Ransomware: How It Works and How to Respond

Ransomware represents one of the most operationally disruptive categories of malicious software confronting US organizations across public and private sectors. This page covers the technical mechanics of ransomware attacks, their structural taxonomy, the regulatory obligations they trigger, and the documented response phases that govern professional incident handling. The Cyber Safety Listings directory identifies vetted professional services operating in this response landscape.



Definition and scope

Ransomware is formally defined by the Cybersecurity and Infrastructure Security Agency (CISA) as "a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable" until a ransom demand is satisfied. The scope of this threat spans healthcare, critical infrastructure, financial services, education, and government — no sector maintains structural immunity.

The FBI's Internet Crime Complaint Center (IC3) 2023 Internet Crime Report recorded 2,825 ransomware complaints in 2023 from US victims alone, with losses exceeding $59.6 million in reported damages for that category. IC3 acknowledges that reported figures represent a fraction of actual incident volume due to underreporting.

Ransomware events trigger reporting obligations under multiple federal and state instruments. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule at 45 CFR Part 164 requires covered entities to treat ransomware encryption of protected health information as a presumptive breach. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) mandates covered entity reporting to CISA within 72 hours of a qualifying incident, with final implementing rules under development by CISA as of 2024.


Core mechanics or structure

A ransomware attack proceeds through a reproducible sequence of stages that align closely with the MITRE ATT&CK framework's enterprise kill chain. NIST SP 800-61 Rev. 2, the Computer Security Incident Handling Guide, frames incident phases as preparation, detection and analysis, containment, eradication, and recovery — each directly applicable to ransomware response.

Stage 1 — Initial access. Threat actors gain entry through phishing email attachments, exploitation of public-facing application vulnerabilities, or compromised Remote Desktop Protocol (RDP) credentials. CISA's Known Exploited Vulnerabilities (KEV) catalog documents dozens of CVEs actively leveraged for ransomware initial access.
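The KEV catalog flags entries observed in ransomware campaigns, which lets a defender rank patching of the internet-facing systems named above. The script below is an added example, not code from this page or from CISA: the record layout mirrors the public KEV JSON feed's field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), while the feed entries, the asset inventory and the CVE identifiers are constructed placeholders. It generalizes the passage slightly by joining the flagged entries to an inventory and ordering the result by exposure and overdue remediation.

```python
"""Prioritise patching against a CISA KEV-style feed using its ransomware flag.

Added example, not code from the original page or from CISA. The record
layout mirrors the public KEV JSON feed's field names; the feed entries and
asset inventory are constructed, and the CVE identifiers are placeholders,
not real vulnerability IDs."""
import json
from datetime import date
from typing import List

KEV_FEED = json.loads("""
{
  "title": "constructed KEV-style feed",
  "vulnerabilities": [
    {"cveID": "CVE-0000-EXAMPLE1", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-EXAMPLE2", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2023-11-02", "dueDate": "2023-11-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-EXAMPLE3", "vendorProject": "ExampleFT", "product": "TransferServer",
     "dateAdded": "2023-06-07", "dueDate": "2023-06-28", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-EXAMPLE4", "vendorProject": "ExampleOffice", "product": "Suite",
     "dateAdded": "2024-02-15", "dueDate": "2024-03-07", "knownRansomwareCampaignUse": "Known"}
  ]
}
""")

# Constructed asset inventory: product in use, internet exposure, and KEV entries already remediated.
INVENTORY = [
    {"asset": "vpn-edge-01", "vendorProject": "ExampleVPN", "product": "Gateway",
     "internet_facing": True, "remediated": ["CVE-0000-EXAMPLE2"]},
    {"asset": "ft-dmz-01", "vendorProject": "ExampleFT", "product": "TransferServer",
     "internet_facing": True, "remediated": []},
    {"asset": "ws-pool", "vendorProject": "ExampleOffice", "product": "Suite",
     "internet_facing": False, "remediated": []},
]


def ransomware_flagged(feed: dict) -> List[dict]:
    """KEV entries CISA has marked as used in ransomware campaigns."""
    return [v for v in feed["vulnerabilities"] if v.get("knownRansomwareCampaignUse") == "Known"]


def exposure(feed: dict, inventory: List[dict], today_iso: str) -> List[dict]:
    """Join flagged entries to assets that run the product and have not remediated them,
    ranked with internet-facing assets first and the most overdue CISA due date next."""
    today = date.fromisoformat(today_iso)
    rows = []
    for asset in inventory:
        for vuln in ransomware_flagged(feed):
            same_product = (vuln["vendorProject"], vuln["product"]) == (asset["vendorProject"], asset["product"])
            if not same_product or vuln["cveID"] in asset["remediated"]:
                continue
            overdue = (today - date.fromisoformat(vuln["dueDate"])).days
            rows.append({"asset": asset["asset"], "cveID": vuln["cveID"],
                         "internet_facing": asset["internet_facing"],
                         "days_overdue": max(0, overdue)})
    rows.sort(key=lambda r: (not r["internet_facing"], -r["days_overdue"]))
    return rows


if __name__ == "__main__":
    for row in exposure(KEV_FEED, INVENTORY, "2024-03-01"):
        print(row)
```

Running it against the constructed data puts the unpatched internet-facing transfer server first, the VPN gateway second, and the internal workstation pool last; swapping in the live feed and a real inventory keeps the same join.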

Stage 2 — Execution and persistence. Malicious payloads execute via scripts, macro-enabled documents, or fileless techniques that reside in memory. Persistence mechanisms include scheduled tasks, registry run keys, and modification of boot sectors.

Stage 3 — Lateral movement and privilege escalation. Attackers traverse internal network segments using credential dumping tools, pass-the-hash techniques, and exploitation of unpatched internal systems. This stage extends dwell time — the period between initial access and ransomware detonation — which Mandiant's M-Trends Report has historically placed between 16 and 24 days for ransomware-affiliated actors.

Stage 4 — Data exfiltration (double extortion). Modern ransomware operators exfiltrate sensitive data before encryption. This creates a secondary extortion lever: pay or face public disclosure on a threat actor leak site. The CISA MS-ISAC Ransomware Guide identifies double extortion as the dominant operational model since approximately 2020.

Stage 5 — Encryption. The ransomware payload enumerates file systems and encrypts target file types using symmetric encryption (commonly AES-256) with the symmetric key itself encrypted by an attacker-controlled asymmetric key pair (commonly RSA-2048 or elliptic curve variants). This design makes decryption without the attacker's private key computationally infeasible.

Stage 6 — Ransom demand delivery. Ransom notes — dropped as text files or displayed as desktop wallpapers — specify payment amounts (typically denominated in Monero or Bitcoin), payment deadlines, and communication channels through Tor-hosted portals.


Causal relationships or drivers

The proliferation of ransomware as an attack category is attributable to a convergence of technical, economic, and structural factors.

Ransomware-as-a-Service (RaaS). The RaaS model industrialized ransomware deployment by separating payload development from attack execution. Operators maintain the malware infrastructure and take a percentage — often 20–30% — of ransom proceeds, while affiliates conduct intrusions. This arrangement dramatically lowers the technical barrier for new threat actors. The FBI's advisory on RaaS identifies LockBit, BlackCat (ALPHV), and Hive as documented RaaS platforms that collectively account for a disproportionate share of 2022–2023 US incidents.

Cryptocurrency payment infrastructure. Pseudonymous cryptocurrency transactions reduce the financial risk of ransom collection. The US Department of Justice's National Cryptocurrency Enforcement Team (NCET) was established specifically to address this dynamic, but attribution and asset recovery remain operationally constrained.

Expanded attack surface. Remote work adoption expanded reliance on RDP and VPN concentrators. CISA's 2022 Top Routinely Exploited Vulnerabilities advisory (AA22-117A) identifies unpatched internet-facing systems as the dominant initial access vector across ransomware campaigns.

Underinvestment in detection capability. Organizations lacking mature Security Operations Center functions — as structured in NIST SP 800-61 Rev. 2 — exhibit longer dwell times and broader encryption scope, directly correlating with higher recovery costs. The IBM Cost of a Data Breach Report 2023 placed the average total cost of a ransomware breach at $5.13 million, excluding any ransom payment itself.


Classification boundaries

Ransomware is not a monolithic category. Distinct operational variants carry different technical characteristics and response implications.

Crypto-ransomware. File-encrypting ransomware — the dominant form — renders data inaccessible through encryption without destroying it. Recovery requires either the attacker's decryption key or restoration from backup.

Locker ransomware. Locks the victim out of the operating system or device interface without encrypting underlying files. More common on consumer endpoints and mobile devices; less prevalent in enterprise environments.

Wiper-posing-as-ransomware. Malware that presents ransom demands but lacks functional decryption capability. NotPetya (2017) is the canonical example — classified by the US, UK, and EU governments as a destructive cyberweapon rather than financially motivated ransomware. CISA's NotPetya alert AA18-106A documents its use of the EternalBlue exploit.

Double-extortion ransomware. Combines file encryption with data exfiltration and threatened publication. Cl0p, LockBit, and ALPHV/BlackCat operate under this model, as documented in CISA's Stop Ransomware advisories.

Triple-extortion ransomware. Extends double extortion by threatening or executing DDoS attacks against victim infrastructure or directly contacting the victim's customers and partners to amplify pressure.

RaaS vs. targeted/nation-state. RaaS operations are financially motivated and opportunistic. Nation-state actors deploying ransomware-like tools (e.g., North Korean Lazarus Group campaigns documented in CISA advisory AA22-187A) operate with strategic objectives that may include revenue generation for sanctioned states alongside disruption.


Tradeoffs and tensions

The ransomware response landscape contains several areas of genuine institutional tension where competing obligations or strategic interests produce no clear-cut resolution.

Paying the ransom vs. not paying. The FBI and CISA formally discourage ransom payment, stating it does not guarantee file recovery and funds criminal operations (CISA ransomware guidance). Simultaneously, organizations facing irreplaceable data loss or operational shutdowns — particularly in healthcare — may face a binary choice between payment and patient harm. The Office of Foreign Assets Control (OFAC) advisory on ransomware payments introduces a third dimension: payments to sanctioned entities carry potential civil liability regardless of intent.

Decryption tool availability vs. operational delay. The No More Ransom project, a partnership between Europol, the Dutch National Police, and technology partners, maintains free decryption tools for documented ransomware strains at nomoreransom.org. Using these tools may resolve an incident without payment, but their availability is strain-specific and time-lagged relative to active campaigns.

Backup reliance vs. backup targeting. Offline and immutable backups represent the most reliable recovery path, yet sophisticated ransomware operators specifically target and delete Volume Shadow Copies and network-accessible backup repositories before encryption. This creates tension between backup architecture choices and operational convenience — cloud-connected backups that are accessible for rapid restoration may also be reachable by ransomware payloads.

Notification timing vs. investigation integrity. CIRCIA's 72-hour reporting window and HIPAA's breach notification obligations operate in parallel with active forensic investigation, during which the full scope of an incident may be unknown. Premature notification may be inaccurate; delayed notification carries regulatory exposure.


Common misconceptions

Misconception: Paying the ransom restores operations quickly.
Data from the Sophos State of Ransomware 2023 report — a widely cited annual survey of 3,000 IT professionals — indicates that even organizations receiving decryption keys face weeks of recovery time. Decryptors frequently operate slowly, produce corrupted files, or fail entirely on large or complex data sets.

Misconception: Ransomware only targets large enterprises.
The IC3's 2023 data shows that small and medium-sized businesses represent the majority of ransomware victims by complaint count. Attackers using RaaS affiliate models optimize for volume, not organizational size.

Misconception: Antivirus software reliably stops ransomware.
Modern ransomware variants use fileless execution, living-off-the-land techniques (abusing legitimate system tools such as PowerShell and WMI), and polymorphic payloads that evade signature-based detection. NIST's SP 800-83 Rev. 1 on malware incident prevention frames endpoint protection as one layer within a defense-in-depth posture, not a standalone control.
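Two behaviours this page singles out, living-off-the-land execution through PowerShell and WMI (above) and deletion of Volume Shadow Copies ahead of encryption (under "Backup reliance vs. backup targeting"), are visible in process-creation telemetry even when the payload itself has no signature. The script below is an added example, not code from this page: the pipe-delimited event format, host names, users and every sample line are constructed, and the rule set and severities are this editor's assumptions rather than a published detection standard.

```python
"""Behavioural review of process-creation telemetry for two ransomware
precursors: living-off-the-land abuse of PowerShell/WMI and deletion of
Volume Shadow Copies ahead of encryption.

Added example, not code from the original page. The event format and every
sample line are constructed; real sources (Sysmon Event ID 1, Windows
Security 4688, EDR exports) carry the same five fields."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed events: timestamp|host|user|parent image|command line
SAMPLE_EVENTS = """\
2024-03-02T01:12:07Z|WS-041|CORP\\jdoe|explorer.exe|"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" /n quarterly.docx
2024-03-02T01:12:31Z|WS-041|CORP\\jdoe|WINWORD.EXE|powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand ZXhhbXBsZQ==
2024-03-02T01:13:02Z|WS-041|CORP\\jdoe|powershell.exe|wmic.exe process call create "C:\\Users\\Public\\update.exe"
2024-03-02T01:40:55Z|FS-01|CORP\\svc_backup|cmd.exe|vssadmin.exe delete shadows /all /quiet
2024-03-02T08:05:00Z|WS-017|CORP\\asmith|explorer.exe|powershell.exe -File C:\\Scripts\\inventory.ps1
2024-03-02T09:00:00Z|FS-01|NT AUTHORITY\\SYSTEM|services.exe|vssadmin.exe list shadows
"""


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    parent: str
    command: str


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    event: ProcessEvent


def parse_events(text: str) -> List[ProcessEvent]:
    """The command line is the last field and may itself contain '|', so split at most 4 times."""
    events = []
    for line in text.splitlines():
        if line.strip():
            parts = line.split("|", 4)
            if len(parts) != 5:
                raise ValueError(f"malformed event: {line!r}")
            events.append(ProcessEvent(*parts))
    return events


def image_name(command: str) -> str:
    """Lower-case basename of the executable that starts a command line, quoted or not."""
    cmd = command.strip()
    head = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]
    return head.replace("/", "\\").rsplit("\\", 1)[-1].lower()


OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAG = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\b", re.I)  # PowerShell accepts prefixes of -EncodedCommand
HIDDEN_FLAG = re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I)


def shadow_copy_deletion(e: ProcessEvent) -> bool:
    # Backup targeting: removing shadow copies; merely listing them is routine administration.
    return image_name(e.command) == "vssadmin.exe" and re.search(r"\bdelete\s+shadows\b", e.command, re.I) is not None


def office_spawns_scripting_host(e: ProcessEvent) -> bool:
    # Macro-enabled document handing off to a script host (Stage 2 execution).
    return e.parent.lower() in OFFICE_PARENTS and image_name(e.command) in SCRIPT_HOSTS


def encoded_or_hidden_powershell(e: ProcessEvent) -> bool:
    return image_name(e.command) in {"powershell.exe", "pwsh.exe"} and bool(
        ENCODED_FLAG.search(e.command) or HIDDEN_FLAG.search(e.command))


def wmi_process_create(e: ProcessEvent) -> bool:
    # WMI used as a process launcher, a living-off-the-land pattern.
    return image_name(e.command) == "wmic.exe" and re.search(r"\bprocess\s+call\s+create\b", e.command, re.I) is not None


RULES: List[Tuple[str, str, Callable[[ProcessEvent], bool]]] = [
    ("shadow_copy_deletion", "critical", shadow_copy_deletion),
    ("office_spawns_scripting_host", "high", office_spawns_scripting_host),
    ("encoded_or_hidden_powershell", "high", encoded_or_hidden_powershell),
    ("wmi_process_create", "medium", wmi_process_create),
]


def detect(text: str) -> List[Finding]:
    """Every rule is evaluated against every event; one event may yield several findings."""
    return [Finding(name, severity, e) for e in parse_events(text) for name, severity, rule in RULES if rule(e)]


def findings_by_host(findings: List[Finding]) -> Dict[str, List[str]]:
    by_host: Dict[str, List[str]] = {}
    for f in findings:
        by_host.setdefault(f.event.host, []).append(f.rule)
    return by_host


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.severity:8} {f.rule:30} {f.event.host} {f.event.user}: {f.event.command}")
```

On the constructed data the benign lines (a scheduled inventory script, an administrator listing shadow copies) produce nothing, while the Office-spawned hidden PowerShell, the WMI process launch and the shadow-copy deletion are each flagged; the host grouping is what an analyst would use to decide which machine to isolate first in containment.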

Misconception: Ransomware attacks are immediately obvious.
The dwell time between initial compromise and encryption can exceed 21 days in targeted campaigns. During that period, attackers conduct reconnaissance and exfiltration with no visible indicators. Detection requires behavioral monitoring, not only endpoint alerts.

Misconception: Decryption means full recovery.
Even successful decryption leaves systems in a potentially compromised state. Ransomware operators routinely install backdoors, remote access tools, and credential-harvesting utilities during the dwell phase. Decryption without full environment remediation leaves persistent attacker access in place.


Checklist or steps (non-advisory)

The following sequence reflects the documented incident response phases established in NIST SP 800-61 Rev. 2 and the CISA-MS-ISAC Ransomware Guide, presented as a reference framework for response phase structure.

Phase 1 — Detection and initial triage
- [ ] Identify affected systems through endpoint detection alerts, user reports, or network anomaly detection
- [ ] Determine ransomware variant using ransom note characteristics, file extension changes, and hash analysis against known databases (ID Ransomware, No More Ransom)
- [ ] Assess whether encryption is active or has completed
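The three Phase 1 items (affected systems, variant indicators such as extension changes and ransom notes, and whether encryption is still running) can be answered mechanically from file-modification telemetry, which also ties back to Stages 5 and 6 above. The following triage script is an added example, not code from this page or from any named vendor: the event layout, host and share names, the `.lockd` extension and the note file name are constructed, and the five-minute quiet window and minimum-count thresholds are assumptions, not published values.

```python
"""Triage of encryption activity over a constructed file-event export: which
extension is being appended, which process is doing it, where ransom notes
were dropped, and whether encryption is still in progress.

Added example, not code from the original page. Event layout, names and the
thresholds are constructed or assumed; real input would be EDR file telemetry
or a directory walk of an affected share."""
import ntpath
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Optional


class FileEvent(NamedTuple):
    time: datetime
    host: str
    process: str
    action: str      # "rename" or "create"
    path: str
    new_path: str    # empty unless action == "rename"


# Constructed events: timestamp|host|process|action|path|new_path (raw string keeps the UNC backslashes)
SAMPLE_EVENTS = r"""
2024-03-02T01:50:02Z|FS-01|update.exe|rename|\\FS-01\finance\q1\budget.xlsx|\\FS-01\finance\q1\budget.xlsx.lockd
2024-03-02T01:50:02Z|FS-01|update.exe|rename|\\FS-01\finance\q1\forecast.docx|\\FS-01\finance\q1\forecast.docx.lockd
2024-03-02T01:50:03Z|FS-01|update.exe|create|\\FS-01\finance\q1\HOW_TO_RESTORE.txt|
2024-03-02T01:50:03Z|FS-01|update.exe|rename|\\FS-01\finance\q2\invoices.pdf|\\FS-01\finance\q2\invoices.pdf.lockd
2024-03-02T01:50:04Z|FS-01|update.exe|create|\\FS-01\finance\q2\HOW_TO_RESTORE.txt|
2024-03-02T01:50:05Z|FS-01|update.exe|rename|\\FS-01\hr\reviews.xlsx|\\FS-01\hr\reviews.xlsx.lockd
2024-03-02T01:50:05Z|FS-01|update.exe|create|\\FS-01\hr\HOW_TO_RESTORE.txt|
2024-03-02T01:50:06Z|FS-01|update.exe|rename|\\FS-01\hr\policies.docx|\\FS-01\hr\policies.docx.lockd
2024-03-02T01:55:40Z|FS-01|explorer.exe|rename|\\FS-01\hr\draft.docx|\\FS-01\hr\draft_final.docx
2024-03-02T02:10:00Z|FS-01|backup_agent.exe|create|\\FS-01\it\backup-2024-03-02.log|
"""

NOTE_EXTENSIONS = {".txt", ".html", ".hta"}   # formats ransom notes are commonly dropped in


def parse_time(stamp: str) -> datetime:
    # fromisoformat accepts a trailing 'Z' only from Python 3.11; normalise for older releases.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_events(text: str) -> List[FileEvent]:
    events = []
    for line in text.strip().splitlines():
        stamp, host, process, action, path, new_path = line.split("|", 5)
        events.append(FileEvent(parse_time(stamp), host, process, action, path, new_path))
    return events


def ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def is_extension_change(e: FileEvent) -> bool:
    return e.action == "rename" and bool(e.new_path) and ext(e.path) != ext(e.new_path)


def candidate_extensions(events: List[FileEvent], min_files: int = 3) -> Dict[str, int]:
    """Extensions newly applied to at least min_files files; ordinary renames rarely cluster this way."""
    counts = Counter(ext(e.new_path) for e in events if is_extension_change(e))
    return {x: n for x, n in counts.items() if n >= min_files}


def suspect_processes(events: List[FileEvent]) -> List[str]:
    return sorted({e.process for e in events if is_extension_change(e)})


def ransom_note_candidates(events: List[FileEvent], min_dirs: int = 2) -> Dict[str, List[str]]:
    """Note-like files created under one name in several directories."""
    dirs = defaultdict(set)
    for e in events:
        if e.action == "create" and ext(e.path) in NOTE_EXTENSIONS:
            dirs[ntpath.basename(e.path)].add(ntpath.dirname(e.path))
    return {name: sorted(d) for name, d in dirs.items() if len(d) >= min_dirs}


def encryption_status(events: List[FileEvent], now: datetime, quiet_window=timedelta(minutes=5)) -> str:
    """'active' while extension changes fall inside the quiet window before now, else 'completed'."""
    last = max((e.time for e in events if is_extension_change(e)), default=None)
    if last is None:
        return "none observed"
    return "active" if now - last <= quiet_window else "completed"


def triage(text: str, now_iso: Optional[str] = None) -> dict:
    events = parse_events(text)
    now = parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    return {
        "extensions": candidate_extensions(events),
        "suspect_processes": suspect_processes(events),
        "ransom_notes": ransom_note_candidates(events),
        "status": encryption_status(events, now),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS, "2024-03-02T02:15:00Z").items():
        print(f"{key}: {value}")
```

The extension and note name it recovers are what an analyst submits to ID Ransomware or No More Ransom for variant identification; the process name feeds the containment step, and the status decides whether isolation is racing an encryptor that is still running.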

Phase 2 — Isolation and containment
- [ ] Disconnect affected systems from the network (wired and wireless) without powering off, to preserve forensic evidence in volatile memory
- [ ] Disable shared network drives and connected storage
- [ ] Block command-and-control (C2) communication at the firewall and DNS level
- [ ] Revoke compromised credentials identified through initial analysis

Phase 3 — Notification and legal engagement
- [ ] Report the incident to the FBI Internet Crime Complaint Center (ic3.gov) and CISA (cisa.gov/report)
- [ ] Assess HIPAA breach notification obligations under 45 CFR §164.400–414 if protected health information is involved
- [ ] Review OFAC sanctioned entity lists before any ransom payment consideration (ofac.treasury.gov)
- [ ] Engage legal counsel with experience in cyber incident notification obligations

Phase 4 — Investigation and scope determination
- [ ] Conduct forensic imaging of affected systems
- [ ] Identify initial access vector, lateral movement path, and exfiltration scope
- [ ] Determine whether backup systems were accessed or encrypted

Phase 5 — Eradication and recovery
- [ ] Rebuild affected systems from verified clean images, not from potentially compromised snapshots
- [ ] Restore data from offline or immutable backups after verifying backup integrity
- [ ] Validate decryption tool applicability through No More Ransom or law enforcement channels before deployment

Phase 6 — Post-incident review
- [ ] Document full attack timeline, detection gaps, and response decisions
- [ ] Align findings against NIST CSF 2.0 Identify, Protect, Detect, Respond, and Recover functions
- [ ] Update incident response plan to address identified gaps

The Cyber Safety Directory provides reference listings for forensic investigation, legal notification, and incident response service providers operating in this space.


Reference table or matrix

Ransomware variant comparison matrix

| Variant type | Primary impact | Data exfiltration | Decryption possible without key | Common sectors targeted | Regulatory breach trigger |
|---|---|---|---|---|---|
| Crypto-ransomware | File inaccessibility via encryption | Rarely (legacy variants) | No | All sectors | HIPAA, CIRCIA, state breach laws |
| Locker ransomware | OS/device lockout | No | Sometimes (password reset) | Consumer, SMB | Varies by data involved |
| Double-extortion | Encryption + data leak threat | Yes (pre-encryption) | | | |