Ransomware is one of the biggest cybersecurity threats in 2022.

This blog will highlight:    

  • The definition of ransomware.   
  • What the anatomy of a ransomware attack looks like.   
  • Preventing ransomware attacks.   

What is Ransomware?   

Ransomware is malicious software that denies an organisation access to its systems and/or data until a ransom is paid.

Ransomware can affect an organisation by:     

  • Locking the system's screen so that it cannot be used.
  • Encrypting user and system files so that they cannot be opened without the attacker's key.

Tenable suggests that:   

‘Ransomware is the most disruptive global cyberthreat we face today. This threat affects virtually every industry and stems from various root causes, all of which your security teams must account for in their defender strategies.   

To make matters worse, the ransomware threat continues to evolve.

Attacks are moving from broad-based phishing attacks casting a wide net to highly targeted attacks on specific organisations, and you should protect your organisation from both forms of attack.’    


The Anatomy of Ransomware Attacks     

Ransomware has traditionally been delivered through phishing campaigns, increasingly aimed at specific targets.

Attackers also use several other ways to distribute the malware, such as drive-by downloads, USB sticks and other portable devices, and exposed remote-access services.

However the ransomware is delivered, the anatomy of an attack remains broadly the same and follows the steps below.

Reconnaissance Phase     

Attackers research the target to confirm that it has exploitable weaknesses and that an attack is likely to be worthwhile. The same research tells them how severe the impact on the organisation would be, and therefore how much leverage they will have when demanding payment.

Gain Access     

Gaining access is the next step in an attack.

Using the research gathered in the reconnaissance phase, attackers will attempt to compromise the organisation’s user accounts by:     

  • Brute-forcing passwords.   
  • Using default passwords.   
  • Obtaining credentials via phishing.   
  • Exploiting misconfigured or exposed access points, such as remote-access services reachable from the internet.
  • Purchasing compromised user accounts from other criminals (often accounts with administrative privileges, which give broader access to the organisation's network).
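The first two items on that list, brute-forcing and trying default passwords, leave a clear trace in authentication logs long before any file is encrypted. The following Python is an added example written for this post, not code from Sapphire or any vendor. It flags any source that accumulates too many failed logons inside a short window and records whether that source then logged in successfully, which is the strongest sign the guessing worked. The log lines are constructed in the style of Linux sshd entries in /var/log/auth.log, and the five-failures-in-a-minute threshold is an assumption to tune for your own environment.

```python
"""Spot password brute-forcing in authentication logs.

Added example, not code from the original post. Given failed-logon events,
it reports any source IP that accumulates too many failures inside a short
window, and records whether that source later logged in successfully.
The log lines are constructed for the example; the threshold and window
are assumptions to tune for your own environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample: 203.0.113.7 sprays several accounts and finally gets in;
# 198.51.100.20 is a legitimate user who mistypes a password once.
SAMPLE_AUTH_LOG = """\
2022-03-14T09:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50210 ssh2
2022-03-14T09:00:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 50211 ssh2
2022-03-14T09:00:03 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 50212 ssh2
2022-03-14T09:00:04 host sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 50213 ssh2
2022-03-14T09:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 50214 ssh2
2022-03-14T09:00:06 host sshd[1206]: Accepted password for root from 203.0.113.7 port 50215 ssh2
2022-03-14T09:05:00 host sshd[1300]: Failed password for alice from 198.51.100.20 port 40001 ssh2
2022-03-14T09:05:10 host sshd[1301]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Yield (timestamp, source_ip, username, outcome) for each recognised line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["outcome"]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"failures": n, "users": set, "success_after": bool}} for
    every source with at least `threshold` failures within `window`."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    targeted = defaultdict(set)   # ip -> usernames it has tried
    flagged = {}
    for ts, ip, user, outcome in sorted(events, key=lambda e: e[0]):
        if outcome == "Failed":
            q = recent[ip]
            q.append(ts)
            targeted[ip].add(user)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    ip, {"failures": 0, "users": set(), "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
                entry["users"] = set(targeted[ip])
        elif outcome == "Accepted" and ip in flagged:
            # A success from an already-flagged source: treat the account as compromised.
            flagged[ip]["success_after"] = True
    return flagged


def analyse_sample():
    """Run the detector over the constructed log above."""
    return detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG))


if __name__ == "__main__":
    for ip, info in analyse_sample().items():
        print(ip, info)
```

The single failure from 198.51.100.20 never reaches the threshold and is ignored, while 203.0.113.7 is flagged after its fifth failure and then marked `success_after` when the `Accepted` line arrives; that combination is what should page an analyst, because it means the attacker now holds a valid credential for the "Maintaining Access" step that follows.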

Maintaining Access to the Organisation     

Attackers can maintain access to an organisation for months before encrypting files or selling that access on to another criminal group.

Destroying or Encrypting an Organisation’s Backups     

The objective of a ransomware attack is to deny the availability of resources and force the target into making a ransom payment in order to regain access.

Importantly, attackers often make sure that recovery is not an option by encrypting or destroying any backups the victim has.

They have developed strategies to traverse compromised networks to reach backup servers, destroy the backups they find, or deploy specialised strains that encrypt online backups, all with the aim of forcing the victim to pay.

Negotiation and Payment     

If the attack is successful, the next step is to begin the negotiation and payment phase.   

The ransom, usually demanded in cryptocurrency, is exchanged for a decryptor that is supposed to restore access to the encrypted files.

Many organisations engage a third-party incident response team to assist with the negotiation of the ransom.

Recovery Phase     

Unfortunately, after an attack, many organisations are left with a clean-up exercise.

The organisation can suffer from:   

  • Income loss.   
  • The cost of restoring production systems.
  • Incident Response costs.   
  • Damage to reputation.  

However, even if a victim pays the ransom, there is no guarantee that the criminals will supply a working decryptor or that every file can be recovered. As a result, organisations can feel the ramifications for months afterwards.



Email

Email is one of the most successful channels for spreading ransomware.

Attackers embed malicious links or attachments in personalised or branded emails designed to look like they come from a legitimate source, to trick the recipient into clicking the link or opening the attachment.

Drive-by Downloads     

Drive-by downloads occur when a user visits a compromised website that infects a device with ransomware.   

To achieve this, cybercriminals probe legitimate websites for security flaws and vulnerabilities, then embed their code in the site or set up copies of popular websites to lure visitors.

USB/Portable Device      

As the popularity of cloud services increases, USBs are not used as frequently. However, they can still be used to infect computers and systems.   

In some cases, these devices are left lying around an office space by social engineers and cybercriminals.   

Open Remote Desktop Protocol (RDP) Ports     

Remote Desktop Protocol (RDP) allows IT administrators to access a PC or server remotely, primarily for configuration or application access.

If RDP (TCP port 3389 by default) is exposed to the public internet or another untrusted network, cybercriminals can reach it, guess or reuse credentials, and use the session as a platform from which to deploy ransomware.
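The practical question for the RDP point above is not whether the service is running but which networks can reach it. The Python below is an added example written for this post, not code from Sapphire or any vendor. It reads the LISTENING lines of `netstat -an` output and reports RDP listeners bound to an address outside a set of trusted management ranges, or bound to all interfaces on a host that also holds such an address. The netstat text, host addresses and trusted ranges are constructed assumptions for the example; substitute your own.

```python
"""Flag Remote Desktop listeners reachable from untrusted networks.

Added example, not from the original post. It parses the LISTENING lines of
'netstat -an' output (constructed here, not captured from a real host) and
reports RDP (TCP 3389 by default) listeners that are bound either to an
address outside the trusted management ranges or to all interfaces on a
host that has such an address. The trusted ranges are an assumption for
the example; adapt them to your own network.
"""
import ipaddress
import re

# Assumed management/loopback ranges that are allowed to reach RDP.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "::1/128")]

# Constructed: a server with RDP on all interfaces and a non-management address.
EXPOSED_HOST_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:445           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5985         0.0.0.0:0              LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
"""
EXPOSED_HOST_ADDRS = ["10.0.0.5", "203.0.113.10", "2001:db8::10"]

# Constructed: the same server after binding RDP to the management interface only.
HARDENED_HOST_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:3389          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:445           0.0.0.0:0              LISTENING
"""
HARDENED_HOST_ADDRS = ["10.0.0.5", "203.0.113.10"]

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING", re.IGNORECASE)


def parse_listeners(netstat_text):
    """Return [(ip_address, port)] for each TCP LISTENING line."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, _, port = m.group(1).rpartition(":")      # handles "[::]:3389" too
        listeners.append((ipaddress.ip_address(addr.strip("[]")), int(port)))
    return listeners


def is_trusted(addr, trusted_nets=TRUSTED_NETS):
    """True if addr falls inside one of the trusted ranges of the same IP version."""
    return any(addr in net for net in trusted_nets if net.version == addr.version)


def check_rdp_exposure(netstat_text, host_addrs, rdp_port=3389, trusted_nets=TRUSTED_NETS):
    """Return a list of findings; an empty list means no exposed RDP listener."""
    host_ips = [ipaddress.ip_address(a) for a in host_addrs]
    untrusted_host_ips = [ip for ip in host_ips if not is_trusted(ip, trusted_nets)]
    findings = []
    for bind, port in parse_listeners(netstat_text):
        if port != rdp_port:
            continue
        if bind.is_unspecified:
            # Wildcard bind: reachable on every interface of the same IP version.
            reach = [ip for ip in untrusted_host_ips if ip.version == bind.version]
            if reach:
                findings.append(
                    f"RDP on {bind}:{port} is reachable via untrusted address(es) "
                    + ", ".join(map(str, reach)))
        elif not is_trusted(bind, trusted_nets):
            findings.append(f"RDP bound directly to untrusted address {bind}:{port}")
    return findings


if __name__ == "__main__":
    for label, text, addrs in (("exposed", EXPOSED_HOST_NETSTAT, EXPOSED_HOST_ADDRS),
                               ("hardened", HARDENED_HOST_NETSTAT, HARDENED_HOST_ADDRS)):
        print(label, check_rdp_exposure(text, addrs) or "no exposed RDP listener")
```

Binding RDP to a management address is only one control; the same check is worth running against the host firewall and perimeter rules, since a wildcard bind behind a firewall that only admits the management range is equivalent to the hardened case here.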

Ransomware as a Service (RaaS)

Check Point suggests that:

“Finally, the ransomware threat has evolved due to role specialization and the creation of the Ransomware as a Service (RaaS) model for attacks.

Instead of a single group developing malware, infecting organizations, and collecting ransoms, ransomware authors now distribute their malware to “affiliates” for use in their attacks.

RaaS provides affiliates with access to advanced malware and enables the ransomware authors to scale their campaigns, increasing the ransomware threat.”


How can I Prepare for Ransomware Attacks?   

Effective cyber security training for your organisation

This helps raise employees' awareness of the risks of ransomware and of the phishing attacks that most commonly deliver it.

Regularly backing up data in your organisation

Having regular, verified, offline backups of your organisation’s data can help safeguard your data in an attack.
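"Verified" is the word that matters in that sentence, because the attack anatomy above includes a step whose whole purpose is to quietly corrupt or delete your backups. The Python below is an added example written for this post, not Sapphire's or any vendor's tooling. It records a SHA-256 manifest when a backup is taken, then re-checks the backup against that manifest and reports files that are missing, altered or unexpected. The files it writes are constructed in a temporary directory purely to demonstrate the check; in practice the manifest, like the backup itself, belongs on offline storage the attacker cannot reach.

```python
"""Verify that a backup still matches what was backed up.

Added example, not from the original post. A backup that has been silently
encrypted or deleted by an intruder is worthless, so record a SHA-256
manifest when the backup is taken, store it offline, and re-run the
verification before relying on the backup. The files written here are
constructed in a temporary directory purely to demonstrate the check.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root):
    """Map every file under backup_root (relative POSIX path) to its SHA-256."""
    root = Path(backup_root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(backup_root, manifest):
    """Compare the backup on disk against a stored manifest.

    Returns {"ok": [...], "modified": [...], "missing": [...], "unexpected": [...]}.
    Anything other than an empty modified/missing/unexpected list means the
    backup can no longer be trusted for recovery.
    """
    root = Path(backup_root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report["unexpected"] = sorted(present - set(manifest))
    return report


def demo():
    """Take a backup, verify it, then simulate an attacker tampering with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed backup contents.
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'alice');\n")
        (root / "config.ini").write_text("[app]\nmode=prod\n")

        manifest = build_manifest(root)
        stored = json.dumps(manifest, indent=2, sort_keys=True)   # this is what goes offline
        clean = verify_manifest(root, json.loads(stored))

        # Simulate ransomware reaching the backup share: one file overwritten
        # with ciphertext-like bytes, one deleted, and a ransom note dropped.
        (root / "db" / "customers.sql").write_bytes(b"\x8f\x1a\x3c\x00\xd2\x77\x9b\x41")
        (root / "config.ini").unlink()
        (root / "README_RESTORE.txt").write_text("your files are encrypted\n")
        tampered = verify_manifest(root, json.loads(stored))
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

Note that the check is only as trustworthy as the copy of the manifest you compare against: if the manifest sits on the same share as the backup, an attacker who can encrypt the files can regenerate it too, which is why the offline copy is the one to use.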

Disrupt ransomware attack paths before they are exploited

Combining risk-based vulnerability management with Active Directory security allows an organisation to identify and close the common attack paths that ransomware operators rely on.

Hardening Active Directory makes it much harder for attackers to gain a foothold and to take the next step in their attack, such as escalating privileges or moving laterally towards backups and file servers.

Prepare for the worst with cyber threat intelligence services

Threat intelligence services can provide crucial information about current and emerging threats to your organisation.

This foresight allows organisations to make informed decisions and reduce risk to their digital and corporate assets.   

Get in touch with our expert team for more information about how to protect your organisation against ransomware attacks! 
