Most people picture ransomware as a single dramatic moment: a skull on a screen, a countdown timer, a demand for Bitcoin. That image is a decade out of date. Modern ransomware is rarely the first thing that happens to a victim — it is the last thing, the noisy finale of an intrusion that quietly unfolded over days or weeks. By the time files start encrypting, the attackers have usually already mapped the network, stolen credentials, disabled backups, and exfiltrated gigabytes of sensitive data to hold in reserve. Understanding real-world examples matters precisely because they reveal this hidden lifecycle, and they show why “just restore from backup” is almost never the whole story.
Attacks That Reshaped the Landscape
A handful of incidents changed how defenders think about this threat.
- WannaCry (2017) spread on its own using EternalBlue, a leaked NSA exploit for a Windows SMB flaw. It was a worm — no phishing click required — and it crippled hundreds of thousands of machines worldwide, including large parts of the UK’s National Health Service, forcing hospitals to cancel appointments. It was stopped almost by accident when a researcher registered a “kill switch” domain hardcoded in the malware.
- NotPetya (2017) looked like ransomware but was really a destructive wiper disguised as one, seeded through a compromised Ukrainian accounting software update. It caused an estimated ten billion dollars in global damage, hitting shipping giant Maersk and pharmaceutical company Merck. The lesson: paying would not have helped, because recovery was never the point.
- Ryuk and Conti professionalized “big game hunting,” targeting hospitals, municipalities, and enterprises with patient, hands-on-keyboard intrusions and multi-million-dollar demands.
- Colonial Pipeline (2021), hit by the DarkSide group via a single leaked VPN password on an account without multi-factor authentication, shut down a major US fuel artery and triggered panic buying along the East Coast. It became the textbook example of how one weak credential can have national consequences.
- Kaseya (2021) showed the supply-chain multiplier: the REvil group exploited a flaw in remote-management software used by managed service providers, cascading encryption down to well over a thousand downstream businesses at once.
How Ransomware Gets In
Delivery has grown more deliberate over time. The most common initial-access routes today are:
- Phishing and malicious attachments — still the workhorse, often delivering a “loader” like a weaponized Office document or ISO file that pulls down the real payload.
- Exposed remote services — internet-facing RDP (port 3389) and VPN gateways with weak, reused, or unprotected credentials remain a favorite. Attackers buy these from “initial access brokers” who specialize in breaking in and reselling the foothold.
- Unpatched vulnerabilities — public-facing servers running outdated software, exemplified by the mass exploitation of file-transfer appliances like MOVEit and GoAnywhere.
- Software supply-chain compromise — poisoning a trusted update or a service provider’s tooling, as in NotPetya and Kaseya.
You can get a feel for how attackers survey their own targets with the same lightweight reconnaissance a defender would use. For example, a quick sweep for exposed RDP:
# Scan a range for hosts with RDP open — the classic ransomware entry point
nmap -p 3389 --open -sV 203.0.113.0/24Or a search for internet-exposed services you never meant to publish, using Shodan’s CLI:
# Find hosts in your org's netblock exposing RDP
shodan search 'port:3389 net:203.0.113.0/24'Finding these before an attacker does is one of the cheapest wins in security.
What Happens After the Breach
Once inside, modern crews follow a recognizable playbook. They escalate privileges (frequently by dumping credentials from memory with tools like Mimikatz), move laterally across the network, and hunt for the crown jewels — domain controllers, file servers, and backup systems. A defining tactic of the last several years is double extortion: stealing data before encrypting it, then threatening to publish it on a leak site if the ransom goes unpaid. This neutralizes the “we have good backups” defense, because restoring files does nothing to stop a data dump. Some groups have pushed further into triple extortion, adding denial-of-service attacks or directly harassing the victim’s customers.
A telltale technique defenders watch for is the deliberate destruction of recovery options — for instance, wiping Windows Volume Shadow Copies right before encryption:
vssadmin delete shadows /all /quietSeeing that command execute on an endpoint is a five-alarm fire. It means encryption is imminent and the attacker is closing your escape routes.
The As-a-Service Economy
The reason ransomware scaled so explosively is that it stopped being a craft and became a business. Under the Ransomware-as-a-Service (RaaS) model, a core group develops and maintains the malware, the payment infrastructure, and the leak site, then rents it out to “affiliates” who carry out the actual intrusions. Profits are split — often with the affiliate keeping the larger share. This specialization means the people breaking in do not need to know how to write encryption code, and the developers never have to touch a victim network.
Names churn constantly because groups rebrand to shed law-enforcement heat, but the model has been driven by outfits like LockBit, ALPHV/BlackCat, Conti, REvil, and Cl0p. When one is disrupted or its members arrested, its affiliates simply migrate to a competitor, which is why takedowns provide relief but rarely a permanent cure.
Why the Damage Runs Deep
The ransom demand is often the smallest line item. The real business impact comes from:
- Downtime — days or weeks of halted operations, which for a hospital or manufacturer can dwarf any ransom.
- Recovery labor — rebuilding systems from clean images, forensics, and incident-response retainers.
- Data-breach fallout — regulatory fines, breach-notification costs, lawsuits, and lost customer trust when exfiltrated data leaks.
- Long-tail effects — higher insurance premiums, reputational harm, and the strategic distraction of an executive team consumed by crisis for months.
Paying is legally fraught and offers no guarantee: decryptor tools are frequently buggy or slow, and paying marks you as a cooperative target for repeat attacks.
Getting Back on Your Feet
Recovery is a disciplined process, not a single restore button. The rough sequence that seasoned responders follow:
- Isolate, don’t power off. Disconnect affected machines from the network to halt spread, but keep them running where possible to preserve memory-resident forensic evidence.
- Identify the strain. Free services like the No More Ransom project can tell you if a working decryptor already exists, which occasionally saves a payment entirely.
- Preserve evidence and notify. Capture logs and disk images, then engage legal counsel, cyber insurance, and — depending on jurisdiction and sector — regulators and law enforcement.
- Eradicate before restoring. Find and close the original entry point and remove persistence. Restoring onto a still-compromised network just invites a second encryption.
- Restore from clean, offline backups. This is why the 3-2-1 rule — three copies, two media types, one offline or immutable — is the single most valuable investment you can make. Attackers explicitly target backups, so any copy reachable from the production network should be assumed compromised.
- Rebuild identity and rotate everything. Reset credentials, especially privileged and service accounts, and force new Kerberos keys since the attacker likely had domain-level access.
- Learn and harden. Enforce MFA everywhere, patch the exploited flaw, segment the network, and deploy monitoring for the exact behaviors — shadow-copy deletion, credential dumping — you now know to look for.
The Takeaway
Ransomware examples all rhyme, even across a decade of evolution. The technical payload — the encryption itself — is almost commoditized; what varies is how attackers get in and how much leverage they build before they strike. That is genuinely good news for defenders, because it means the highest-impact controls are unglamorous and well understood: multi-factor authentication on every remote entry point, prompt patching of internet-facing systems, network segmentation, and immutable offline backups you have actually tested a restore from. None of these stop a determined intruder cold, but together they turn what could be a company-ending catastrophe into a manageable, recoverable incident. The organizations that fare best are not the ones with the fanciest tools — they are the ones that assumed the breach would happen and rehearsed their response before they ever needed it.
