Ransomware is a continually evolving form of malware that represents an active and expansive cyber security threat. In 2021, 37% of businesses and organizations experienced ransomware attacks. Businesses lose billions to ransomware every year.

Hackers now use the Ransomware-as-a-Service (RaaS) model to target as many organizations as possible. Motives largely circle around criminal profitability and intellectual property theft. In some instances, little regard is given to the type of organization hit with ransomware; hospitals, and other essential organizations have felt the human impact.

An inside look at how a ransomware attack works can help business and information security leaders identify prevention strategies, mitigate risks, maintain assets, avoid data leaks, and steer clear of law suits.

In 6 stages, anatomy of a ransomware attack 

Ransomware attacks typically consist of six individual stages (campaign, infection, staging, scanning, encryption, and remuneration).


Ransomware attacks start with a campaign. The word “campaign” refers to the method that a hacker uses to deliver an attack. Many attack delivery options exist, from remote exploits on web servers, to the weaponization of websites, to simply sending malicious emails.

Broadly speaking, weaponized emails represent a key strategy for ransomware attackers. Such emails aim to convince or coerce readers to download malware and to unwittingly initiate a ransomware attack. These email campaigns have evolved from mass-spamming efforts to highly targeted social engineering initiatives.


At this stage, malicious code has been deployed. Ransomware will have spread across a system, although the data might have eluded decryption.


Staging occurs when the ransomware embeds itself into a system by making subtle changes that allow it to achieve persistence. At this point, the ransomware has also begun communicating with the command and control (C2) server, which maintains the encryption key.


Scanning occurs when the malware begins to scan the affected network in order to identify files to encrypt. Upon completion, the malware searches for file shares and data stored in the cloud. Permissions levels will dictate precisely what happens next.


After the malware completes its analysis and inventory, it initiates an encryption process. Local files receive near-immediate encryption. Then, the malware moves to shared files on the network. Data on the network is copied locally, encrypted, then uploaded back to the share so that it replaces the original document.


In order to collect payment, hackers commonly send a ransom note to network owners’ devices. The ransom note explains how to pay the ransom and payment details (Bitcoin, or other special requests). In some instances, hackers put network administrators on a clock by increasing the price of the ransom as time elapses. Some of the most sophisticated of cyber criminals even offer “customer service” lines for their victims. Hackers may or may not provide the ransomware decryption key in exchange for payment.


The anatomy of a ransomware attack is complex. Understanding it can help your organization prevent intrusions. Furthermore, be sure to provide employees with cyber security awareness training, ensure that your organization maintains usable backups of all critical data, test your backups regularly, apply patches as needed and in a timely manner, and deploy proven, effective threat detection tools.

Lastly, for more information about preventing ransomware attacks, read our ransomware e-book.