How Ransomware Works

Ransomware attacks are a serious information security threat which can paralyse business operations and negatively impact an organisation. This article by DeltaNet International looks at how ransomware works, the various tactics used by cybercriminals and the ways to mitigate the risks.

How Ransomware Works

Compliance Knowledge Base | Cyber Security Training

Posted by: Shruti Desai Published: Mon, 28 Sep 2020 Last Reviewed: Mon, 28 Sep 2020
How Ransomware Works

As per the 2019 Verizon Data Breach Report, ransomware is the second most frequent malware attack. Any organisation that relies on data and business information, regardless of their size, is a potential target for a ransomware attack.

Ransomware is a type of malware attack that is designed to infect systems, encrypt user files and data and render them inaccessible. Cybercriminals demand a ransom – sometimes in the form of cryptocurrency – in exchange for restoring access to systems and data. The main target of a ransomware attack is data and every location data can be found - including the computer, server and the cloud.

To prevent ransomware attacks, it is also important to understand how ransomware attacks work and the different types of ransomware attacks that can affect organisations.

How Ransomware Attacks Work

Ransomware is a multistage attack spread across four key stages:


The first and most important stage where hackers deliver malware that will compromise business data and information through a ransomware attack.


Once the malware makes its way into the user's system, it quickly encrypts business data and files, rendering it inaccessible to users and disabling business operations.


When encryption is completed, the business is at the mercy of the cybercriminals. At this stage, there is usually a ransom demand, often in the form of cryptocurrency, in exchange for restoring access to data and files.


If a ransom is paid, a key is provided to decrypt the files. In many cases, this key never arrives even after the ransom is paid up. Whether a business chooses to pay up or not, there is a long road to recovery getting systems back up and running and restoring data.

How Ransomware Works

Types of Ransomware Attacks

Ransomware attacks target businesses in many ways with the main goal of encrypting business files and data and demanding a ransom in exchange for decrypting files and restoring access. It is achieved in the following ways:


It is estimated that 91% of successful data breaches start with a phishing attack. Hackers use phishing to trick users into opening suspicious-looking emails, clicking on malicious links to infect their computers with ransomware. Phishing scams work by making emails and websites look legitimate and trustworthy, convincing a user to take the required action. There are two main types of phishing attacks:

  • Malicious links - An email, an SMS or a social media post with a link to a malicious website. The malicious website is designed to look legitimate and requires the user to enter confidential details such as user credentials. These are then used by cybercriminals to target the user, enter their systems and encrypt files.
  • Attachments or downloads - Delivered through an email, a file containing malicious software which when downloaded to the system, quickly spreads to other systems in the network and infects the entire network with ransomware.

Vulnerabilities in Security

Some ransomware attacks target vulnerabilities in system or endpoint security and infect systems from the inside. These usually rely on out-of-date security or systems, for example, when system security is not kept up-to-date or important patch updates are not installed. The WannaCry ransomware attack in 2017 exploited a security loophole in the Microsoft Windows operating systems. Before a patch update was provided to close the security loopholes, it is estimated to have infected 200,000 computers globally.

Malicious Applications

Fraudulent applications downloaded to mobile devices without realising that they could contain ransomware which can disable access to the device files and data. Such apps don't infect the device by just downloading them. Such apps rely on permissions granted by the user to devices files with the risk that it could compromise important business information and data. Access to the device is disabled until a ransom is paid.

USB and Portable Storage Devices

Ransomware bundled onto USB and portable storage devices to target unsuspecting users who may not be aware that the storage devices are tampered with. Once the device is plugged into a user's system, it quickly infects their system and can spread further. It is important to not leave USB and portable storage devices unattended. Never use unauthorised storage devices without running it past your IT department.

Get in Touch

When you send us a message one of our friendly, knowledgeable eLearning experts will contact you as quickly as possible

* Required Field

Get in Touch

Get in Touch

+44 (0)1509 611 019

We'd love to talk to you about how we can help. Please leave your details below and a member of our team will get back to you.

* Required Field