Anatomy of a Ransomware Attack

By Stephan Schenk



Ransomware has been around for a few years now, stealthily finding victims and announcing its presence with ransom notes that demand payment for the return of data. It has evolved from individual threat actors haunting organizations to a full-fledged service model, Ransomware as a Service (RaaS), which targets organizations worldwide indiscriminately.

The threat of a ransomware attack has evolved to maximize criminal profitability by targeting industries that are most critical and provide invaluable services in times of need, such as hospitals, and attempting to exploit their vulnerabilities for monetary gain regardless of the human impact.

Stages of a Ransomware Attack

There are six primary stages to a ransomware attack (campaign, infection, staging, scan, encrypt, payday). Understanding these stages helps you identify, detect, and take action on the threat.

Campaign

This is the method the attacker uses to attempt to exploit an environment. There are many methods they can utilize, such as known remote exploits against web servers, weaponized websites, or, the most popular method, sending malicious emails.

By far, weaponized emails are the go-to for ransomware attacks. They attempt to trick the reader into downloading the malware and initiating what the attacker hopes will be a corporate takeover. Attackers have evolved their emails from mass spamming of organizations to targeted social engineering phishing attacks.

Infection

This is the stage at which the malicious code has been executed. It is the official point at which the ransomware has taken hold of a system; however, the data has yet to be encrypted.

Staging

At this point in the attack chain, the ransomware has embedded itself into the system by making various changes to achieve persistence and has begun communicating with the Command and Control (C2) server, which holds the encryption key.

Scan

This is the point where the malware begins to scan the infected host to find files to encrypt. Once that is complete, it looks for file shares and data stored in the cloud. It evaluates the level of permissions the compromised user or machine has on that data, such as read, write, or delete.

Encrypt

When the malware has completed its analysis and inventory, it initiates the encryption process. Local files are encrypted almost immediately, then the malware moves to the network shares. The network data is copied locally, encrypted, and then uploaded back to the share, replacing the original document.

Pay Day

At this point, the attacker has deposited the ransom note throughout the compromised portions of the environment. The ransom note contains the payment demand as well as payment details; payment is usually demanded in bitcoin. Some variants apply a penalty model to their ransom, where the price increases as more time elapses. All the while, the attacker waits idly by to receive their ill-gotten gains in exchange for the decryption key.

Detecting Ransomware

Since a ransomware attack occurs on many different fronts, a comprehensive defense-in-depth strategy is required. The attack vectors specifically target email, vulnerabilities, networks, and endpoints. As such, organizations need to invest in the technologies and programs needed to keep those fronts secure, in addition to the traditional anti-virus software requirements.


As we discussed, the vast majority of ransomware attacks begin with email, either spam or targeted social engineering. To defend against that delivery vector, organizations need to invest in a Secure Email Gateway (SEG). A SEG monitors emails being sent and received and is designed to prevent unwanted or malicious emails from being delivered. SEGs can typically identify spam, phishing, malware, and even fraudulent content.

Vulnerability Management

Vulnerability management (VM) is a key program for reducing risk within an organization's Information Technology solutions. VM scanners identify known vulnerabilities in technologies and apply a criticality rating. For example, a scanner can detect an unpatched application with a remote code execution vulnerability residing on an internet-facing server. Such a vulnerable application would be a highly desirable target for malicious actors. Being able to identify and mitigate vulnerabilities is critical to hardening your environment.

Endpoint Monitoring

All devices that are online within the network should be monitored for suspicious or malicious activity. This can range from changes that occur on the device itself, to who authenticated on the device, to what was accessed. Newer technologies, such as Endpoint Detection & Response (EDR), have been developed to explicitly monitor these devices and the activities that occur within them.

Network Monitoring

Network monitoring is a key component of a healthy infrastructure. By performing it, an organization can see issues as they arise, allowing the appropriate teams to be engaged to stave off catastrophe. Additional benefits include identifying devices that are being impacted by resource constraints, or segments of the network that are congested and therefore causing latency.

With all of the technology and security tools used in an organization, a wealth of data is generated. This data needs to be aggregated and consolidated into a single pane of glass. It is too difficult for an administrator or security associate to log in to numerous applications to monitor and respond. This is where a Security Information & Event Management (SIEM) solution comes in. Aggregating all of the aforementioned data into a single source allows administrators and security professionals to monitor all applications and systems simultaneously, and to quickly identify and respond to threats as they arise. An attack can be traced across multiple technologies quickly, which enables the technology teams to mitigate it far faster.

The Deepwatch Difference

Deepwatch Managed Detection and Response gives you the ability to ingest all of your data, whether it be network, application, endpoint, email, etc., into Splunk, a best-in-breed SIEM. That data is enriched with our threat intelligence and then analyzed with our proprietary detections to identify malicious activity as it occurs. In addition, we apply behavioral analytics to aid in detecting unusual activity within your environment.

Our vulnerability management solution and unique methodology ensure that you are apprised of the latest technology risks that your organization faces. We will collaborate with you to provide patch management advice and prioritization to stop threat actors from breaching networks or laterally moving within them.

With Deepwatch Endpoint Detection and Response and Firewall Management solutions, you can have the firewall protection you need to defend against ransomware at the endpoint. Our service detects and blocks attacks, even from the most complex threat actors who utilize diverse and sophisticated TTPs. We manage all aspects of the platforms, including administration, threat intelligence and detection, customized policy management, and vendor support coordination.

When you combine these world-class Managed Security Services, you get the full spectrum of services to identify and understand your risks, like ransomware, plus harden your environment, enrich your data with intelligence, patch vulnerabilities, and detect and respond to the threats you will encounter.

