Reading time: ~8 minutes | Difficulty: Beginner–Intermediate
Ransomware attacks cost businesses over $20 billion globally in 2024. But what actually happens during an attack? Understanding the kill chain — every step from initial access to ransom demand — is the first step to defending against it.
This article breaks down a real ransomware intrusion into plain English. No fluff, no vendor marketing. Just how it actually works.
The 7 Stages of a Ransomware Attack
Stage 1: Initial Access — How Attackers Get In
Every ransomware incident starts with an entry point. The most common methods in 2025–2026:
- Phishing emails — A malicious attachment or link arrives in an employee’s inbox. One click downloads a loader (a small program whose only job is to download the real malware). Example: a fake invoice PDF that actually runs a macro.
- Exposed RDP (Remote Desktop Protocol) — Many SMBs expose Windows RDP to the internet on port 3389. Attackers scan the entire internet for this port (it takes minutes), then brute-force weak passwords.
- VPN vulnerabilities — Unpatched VPN appliances (Fortinet, Pulse Secure, Cisco) are gold for ransomware groups. CVE-2024-21762 in FortiOS, for example, was actively exploited in the wild weeks after disclosure.
- Compromised credentials — Passwords stolen from data breaches (LinkedIn, Dropbox, etc.) are sold on dark web markets and tried against business VPNs and email portals.
Stage 2: Execution — Running the First Payload
Once inside, the attacker’s initial foothold is usually a small, stealthy piece of malware called a dropper or loader. Common loaders used by ransomware groups include IcedID, Emotet (yes, it’s back), and QakBot. These loaders establish persistence and then download the main attack tools.
Common execution methods:
- PowerShell commands run directly from the phishing macro
- Malicious DLLs loaded via legitimate Windows processes (DLL sideloading)
- WMI (Windows Management Instrumentation) for fileless execution
```powershell
# Example of a PowerShell loader command found in real incident logs
# (indicators redacted; shown for educational purposes only):
powershell.exe -nop -w hidden -enc [Base64 encoded command]
# -enc passes the command as Base64, which evades simple string detection
# -nop = no profile, -w hidden = hidden window
```
Stage 3: Persistence — Making Sure They Stay
Attackers don’t want to be a one-time visitor. They establish persistence so that even if the machine reboots, they maintain access. Common techniques:
- Registry Run keys — Adding entries to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` makes the malware start on every boot.
- Scheduled Tasks — A task set to run every 15 minutes or at login.
- Services — Registering as a Windows service for automatic startup.
- WMI Event Subscriptions — A more advanced technique that’s harder to detect.
Stage 4: Privilege Escalation — Becoming Administrator
If the initial access was through a regular user account, the attacker now needs admin/domain admin privileges to spread and deploy ransomware across the network. Typical escalation methods:
- Mimikatz — The legendary credential dumping tool. Extracts plaintext passwords and NTLM hashes from Windows memory (LSASS process).
- Pass-the-Hash / Pass-the-Ticket — Using stolen Kerberos tickets or NTLM hashes without needing the actual password.
- Unpatched local privilege escalation vulnerabilities — CVEs in Windows components allow jumping from user to SYSTEM.
- Token impersonation — Using another user’s security token already active on the machine.
Stage 5: Lateral Movement — Spreading Through the Network
With admin credentials, the attacker now moves from machine to machine. Their goal: reach the domain controller, file servers, and backup systems. Common tools:
- Cobalt Strike — A commercial red team tool widely used (and cracked) by ransomware groups. Provides a beacon that allows remote command execution across the network.
- PsExec — A legitimate Microsoft Sysinternals tool used to run processes on remote systems. Extensively abused.
- SMB (Windows file sharing) — Used to spread to connected shares.
- WMI / WinRM — Remote management protocols used for stealthy movement.
This stage is where the damage becomes catastrophic. An attacker who has lateral movement across your entire network can encrypt everything simultaneously.
Stage 6: Data Exfiltration — The Double Extortion Threat
Modern ransomware groups don’t just encrypt your files — they steal them first. This is called double extortion. If you have backups, they threaten to publish your sensitive data publicly (on “leak sites” on the dark web) unless you pay.
Data typically targeted for theft:
- Customer PII (names, emails, credit cards, medical records)
- Financial records and contracts
- HR and payroll data
- Intellectual property
- Email archives
Data is exfiltrated via legitimate tools and services to evade detection: Rclone (syncing to cloud storage), MEGAsync, or even direct SFTP to attacker-controlled servers.
Stage 7: Ransomware Deployment — The Final Blow
After the attacker has stolen everything valuable, they deploy the ransomware simultaneously across all infected systems. A few things happen:
- Volume Shadow Copy deletion — Windows backup snapshots are deleted first: `vssadmin.exe delete shadows /all /quiet`
- Backup software termination — Veeam, Backup Exec, and similar processes are killed
- File encryption — Files are encrypted with a strong symmetric key, often AES-256
- Ransom note dropped — A text file with payment instructions is dropped in every folder
- Desktop wallpaper changed — So the victim immediately knows what happened
What Good Defenses Look Like
Understanding the attack chain tells you exactly where to break it. You don’t need to stop every stage — stopping any single stage prevents the attack from succeeding.
| Stage | Defense |
|---|---|
| Initial Access | MFA on all remote access, phishing training, patch VPNs within 24h |
| Execution | Disable Office macros, enable Attack Surface Reduction rules |
| Persistence | Monitor registry Run keys and scheduled tasks (Wazuh/Sysmon) |
| Privilege Escalation | Enable Credential Guard, use LAPS for local admin passwords |
| Lateral Movement | Network segmentation, disable SMBv1, restrict PsExec |
| Data Exfiltration | DLP solutions, monitor outbound traffic anomalies |
| Ransomware | Offline backups (3-2-1 rule), EDR with behavioral detection |
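The Execution, Persistence and Ransomware rows of the table come down to watching process-creation telemetry for the behaviours described in Stages 2, 3 and 7. The script below is an added example (not from the original article or any vendor product) that triages constructed Sysmon-style events: it decodes an encoded PowerShell command line, flags `vssadmin` shadow deletion, and flags a Run key written from the command line. The event field names, the sample events and the harmless `Write-Host` payload are all assumptions constructed for the demo.

```python
"""Triage constructed process-creation events for the kill-chain stages above."""
import base64
import re
from typing import Optional

# powershell.exe accepts -EncodedCommand abbreviated as -e, -ec or -enc.
ENC_FLAG = re.compile(r"(?i)(?<!\S)-e(?:c|nc|ncodedcommand)?(?!\S)")
HIDDEN_WINDOW = re.compile(r"(?i)(?<!\S)-w(?:indowstyle)?\s+hidden(?!\S)")
RUN_KEY = r"software\microsoft\windows\currentversion\run"

# Constructed sample events (not from a real incident); the field names are an
# assumption, simplified from Sysmon Event ID 1. The encoded payload is a harmless
# Write-Host so the decoder has something to reveal.
DEMO_SCRIPT = "Write-Host 'demo'"
SAMPLE_EVENTS = [
    {"image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode(DEMO_SCRIPT.encode("utf-16-le")).decode()},
    {"image": "vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"image": "reg.exe",
     "cmdline": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
                r" /v Updater /t REG_SZ /d C:\Users\demo\AppData\Local\u.exe"},
    {"image": "explorer.exe", "cmdline": "explorer.exe"},
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode the Base64 (UTF-16LE) script passed to -enc; None if absent or malformed."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if ENC_FLAG.fullmatch(flag):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(event: dict) -> list[str]:
    """Return one finding per kill-chain behaviour the event matches."""
    cmd, low, findings = event["cmdline"], event["cmdline"].lower(), []
    if "powershell" in low and ENC_FLAG.search(cmd):
        hidden = " (hidden window)" if HIDDEN_WINDOW.search(cmd) else ""
        findings.append(f"Stage 2 execution: encoded PowerShell{hidden}; "
                        f"decoded: {decode_encoded_command(cmd)!r}")
    if low.startswith("vssadmin") and "delete" in low and "shadows" in low:
        findings.append("Stage 7 pre-encryption: shadow copy deletion via vssadmin")
    if low.startswith("reg") and " add " in low and RUN_KEY in low:
        findings.append("Stage 3 persistence: Run key written from the command line")
    return findings


def triage_all(events: list[dict]) -> dict[str, list[str]]:
    """Map each image name to its findings, dropping events that match nothing."""
    return {e["image"]: f for e in events if (f := triage(e))}
```

Decoding the `-enc` payload matters because a hidden, encoded PowerShell launch is the page's Stage 2 indicator, and analysts need the plaintext to decide whether it is a loader or a legitimate admin script.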
Key Takeaways
- Ransomware is a process, not a single event. There are multiple stages where you can intervene.
- Initial access almost always involves human error (phishing, weak passwords) or unpatched systems.
- Modern groups steal data before encrypting — so “I have backups” isn’t enough protection anymore.
- MFA on remote access alone would prevent the majority of ransomware incidents at SMBs.
Next Steps: Read our Ransomware Recovery Playbook for Small Business and our guide on setting up free ransomware detection with Wazuh.