Understanding the 4 Phases of a Ransomware Attack and How to Stay Safe

Barbara Ericson
7 Jun
4 min read

Definition of ransomware: Ransomware is a type of cyber threat in which attackers take a victim's data or critical infrastructure hostage and demand a monetary ransom. In recent years, ransomware attacks have become more prevalent and sophisticated, evolving into an underground economy. Cybercriminals are motivated by financial gain, as many victims opt to pay the ransom out of desperation to retrieve their data.

Phase 1: Initial Compromise

During this phase, the attacker gains unauthorized access to the victim's environment. Common entry points include phishing, pirated software, brute-force attacks, exploitation of vulnerabilities, and stolen credentials.

How to stay safe in this phase:
  • Regularly update software and promptly address vulnerabilities.
  • Implement multi-factor authentication and enhance password security.
  • Enforce user and device validation based on the Zero Trust model.
  • Provide comprehensive training to employees on recognizing phishing attempts.
  • Utilize threat intelligence to proactively prevent known threats and identify malicious actors.

Phase 2: Escalation

In this phase, the attacker consolidates their foothold by elevating privileges and moving laterally within the victim's environment, aiming to control more systems and expand their reach. Common methods include exploiting known vulnerabilities, deploying malware, and establishing persistence.

How to stay safe in this phase:
  • Enhance session security for administration portals.
  • Restrict account access to sensitive data using privileged access management.
  • Continuously monitor resources for any abnormal activity.
  • Deploy state-of-the-art tools to detect known threats.
  • Implement automation to isolate compromised resources.

Phase 3: Exfiltration

During this phase, the attacker either steals the victim's data or restricts access to critical systems, preparing for the ransom demand. Typical activity includes deploying malware to endpoints, using defense evasion techniques, and encrypting business-critical files.

How to stay safe in this phase:
  • Regularly perform thorough data backups.
  • Leverage cloud storage and utilize its robust versioning capabilities.
  • Review and manage user permissions to sensitive data.
  • Minimize broad read/write permissions for critical data.
  • Implement controlled folder access to designate protected folders.
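The mass encryption described in this phase, and the "continuously monitor resources for any abnormal activity" advice from Phase 2, can be turned into a concrete check. The following is an added illustration, not code from the original article: it scans constructed file-server audit events and alerts when a single account renames or writes many documents with an unexpected trailing extension (or a ransom-note-style filename) inside a short window. The event format, the threshold and the window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed sample of file-server audit events (not from any real system):
# "<ISO timestamp> <user> <action> <path>" where action is WRITE or RENAME.
SAMPLE_EVENTS = """\
2024-06-07T09:00:01 alice WRITE /shares/finance/q2-report.xlsx
2024-06-07T09:00:15 bob WRITE /shares/hr/policy.docx
2024-06-07T09:01:00 svc_backup RENAME /shares/finance/q2-report.xlsx.lockd
2024-06-07T09:01:01 svc_backup RENAME /shares/finance/budget.xlsx.lockd
2024-06-07T09:01:01 svc_backup RENAME /shares/finance/invoices.pdf.lockd
2024-06-07T09:01:02 svc_backup RENAME /shares/hr/policy.docx.lockd
2024-06-07T09:01:02 svc_backup RENAME /shares/hr/contracts.docx.lockd
2024-06-07T09:01:03 svc_backup WRITE /shares/hr/README_RESTORE.txt
2024-06-07T09:05:00 alice RENAME /shares/finance/q2-report-final.xlsx
"""

WINDOW = timedelta(seconds=60)   # assumed sliding window per user
THRESHOLD = 5                    # assumed: alert at this many hits in the window
KNOWN_DOC_EXTS = {".xlsx", ".docx", ".pdf", ".pptx", ".txt"}

def is_suspicious_path(path):
    """True when a document extension is buried under a foreign trailing
    extension (report.xlsx.lockd) or the name looks like a ransom note."""
    root, ext = os.path.splitext(os.path.basename(path))
    if ext.lower() in KNOWN_DOC_EXTS:
        return "restore" in root.lower() or "decrypt" in root.lower()
    inner_ext = os.path.splitext(root)[1].lower()
    return inner_ext in KNOWN_DOC_EXTS

def detect_mass_encryption(events_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: timestamp of first alert} for users whose suspicious
    WRITE/RENAME events reach `threshold` within `window`."""
    recent = defaultdict(deque)   # per-user timestamps of suspicious events
    alerts = {}
    for line in events_text.splitlines():
        ts_s, user, action, path = line.split(maxsplit=3)
        if action not in ("WRITE", "RENAME") or not is_suspicious_path(path):
            continue
        ts = datetime.fromisoformat(ts_s)
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ts_s
    return alerts
```

Run against the sample, only `svc_backup` is flagged; the normal document edits by `alice` and `bob` stay below the threshold. In production the same logic would be fed by file-audit or EDR telemetry and wired to the automated isolation mentioned under Phase 2.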

Phase 4: Ransom

In the final phase, the attacker contacts the victim, states the ransom demand, and acts on the victim's response. Contact is often made through messaging software, with payment typically requested in cryptocurrency to hinder tracking and tracing.

How to stay safe in this phase:
  • Maintain a comprehensive disaster backup and recovery plan, ensuring the protection of backups.
  • Keep in mind that paying the ransom does not guarantee the return or decryption of data. On average, organizations that paid the ransom recovered only 65% of their data, and 29% received less than half.
  • Conduct a thorough cleanup and removal of all attacker persistence to prevent future attacks.

Let's work together to safeguard against ransomware!

Barbara Ericson
A longtime open source contributor, with extensive experience in DevOps principles and practices. Barbara is especially interested in helping IT businesses and organizations implement DevOps, cloud-native technologies, and open source.