The five phases of a ransomware attack

To choose the right antiransomware solution, you first need to understand the problem. Let us take a look at the five phases of a ransomware attack. Understanding each phase and being able to recognize its signs can help you defend your business against an attack effectively, or at least lessen its effects. Do not forget that these attacks happen very quickly (around 15 minutes from infection to receiving the message demanding a ransom in return for data “recovery”). Hence the importance of a real-time protection system, like Mitra Antiransomware.


Exploitation and infection (T -00:00)

For the attack to be carried out, the ransomware file needs to be downloaded onto a computer. This often occurs through a phishing email or malicious exploit-kit code.

Delivery and execution (T -00:05)

During this phase, the actual ransomware is delivered to the victim’s device. Once it has been downloaded, persistence mechanisms are put in place.

Backup hijacking (T -00:10)

Shortly after, the ransomware locates the files and folders holding backup copies on the victim’s system and deletes them, so that the backups cannot be used to recover the data. This is unique to ransomware: other malicious software does not eliminate backup files.

File encryption (T -02:00)

Once the backup files are deleted, the malware performs a secure key exchange with the command and control server (C2). This establishes the encryption keys that will be used to encrypt files on the local system.

User notification and clean-up (T -15:00)

After the backup copies are deleted and encryption is complete, the user receives instructions on how to recover their data and is coerced into making a payment (usually in Bitcoin). Generally, a company is given a few days to pay, after which the amount demanded increases.
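The backup-hijacking and file-encryption phases above follow each other within minutes, which gives a defender a sequence to look for: deletion of backup copies followed by a burst of file rewrites on the same host. The following detector is an added example written for this page, not code from the article or from Mitra Antiransomware; the event tuple format, the backup-path markers, the five-minute window and the threshold of 50 modifications are all assumptions chosen for illustration, and the event log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-activity events in a hypothetical format:
# (timestamp, host, action, path). They are made up to illustrate the
# phase sequence and are not real logs from any system.
T0 = datetime(2024, 1, 1, 10, 0, 0)
EVENTS = [
    # Host ws01: backup copies removed, then a burst of rewrites two minutes later
    # (backup hijacking followed by file encryption).
    (T0 + timedelta(seconds=10), "ws01", "delete", r"C:\Backups\docs-2023.bak"),
    (T0 + timedelta(seconds=11), "ws01", "delete", r"C:\Backups\docs-2024.bak"),
    *[(T0 + timedelta(minutes=2, seconds=i), "ws01", "modify",
       rf"C:\Users\alice\Documents\file{i}.docx.locked") for i in range(60)],
    # Host ws02: a user tidies one old backup and edits a few files; benign.
    (T0 + timedelta(minutes=1), "ws02", "delete", r"C:\Backups\old.bak"),
    *[(T0 + timedelta(minutes=3, seconds=i), "ws02", "modify",
       rf"C:\Users\bob\report{i}.xlsx") for i in range(3)],
]

# Assumed markers that identify backup copies in this example environment.
BACKUP_MARKERS = ("\\backups\\", ".bak", ".vhd")


def is_backup_path(path):
    p = path.lower()
    return any(m in p for m in BACKUP_MARKERS)


def detect_backup_hijack(events, window=timedelta(minutes=5), threshold=50):
    """Flag hosts where a backup deletion is followed, within `window`, by at
    least `threshold` file modifications. Returns {host: (first_backup_deletion,
    modifications_in_window)} so a responder sees where the sequence began."""
    by_host = defaultdict(list)
    for ts, host, action, path in sorted(events):
        by_host[host].append((ts, action, path))
    alerts = {}
    for host, evs in by_host.items():
        deletions = [ts for ts, a, p in evs if a == "delete" and is_backup_path(p)]
        if not deletions:
            continue
        start = deletions[0]  # phase 3 begins here
        burst = sum(1 for ts, a, _ in evs
                    if a == "modify" and start <= ts <= start + window)
        if burst >= threshold:  # phase 4 observed shortly after phase 3
            alerts[host] = (start, burst)
    return alerts


if __name__ == "__main__":
    for host, (start, count) in detect_backup_hijack(EVENTS).items():
        print(f"{host}: backup deletion at {start:%H:%M:%S}, {count} rewrites followed")
```

The threshold and window are the tuning knobs: lowering the threshold to 2 in the sample data also flags ws02, which shows why the burst size, not the backup deletion alone, carries the signal.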