How Ransomware Actually Works: A Step-by-Step Breakdown
In May 2021, a ransomware group called DarkSide shut down the Colonial Pipeline — the largest fuel pipeline in the United States. Fuel shortages cascaded across the East Coast. Gas stations ran dry. The company paid $4.4 million in Bitcoin to get their systems back.
The attack wasn't science fiction. It wasn't a sophisticated nation-state operation with unlimited resources. It was a ransomware-as-a-service affiliate who bought access to the network from a criminal broker, used a compromised VPN password, and executed a well-documented playbook.
Understanding how ransomware works is not morbid curiosity — it's the foundation of knowing how to defend against it. The practitioners who design backup strategies, incident response plans, and detection logic need to understand exactly what ransomware does, in what sequence, and why each step exists.

The Misconception That Creates the Biggest Blind Spot
Most people think of ransomware as a simple equation: malware encrypts files, attacker demands payment, victim pays or loses data.
This model was accurate in 2016. It describes a tiny fraction of modern ransomware attacks.
What modern ransomware actually involves:
Contemporary ransomware operations are multi-stage, human-operated campaigns that look nothing like automated malware running a file encryption loop. They involve:
- Initial access brokers who sell network entry to ransomware affiliates
- Days or weeks of attacker presence before any encryption occurs
- Exfiltration of sensitive data before encryption (creating a second leverage point)
- Manual reconnaissance to find the highest-value targets within the network
- Deliberate sabotage of backup infrastructure before triggering encryption
The encryption event that organizations notice — the moment when files become inaccessible and ransom notes appear — is the last step in a process that has been running for days or weeks. By the time the encryption triggers, the attacker has already won in several important ways.
The question is no longer "how do I prevent ransomware from encrypting my files" — it's "how do I detect the attacker in the network before they reach the encryption stage."
Step 1: Initial Access — How Attackers Get In
The first step in any ransomware attack is gaining an initial foothold. Modern ransomware groups rarely exploit zero-days — they use the same initial access methods that all financially-motivated attackers use.
The Colonial Pipeline method: Compromised credentials
The Colonial Pipeline attack began with a single compromised VPN password for a legacy account. The credential was likely obtained from a previous breach of a different service where the same password was reused, then sold on a criminal credential marketplace.
This is the most common initial access vector for ransomware: compromised credentials for remote access services — VPN, RDP, Citrix, or cloud management consoles — purchased from initial access brokers who specialize in acquiring and selling network entry.
The second most common: Phishing
A targeted phishing email delivers a malicious attachment or link. The payload executes when the employee interacts with it, establishing a C2 (command and control) connection. Most phishing payloads in modern ransomware campaigns don't immediately encrypt anything — they establish a foothold and go quiet while the human operator takes over.
The third most common: Exploiting public-facing services
Unpatched vulnerabilities in internet-facing services — VPN appliances, Exchange servers, web application frameworks — provide direct access without any user interaction. The Exchange Server vulnerabilities exploited by Hafnium in 2021 were picked up by multiple ransomware affiliates within days of the vulnerability disclosure.
What defenders should understand:
The initial access event is often invisible without specific detection. A VPN login with a valid credential from an unusual geographic location may generate a low-priority alert or no alert at all. Detection requires correlation: valid credential + unusual location + unusual time + no prior history of access from this location = high-confidence anomaly.
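One way to implement that correlation, as an added example that is not from the original article: a Python script that replays a constructed VPN authentication log and scores each successful login against the user's own prior history. The log format, the 06:00-19:59 UTC business-hours window and the three-signal confidence scale are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample VPN authentication log (not real data); one login per line.
VPN_LOG = """\
2021-04-20T09:02:11Z user=jdoe src_ip=198.51.100.10 geo=US result=success
2021-04-21T08:55:40Z user=jdoe src_ip=198.51.100.10 geo=US result=success
2021-04-22T14:10:03Z user=legacy_vpn src_ip=198.51.100.22 geo=US result=success
2021-04-23T17:40:12Z user=jdoe src_ip=198.51.100.10 geo=US result=success
2021-04-29T03:12:44Z user=legacy_vpn src_ip=203.0.113.77 geo=RO result=success
2021-04-29T03:13:01Z user=jdoe src_ip=203.0.113.77 geo=RO result=failure
"""

BUSINESS_HOURS = range(6, 20)  # assumption: 06:00-19:59 UTC is the normal working window


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a parsed UTC timestamp."""
    ts_str, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def find_anomalous_logins(log_text: str) -> list:
    """Replay the log in order; score each successful login against that user's prior successes."""
    baseline = defaultdict(lambda: {"geo": set(), "ip": set()})  # per-user history
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] != "success":
            continue  # the signal is a *valid* credential; failures never extend the baseline
        hist = baseline[rec["user"]]
        if hist["geo"]:  # cold start: a user's first successful login has nothing to compare against
            signals = []
            if rec["geo"] not in hist["geo"]:
                signals.append("new_geo")
            if rec["src_ip"] not in hist["ip"]:
                signals.append("new_src_ip")
            if rec["ts"].hour not in BUSINESS_HOURS:
                signals.append("off_hours")
            if signals:
                level = {3: "high", 2: "medium"}.get(len(signals), "low")
                findings.append({"user": rec["user"], "ts": rec["ts"].isoformat(),
                                 "signals": signals, "confidence": level})
        hist["geo"].add(rec["geo"])
        hist["ip"].add(rec["src_ip"])
    return findings
```

On the sample log only the legacy account's 03:12 login from a new country and a new address is scored "high"; the same source address failing against a second account seconds later is the kind of adjacent event a real pipeline would join to it.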
Step 2: Establishing Persistence and Command & Control
Once an attacker has initial access, their first priority is ensuring they can maintain that access even if the initial entry point is closed.
What persistence looks like in a real attack:
After using a compromised VPN credential to access a small regional hospital's network, the attacker's first actions are:
- Download and execute a C2 implant — a malicious program that connects outbound to the attacker's server
- Create a scheduled task that re-launches the implant if it's terminated
- Add a registry run key so the implant launches on system reboot
- Create a new local administrator account as a backup access method
Each of these creates redundancy. If IT discovers and removes the implant, the scheduled task relaunches it. If they find the scheduled task, the registry key is still there.
The C2 communication design:
Modern C2 implants communicate over port 443 (HTTPS) to domains that look like legitimate services. Some use legitimate cloud infrastructure — Dropbox, Google Drive, or GitHub — as C2 channels, because traffic to these services is typically allowed and not deeply inspected.
The implant "beacons" on a schedule — checking in every few minutes or hours — rather than maintaining a continuous connection. This reduces the network signature and makes traffic pattern detection harder.
An attacker who has established persistence has a stable operational base. They're not in a hurry. Modern ransomware actors often maintain presence in a network for weeks before triggering the final destructive phase.
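The scheduled beaconing described above can be surfaced from ordinary proxy logs. This is an added example, not code from the original article: it groups requests by source and destination, then flags pairs whose inter-request timing and request size are both unusually regular. The log format, the hostnames and the thresholds are constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real data): "timestamp src_ip dest_host bytes_sent"
PROXY_LOG = """\
2021-04-30T10:00:00Z 10.0.0.5 cdn-updates.example 412
2021-04-30T10:00:10Z 10.0.0.5 news.example 58231
2021-04-30T10:04:58Z 10.0.0.5 cdn-updates.example 409
2021-04-30T10:07:41Z 10.0.0.5 news.example 120442
2021-04-30T10:10:03Z 10.0.0.5 cdn-updates.example 415
2021-04-30T10:15:01Z 10.0.0.5 cdn-updates.example 411
2021-04-30T10:19:59Z 10.0.0.5 cdn-updates.example 410
2021-04-30T10:22:17Z 10.0.0.5 news.example 73118
2021-04-30T10:25:02Z 10.0.0.5 cdn-updates.example 413
2021-04-30T10:47:05Z 10.0.0.5 news.example 66211
"""


def coefficient_of_variation(values):
    """Spread relative to the mean; near 0 means the values are almost identical."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def find_beacons(log_text: str, min_events: int = 4, max_cv: float = 0.15) -> list:
    """Flag (src, dst) pairs whose request timing AND request size are both suspiciously regular."""
    series = defaultdict(list)  # (src, dst) -> [(timestamp, bytes), ...]
    for line in log_text.splitlines():
        ts_str, src, dst, nbytes = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        series[(src, dst)].append((ts, int(nbytes)))
    findings = []
    for (src, dst), events in series.items():
        if len(events) < min_events:
            continue  # too few samples to say anything about periodicity
        events.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation(sizes)
        if interval_cv <= max_cv and size_cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(events),
                             "mean_interval_s": round(statistics.mean(intervals), 1),
                             "interval_cv": round(interval_cv, 3), "size_cv": round(size_cv, 3)})
    return findings
```

Implants with a jittered check-in interval show a higher timing CV, so treat the thresholds as tunable and the output as a triage lead; legitimate update and telemetry agents are periodic too and belong on an allow-list.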
Step 3: Reconnaissance and Lateral Movement
With a stable foothold established, the attacker's next objective is understanding the network and expanding access to reach higher-value systems.
What reconnaissance looks like:
A ransomware affiliate who has access to a single employee workstation at a manufacturing company runs BloodHound — an Active Directory enumeration tool that maps attack paths to domain administrator. It visualizes the relationship graph: which users have local admin on which machines, which service accounts have elevated privileges, which systems have unconstrained delegation.
Within minutes of running BloodHound, the attacker has a prioritized map of attack paths from their current position to domain administrator.
Common lateral movement techniques:
Pass-the-Hash: Windows stores credential hashes in memory. If an attacker can dump the credential hash from one system, they can use it to authenticate to other systems without knowing the actual password. Mimikatz is the tool most commonly used for this purpose.
Kerberoasting: Service accounts in Active Directory have Service Principal Names (SPNs). An attacker can request Kerberos tickets for these accounts and attempt to crack the password offline. Service accounts often have weak passwords set years ago that haven't been changed.
RDP with obtained credentials: Once an attacker has valid credentials, they use Remote Desktop Protocol to interactively access target systems. RDP sessions look like legitimate IT administration — distinguishing malicious RDP from legitimate management traffic requires context.
What the attacker is specifically looking for:
- File servers with large volumes of business data — these are encryption targets
- Backup systems — these are destruction targets
- Domain controllers — compromise here gives control over the entire Windows domain
- Management systems like SCCM or Ansible — these can push ransomware to all managed endpoints simultaneously
- Finance and executive systems — these contain the data most useful for double-extortion
Step 4: Exfiltration — The Second Leverage Point
Before encrypting anything, modern ransomware groups exfiltrate a copy of the most sensitive data in the organization. This creates double extortion: pay the ransom to decrypt your files AND pay to prevent the data from being published on a dark web leak site.
Why this changes the calculus for victims:
Before double extortion became standard (around 2019-2020), organizations that had good backups could theoretically refuse to pay — restore from backups, rebuild the environment, accept the operational disruption. Expensive and painful, but no ransom payment.
Double extortion eliminates this calculus. Even if backups are perfect and recovery is fast, refusing to pay means customer records, employee data, financial information, or intellectual property is published online.
What exfiltration looks like in practice:
The attacker uses legitimate tools like Robocopy, 7-Zip, and Rclone — tools that are typically allowed on corporate networks and don't trigger antivirus — to stage and compress the data before transferring it to an attacker-controlled cloud storage bucket.
Rclone, in particular, is a tool designed for syncing files to cloud storage. Attackers configure it to sync to their own Mega.nz or Dropbox account. The traffic looks like legitimate cloud storage synchronization.
A well-resourced attacker can exfiltrate terabytes of data over days using legitimate transfer tools over allowed ports. By the time encryption triggers, the data is already sitting on the attacker's infrastructure.
Step 5: Backup Destruction — Eliminating the Recovery Path
Before triggering encryption, sophisticated ransomware operators deliberately destroy or disable backup infrastructure. This is one of the most operationally damaging steps in the attack.
What backup destruction looks like:
Shadow copy deletion: Windows Volume Shadow Copy Service maintains automatic snapshots. The command vssadmin delete shadows /all /quiet deletes all shadow copies. This takes seconds and eliminates the built-in Windows recovery mechanism.
Backup agent disabling: Enterprise backup solutions (Veeam, Commvault, Backup Exec) run as services. Ransomware operators identify and stop these services, preventing backup jobs from running during the attack window.
Backup server targeting: If the backup server itself is compromised — which it often is after domain administrator access is obtained — the attacker can delete the backup catalog, corrupt the backup data, or encrypt the backup server along with everything else.
Network-attached storage targeting: NAS devices mapped as network drives are encrypted along with the rest of the network.
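Shadow copy deletion and backup service stops both show up in process-creation telemetry. As an added example that is not from the original article, here is detection logic run over constructed process events: it flags vssadmin shadow deletion and stop commands aimed at services whose names carry one of the backup vendors named above. The event shape, hostnames and service names are constructed for the example.

```python
import re

# Constructed process-creation events (not real telemetry), in the shape a Sysmon EID 1
# or Security 4688 feed would give; the service names are made up for the example.
EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS17", "user": "CORP\\jdoe", "cmdline": "vssadmin list shadows"},
    {"host": "BK01", "user": "CORP\\admin", "cmdline": "net stop VeeamBackupSvc"},
    {"host": "BK01", "user": "CORP\\admin", "cmdline": "sc stop Spooler"},
    {"host": "BK02", "user": "CORP\\admin", "cmdline": 'powershell -c "Stop-Service -Name CommvaultSvc"'},
]

# Backup vendors named in the article; matched case-insensitively against the stopped service.
BACKUP_VENDOR_KEYWORDS = ("veeam", "commvault", "backupexec")

SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
# Captures the service name from "net stop X", "sc stop X" and "Stop-Service [-Name] X".
SERVICE_STOP = re.compile(
    r'(?:\b(?:net1?|sc)(?:\.exe)?\s+stop\s+|\bstop-service\s+(?:-name\s+)?)"?([^\s"]+)',
    re.IGNORECASE,
)


def classify(event: dict):
    """Return (rule, detail) when the command line matches a backup-destruction pattern, else None."""
    cmd = event["cmdline"]
    if SHADOW_DELETE.search(cmd):
        return ("shadow_copy_deletion", cmd)
    m = SERVICE_STOP.search(cmd)
    if m:
        svc = m.group(1)
        if any(k in svc.lower() for k in BACKUP_VENDOR_KEYWORDS):
            return ("backup_service_stop", svc)
    return None


def detect_backup_destruction(events: list) -> list:
    """Run every event through classify() and return the alerts in log order."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append({"host": ev["host"], "user": ev["user"], "rule": hit[0], "detail": hit[1]})
    return alerts
```

IT also stops backup services during maintenance and upgrades, so correlate the service-stop rule with change records rather than alerting on it alone; a quiet deletion of all shadow copies on a file server is much closer to a standalone alert.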
The backup architecture that resists ransomware:
The 3-2-1-1-0 rule: 3 copies of data, 2 different media types, 1 offsite copy, 1 immutable/air-gapped copy, 0 errors verified by test restoration.
The immutable copy — stored in a system where files can be written but not modified or deleted — is the critical element that ransomware cannot reach even with domain administrator access.
Domain administrator access means the attacker can touch everything connected to the domain. The only backups that survive a full domain compromise are ones that are not accessible from the domain: immutable cloud storage with separate authentication and air-gapped offline vaults.
Step 6: Deployment and Encryption
The encryption event itself is the final step and, in many ways, the most technically straightforward. By the time encryption triggers, the hard work is done.
How encryption is deployed:
With domain administrator access, the attacker uses legitimate administrative tools to deploy ransomware to all targeted systems simultaneously:
- Group Policy Objects (GPO): Push a logon script that executes the ransomware payload
- SCCM/Intune: Use the enterprise software deployment tools IT uses for legitimate software to push the ransomware package
- PsExec: Execute the ransomware remotely across a list of target systems
- Scheduled Tasks: Create a scheduled task on all systems via GPO, set to fire at a specific time
The simultaneous deployment is by design. If a single system encrypts and the victim notices, they might stop the spread. Triggering everything at once maximizes the damage and the pressure before containment can begin.
What the encryption actually does:
Modern ransomware uses strong, standard cryptography — typically a combination of AES-256 for file encryption and RSA or elliptic curve cryptography for key management. The attacker generates a unique AES key for each victim, encrypts files with that key, and then encrypts the AES key with their RSA public key.
The practical result: even if you have the ransomware binary, you cannot decrypt the files without the private key held by the attacker. The mathematics are sound. There is no "cracking" your way to the decryption key.
The timing design:
Many ransomware operators trigger the encryption event at a time calculated to maximize disruption and minimize immediate response: Friday evenings, before long weekends. Colonial Pipeline was attacked over a weekend. The attack timing is not random — it's chosen to extend the window between encryption and effective response.
What Organizations Get Wrong in Response
Mistake 1: Paying without containment
Paying the ransom and receiving decryption keys does not remove the attacker from the network. Unless the initial access path is identified and closed, the attacker can re-deploy ransomware. There are documented cases of organizations paying a ransom and being re-encrypted within weeks.
Mistake 2: Restoring from backup without rebuilding
Restoring data to a compromised network infrastructure leaves the attacker's persistence mechanisms in place. The attacker still has access. Effective recovery requires rebuilding the network from a known-good state, not just restoring file data.
Mistake 3: Assuming ransom payment means data won't be published
There is no honor among ransomware groups. Payment does not guarantee that exfiltrated data won't be published or sold.
Mistake 4: Incomplete backup verification
Discovering that backups don't work during an active incident is a catastrophic compounding failure. Backup testing — regular, documented restoration exercises — is the only way to know backups work before you need them.
The Defensive Architecture That Limits Ransomware Damage
Understanding the attack chain reveals precisely where defensive investment creates the most value:
Highest impact defensive measures:
- Phishing-resistant MFA on all remote access: The most common initial access vector is compromised credentials. MFA that cannot be defeated by credential stuffing (hardware keys or app-based TOTP, not SMS) prevents the attack before it starts.
- Endpoint Detection and Response (EDR): Modern EDR platforms detect BloodHound enumeration, Mimikatz credential dumping, shadow copy deletion, and ransomware encryption behavior. An EDR with aggressive detection policies catches the attack during lateral movement, not during encryption.
- Privileged access segmentation: Service accounts should not have excessive permissions. Domain administrators should not be logged into regular workstations. Separation of privileged access limits lateral movement paths.
- Immutable backups with tested restoration: The 3-2-1-1-0 rule with regular documented restoration tests. Immutable backups are the backstop when all other defenses fail.
- Network segmentation: Flat networks allow unlimited lateral movement. Segmentation containing workstations in separate VLANs from servers forces the attacker to traverse additional detection points with each pivot.
Closing
Understanding how ransomware works — the specific technical steps, the sequence, and the reasoning behind each phase — is foundational to almost every defensive security discipline. You cannot build effective detection rules without knowing what attacker behavior looks like in logs. You cannot design a resilient backup architecture without knowing how ransomware destroys backups. You cannot conduct an effective incident response without understanding what the attacker was doing for the three weeks before encryption triggered.
Ransomware is a solvable problem: not through prevention alone, since the attacker always has options, but through rapid detection and resilient recovery. That skill set is learnable, and it starts with understanding exactly what you're defending against.