Anatomy Of A Ransomware Attack

There has been a notable increase in ransomware attacks within the last 12 months, with numerous organisations, such as the Irish Health Service Executive (HSE) and Miami-based IT management company Kaseya, being targeted.

Successful ransomware attacks often lead to financial gains for attackers. As rewards can be large, ransomware continues to evolve, becoming more advanced. However, the more we understand about the process of a ransomware attack, the better we can defend against attacks.


Most ransomware attacks are made up of the following seven steps:


1. Delivery

All ransomware has to initially gain access to your corporate network. The most common ingress point for a ransomware attack is through human error. An employee could open a phishing email and click on a link or download an attachment that contains a ransomware dropper. 


2. Infection

Once the ransomware is downloaded onto a machine the infection begins. This initial infection can often be hard to detect. 


3. Command and Control Server

Once the ransomware has infected its initial host machine, it will execute its malicious code and embed itself in your network. Once embedded, it will attempt to make contact with the attacker's servers and wait for instructions.


4. Discovery

The ransomware will begin searching for company data to encrypt across any networks it can access. 


5. Lateral Movement and Credential Stealing

Some ransomware will move throughout your network, stealing credentials and escalating privileges to compromise more and more systems. The more data an attacker can collect for encryption the better for them.


6. Encryption

Once an attacker has gathered and identified which files are most sensitive to your organisation, they will begin to encrypt them. If an attacker has managed to access an organisation's back-ups, they will encrypt these also.


7. Ransom

This is the part many of us would be most familiar with. We have all heard about the messages organisations have received from an attacker demanding a ransom to have their organisation's files decrypted. Once an attacker has successfully encrypted an organisation's files, they issue a ransom demand. This ransom demand is typically for a payment to be made via a digital currency such as Bitcoin in exchange for the decryption key, so that the organisation can retrieve its files.
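
Because the seven steps happen in order, defenders can place telemetry on that timeline and see which hosts have passed the Command and Control step but are not yet encrypting. The following is an added example, not Secora Consulting's code; the event names and the sample log lines are constructed assumptions, not any product's schema.

```python
from collections import defaultdict
from datetime import datetime

# The article's seven steps, in order.
STAGES = ["Delivery", "Infection", "Command and Control Server", "Discovery",
          "Lateral Movement and Credential Stealing", "Encryption", "Ransom"]
ENCRYPTION = STAGES.index("Encryption")

# Hypothetical event names (assumptions, not a real schema) -> stage index.
EVENT_STAGE = {
    "email_attachment_opened": 0, "unsigned_binary_executed": 1,
    "outbound_to_unknown_host": 2, "share_enumeration": 3,
    "credential_store_read": 4, "remote_logon_new_host": 4,
    "mass_file_rewrite": 5, "ransom_note_created": 6,
}

# Constructed sample telemetry: (ISO timestamp, host, event name).
SAMPLE_EVENTS = [
    ("2021-03-01T09:14:00", "ws-017", "email_attachment_opened"),
    ("2021-03-01T09:15:00", "ws-017", "unsigned_binary_executed"),
    ("2021-03-01T09:21:00", "ws-017", "outbound_to_unknown_host"),
    ("2021-03-01T09:30:00", "ws-022", "user_logon"),  # benign, unmapped
    ("2021-03-01T11:02:00", "ws-017", "share_enumeration"),
    ("2021-03-01T11:40:00", "ws-017", "credential_store_read"),
    ("2021-03-01T11:55:00", "fs-01", "remote_logon_new_host"),
    ("2021-03-01T13:05:00", "fs-01", "share_enumeration"),
    ("2021-03-02T02:10:00", "ws-017", "mass_file_rewrite"),
    ("2021-03-02T02:31:00", "ws-017", "ransom_note_created"),
]

def assess(events):
    """Per host: furthest step reached, and the time between the first
    mapped event and the start of encryption (None if not yet encrypting)."""
    first_seen = defaultdict(dict)  # host -> {stage index: first timestamp}
    for ts, host, name in sorted(events):
        stage = EVENT_STAGE.get(name)
        if stage is not None:
            first_seen[host].setdefault(stage, datetime.fromisoformat(ts))
    report = {}
    for host, stages in first_seen.items():
        furthest = max(stages)
        window = None
        if ENCRYPTION in stages:
            window = stages[ENCRYPTION] - min(stages.values())
        # contain_now: past Command and Control, but files not yet encrypted.
        report[host] = {"furthest": STAGES[furthest],
                        "window_before_encryption": window,
                        "contain_now": 2 <= furthest < ENCRYPTION}
    return report
```

On the constructed data, `assess(SAMPLE_EVENTS)` shows `ws-017` had almost 17 hours between its first signal and encryption, while `fs-01` is flagged for containment because it has reached the lateral movement step without encrypting yet.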


How can Secora Consulting help you?

We offer a wide range of services which are tailored to your requirements. We can help you prepare for the worst-case scenario by simulating threats to your organisation.

Should you ever be on the unfortunate end of a cyber attack, our in-depth knowledge and Incident Response service will have your organisation ransomware-free and up and running in no time.

Partner with us today. Our experienced consultants will go the extra mile to ensure your organisation stays secure by:


  • Validating implemented security controls.
  • Prioritising your risks based on their exploitability and impact.
  • Providing expert and effective advice to immediately improve your cyber security posture.
  • Understanding how uncovered issues will affect your organisation, operations availability and profitability. 
  • Helping you recover from incidents and cyber attacks.

If you have any questions regarding ransomware, or are unsure if the steps you are taking to help keep your organisation secure are working, get in touch!


Our services

All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.

Concerned about Ransomware?

Cybercriminals are ramping up their ransomware attacks. Secora Consulting can help your organisation ensure your cybersecurity posture is robust.