless as a business owner because some hacker on the other side of the world brought your business to a standstill

Phases of Ransomware Attacks

A ransomware attack has six stages: campaign, infection, staging, scanning, encrypt, and payment. Knowing these stages allows you to identify, detect, and respond appropriately to a threat.


This is the name given to the approach that an attacker will take when attempting to exploit an environment. Campaigns can feature a variety of methods, including known remote exploits on web servers, weaponizing websites, and the most popular, sending malicious emails.

The most common vector for ransomware attacks is weaponized emails. They try to dupe the reader into downloading the malware embedded in the mail and starting what they hope will be a corporate hostile takeover. From spamming organizations en-masse to operating targeted phishing attacks via email, there is no end to the methods employed by these hackers.


Malicious code has been deployed at this point. Although the data may have escaped decryption, ransomware would have spread throughout the system.


Staging occurs when ransomware embeds itself in a system through subtle changes that allow it to persist. The ransomware has also started communicating with the command and control (C2) server.


Now that the ransomware has established itself and is prepared to persist in the face of shutdowns or reboots, it is ready to encrypt files. To accomplish this, the Ransomware scans both the local and network-accessible systems for a predefined list of file types. The ransomware scans and maps the locations of those files, both locally and on network-accessible systems. Many ransomware also exploit cloud file storage systems like Drive, Box, and others.

The scanning phase gives security analysts the first chance to break the Ransomware Kill Chain. As scanning synced cloud folders and local machines take seconds, mapping out an extensive corporate network, investigating the results of the scan, checking for read and write permissions, and so on can take minutes to hours depending on the amount of information to be assessed.


After the malware has finished analyzing and inventorying required files, it begins encryption, starting with local files, which are encrypted almost immediately. The malware then begins encrypting shared network files. Data from the network is copied to local drives, encrypted, and then uploaded back to the cloud to replace original documents.


The attacker has now spread the ransom note throughout the compromised areas of the environment. The ransom note includes the payment demand and information. Meanwhile, the attacker sits idle, waiting for their illicit gains in exchange for the decryption key.

Looking For Quality Ransomware Protection Solutions? 

Business IT security requires a layered and managed approach. We deploy best-practice solutions so that our clients are properly positioned against today’s threats. Get our free Small Business IT Checklist to make sure you are doing everything you should be to keep your business technology running smoothly and securely.