How Do Ransomware Attacks Work?
A typical ransomware attack happens in four phases.
1. Delivery
The first phase, delivery, is usually carried out by a phishing email designed to entice a user to open it. The email often appears to be from a trusted source, such as a well-known brand. Shipping companies, banks, and large retailers are commonly “spoofed” in phishing emails with messages about a delay in delivery, fraudulent purchases, low balances, and so on.
These emails are designed to look like they’re from familiar senders, but they carry malicious attachments such as PDFs, or links to files hosted on services such as Google Drive. These files contain malware loaders that, once the file is opened, drop the malicious content onto the victim’s system and set up the attack.
2. Exploitation
In the next phase, exploitation, the attack spreads once the malware has been loaded. This phase typically begins when the recipient opens the email attachment, which delivers the malware to the device.
If the infected device is on a network, the malware identifies the domain controller with which the device is communicating. Once it has done so, it harvests credentials that allow it to move laterally through the network and infect other devices.
3. Callback
In the callback phase, the malware payload attempts to communicate with its command-and-control (C2) servers, to which the stolen data is also sent.
4. Detonation
The C2 servers then send the payload instructions on how to carry out the final phase: detonation. During this phase, the malware steals data and installs the ransomware, encrypting and locking the system or data so an individual or company can’t access it. The victim typically has a limited amount of time to pay the ransom before the data is lost forever, and sometimes, the ransom demands increase in the hours before the payment is due.
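Mass encryption during the detonation phase leaves a recognisable footprint in file-system telemetry. The following Python detector is an added example, not code from the original article: it parses a constructed rename-event log (the log format, process names and paths are all assumed) and alerts when a single process swaps the extensions of many files within a sliding time window.

```python
"""Detonation-phase heuristic over constructed file-event logs (added example).
Encryption shows up as a burst of renames from one process that swap a familiar
extension for an unfamiliar one; flag a process that does this too often."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os
import re

WINDOW = timedelta(seconds=60)   # sliding window length
RENAME_THRESHOLD = 5             # extension-changing renames per window before alerting

# Constructed log format: "<iso-timestamp> pid=<n> proc=<name> RENAME <old> -> <new>"
LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
                     r"RENAME (?P<old>\S+) -> (?P<new>\S+)$")
def parse_line(line):
    """Parse one constructed log line into a dict; None when it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "pid": int(d["pid"]),
            "proc": d["proc"], "old": d["old"], "new": d["new"]}

def extension_changed(old, new):
    """True when the rename changes the extension (doc.docx -> doc.docx.locked)."""
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()

def detect_encryption_bursts(lines, window=WINDOW, threshold=RENAME_THRESHOLD):
    """Return {(pid, proc): time of first alert} for processes exceeding the threshold."""
    recent = defaultdict(deque)  # (pid, proc) -> timestamps of extension-changing renames
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not extension_changed(ev["old"], ev["new"]):
            continue  # unparseable line, or a plain rename that keeps its extension
        key = (ev["pid"], ev["proc"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ev["ts"]
    return alerts
# Constructed sample: one benign rename by explorer.exe, then a burst from "updater.exe".
SAMPLE_LOG = ["2024-05-01T10:00:00 pid=1200 proc=explorer.exe RENAME "
              "C:/Users/a/draft.txt -> C:/Users/a/final.txt"] + [
    f"2024-05-01T10:00:{i:02d} pid=4312 proc=updater.exe RENAME "
    f"C:/Users/a/doc{i}.docx -> C:/Users/a/doc{i}.docx.locked" for i in range(1, 7)]

if __name__ == "__main__":
    for (pid, proc), when in detect_encryption_bursts(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} pid={pid} proc={proc}: possible mass encryption")
```

Real deployments feed this from an EDR or file-audit source and tune the threshold against baseline activity so that backup and archiving tools do not trip it.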
If the ransom is paid, victims are supposed to receive a decryption key that lets them recover their data, but they don’t always get the key, and even when they do, it doesn’t always work.
In recent attacks, some criminals have begun stealing the data before encrypting it, and then threatening to expose it. This way, even if victims have good backups, they're more likely to pay the ransom.