Skip to content
Athenian Tech

Cyber Threats

Ransomware Explained: How Digital Extortion Works and How to Stop It

6 min read1,308 words

Most people picture ransomware as a dramatic red skull flashing on a screen, demanding Bitcoin within 72 hours. That image isn’t wrong, but it misses the point. By the time the ransom note appears, the interesting part of the attack is already over. Attackers have usually been inside the network for days or weeks — mapping shares, stealing credentials, quietly copying your data — and the encryption is merely the loud finale of a long, quiet break-in. Understanding ransomware means understanding that timeline, because almost everything that determines whether you survive an attack happens before that note ever loads.

What It Actually Is

Ransomware is malicious software that denies you access to your own data or systems, then demands payment to restore it. The classic mechanism is cryptographic: the malware encrypts files with a strong algorithm (commonly AES for the files themselves, with an RSA or ECC key protecting the AES key), and only the attacker holds the private key needed to reverse it. Without that key, the math is effectively unbreakable, which is exactly why the model works.

The impact rarely stops at locked files. A single incident can halt hospital operations, shut down a fuel pipeline, freeze a manufacturing line, or take a school district offline for weeks. The real costs are downtime, incident response, regulatory penalties, lost customers, and reputational damage — the ransom itself is often the smallest line item. That’s why ransomware is treated as a business-continuity threat, not just an IT problem.

From Floppy Disks to Cartels

Ransomware is older than most people assume. The first documented case, the AIDS Trojan in 1989, was distributed on floppy disks to researchers, hid directory names, and demanded a check mailed to a Panama P.O. box. It was clumsy and easily defeated, but the concept was there.

The threat matured alongside two enabling technologies. Strong, easy-to-use public-key cryptography made encryption genuinely unbreakable, and cryptocurrency gave attackers a way to collect payment without exposing a bank account. The 2013 arrival of CryptoLocker married both and set the template. Then in 2017, WannaCry and NotPetya showed the world what self-propagating ransomware could do, spreading across the globe in hours by exploiting a leaked Windows SMB vulnerability (EternalBlue).

The modern era is defined less by clever code and more by clever business models:

  • Ransomware-as-a-Service (RaaS): Developers rent their malware and infrastructure to “affiliates” who carry out attacks and split the profits. This lowered the technical bar dramatically.
  • Double extortion: Attackers steal data before encrypting it, then threaten to publish it. Now even a perfect backup doesn’t remove the leverage.
  • Triple extortion: Adding pressure by contacting your customers, launching DDoS attacks, or reporting breaches to regulators to force a payout.

The Anatomy of an Attack

Nearly every human-operated ransomware campaign follows a recognizable sequence, closely mirroring the stages in the MITRE ATT&CK framework:

  1. Initial access — usually phishing, stolen or weak credentials, exposed RDP, or an unpatched internet-facing service.
  2. Execution and persistence — establishing a foothold that survives reboots.
  3. Privilege escalation and credential theft — grabbing admin rights, often with tools like Mimikatz.
  4. Lateral movement — spreading across the network to reach domain controllers and file servers.
  5. Exfiltration — copying sensitive data out for the extortion leverage.
  6. Impact — deleting backups and shadow copies, then triggering encryption everywhere at once.

That backup-deletion step is deliberate. A common Windows command attackers run before encrypting looks like this:

Command Prompt
vssadmin delete shadows /all /quiet
wbadmin delete catalog -quiet
bcdedit /set {default} recoveryenabled No

Those three lines wipe the Volume Shadow Copies and disable Windows recovery so victims can’t simply roll back. Seeing vssadmin delete shadows in your logs is a screaming red flag that encryption is imminent — and a good thing to alert on:

Text
# Sysmon/EDR detection idea: alert on shadow copy deletion
process_name: "vssadmin.exe" AND command_line CONTAINS "delete shadows"

Building a Defense That Holds

Because the attack chain is long, you get many chances to break it. Defense works best in layers, so a failure at one point doesn’t become a catastrophe.

  • Cut off the common entry points. Enforce phishing-resistant multi-factor authentication everywhere, never expose RDP directly to the internet, and patch internet-facing systems fast. These three measures block the majority of real-world intrusions.
  • Reduce the blast radius. Segment networks so a compromised laptop can’t reach the entire file server estate. Apply least-privilege access and limit which accounts hold domain-admin rights.
  • Protect your backups like they’re the target — because they are. Follow the 3-2-1 rule: three copies, two media types, one offline or immutable. Test restores regularly; an untested backup is a hope, not a plan.
  • Watch for the behavior, not just the malware. Endpoint detection and response (EDR) tools catch the actions of an attack — credential dumping, lateral movement, mass file changes — even when the specific ransomware strain is brand new.

A quick way to check whether you’re needlessly exposing remote-access ports is a simple scan of your own perimeter:

Shell
# Check for exposed RDP (3389) and SMB (445) from outside
nmap -Pn -p 3389,445 your-public-ip-range/24

If those ports answer from the public internet, close them or put them behind a VPN before an attacker finds them first — automated bots scan the entire IPv4 space for exactly this.

When Prevention Fails

Assume, eventually, something gets through. A calm, rehearsed response makes the difference between a bad week and an existential crisis.

The first instinct is often the wrong one: do not immediately power off machines, because volatile memory can hold encryption keys and forensic evidence. Instead, isolate affected systems from the network — pull the cable or disable the port — to stop the spread while preserving the scene. Then work through a prepared plan:

  • Contain by isolating infected hosts and disabling compromised accounts.
  • Assess the scope: what’s encrypted, what was accessed, and critically, what was exfiltrated.
  • Preserve evidence and pull in legal counsel and, where required, cyber-insurance and law enforcement (in the US, the FBI and CISA).
  • Recover from clean backups only after you’re confident the attacker’s access is fully removed — restoring into a still-compromised network just gets you encrypted again.
  • Report as required by regulations like GDPR, HIPAA, or breach-notification laws.

On the question everyone asks — should you pay? — authorities uniformly advise against it. Payment funds the criminal ecosystem, marks you as a willing target for repeat attacks, and offers no guarantee: decryptors are frequently buggy or incomplete, and stolen data may be leaked or sold regardless. It’s worth checking the No More Ransom project first, as free decryptors exist for many older or flawed strains. That said, the decision is genuinely hard when lives or a company’s survival are at stake, which is precisely why it should be war-gamed in advance rather than debated in a crisis.

Where This Is Heading

Ransomware keeps evolving toward whatever is most profitable and hardest to defend. Some crews now skip encryption entirely, relying on pure data-theft extortion because it’s faster and harder to recover from. Attacks increasingly target the software supply chain and managed service providers to hit hundreds of victims at once. And AI is starting to sharpen both sides — helping attackers craft more convincing phishing lures while helping defenders spot anomalies faster.

The through-line across three decades is that ransomware is fundamentally a business, and it responds to economics. It thrives on soft targets: unpatched systems, reused passwords, missing MFA, and untested backups. None of the defenses that matter most are exotic. The organizations that weather these attacks aren’t the ones with the biggest security budgets — they’re the ones that did the unglamorous basics well, assumed a breach would happen, and practiced their response before they needed it.