Friday, September 5th, 2025
What Is Ransomware and How It Really Works

Ransomware is no longer just a nuisance malware family. It’s a business model run by professionalized criminal groups, complete with supply chains, profit-sharing, and SLAs of their own. Understanding how ransomware actually operates, from first foothold to payout, is the difference between hoping backups will save you and building real resilience.
What Ransomware Is
Think of ransomware as digital kidnapping. An intruder breaks in, seizes your data and systems, and demands payment to give them back.
A decade ago the play was simple encryption and downtime. Today, most campaigns add data theft (exfiltration) and threaten to publish sensitive information even if you can restore from backups. That “double extortion” is what turns an outage into a regulatory, legal, and reputational event.
Who Gets Targeted in Ransomware Attacks
Attackers care less about your industry and more about two levers:
- Likelihood of payment (sensitive operations, costly downtime, compliance exposure).
- Cost to compromise (weak controls, poor visibility, exposed services, reused credentials).
Yes, retail and healthcare grab headlines because outages are visible and painful, but any organisation with valuable data and an internet connection is in scope. Criminals often pursue low-hanging fruit: smaller entities with patchwork defenses can be as profitable as a marquee brand when the path in is cheap.
How The Business of Ransomware Works
Two market forces make attacks faster and more scalable:
Initial Access Brokers (IABs)
Specialist crews that steal credentials or exploit edge systems, then sell working access (VPN logins, cloud tenants, RDP, e-mail) to the highest bidder.
Ransomware-as-a-Service (RaaS)
Platform operators build the encryptors, payment sites, and affiliate portals. Affiliates run intrusions and share profits with the platform. If one platform is taken down, affiliates switch to another the same day.
The result: taking one gang offline rarely dents the overall volume.
How Attackers Break In
Cybercriminals rely on a few well-known but highly effective techniques to gain initial access to target environments. The most common are phishing that exploits human error, unpatched public-facing applications that expose systems directly to the internet, and stolen credentials that let an attacker log in as a legitimate user and move inside the network.
Phishing & social engineering: still the #1 root cause. MFA helps, but push-fatigue prompts and adversary-in-the-middle phishing kits that proxy the real login page can capture the authenticated session cookie, so any MFA that isn't phishing-resistant can be bypassed.
Stolen credentials: info-stealer malware vacuums up browser-stored passwords and session cookies; leaked credentials circulate openly and on closed forums.
Exposed and unpatched services: public-facing apps, VPNs, SSO gateways, and file transfer tools with n-day vulnerabilities (publicly known bugs for which a vendor fix exists but has not yet been applied). True zero-days, where no patch exists yet, are rarer.
Misconfigurations: overly broad access, weak conditional access, stale service accounts.
Once in, the goal becomes staying quiet, learning your environment, and moving towards data that hurts to lose.
The Ransomware Attack Chain
A typical campaign unfolds in stages. Critically, the “boom” at the end is preceded by days or weeks of activity you can detect and stop.
1. Foothold & persistence
Use valid accounts, register OAuth apps, plant scheduled tasks or login scripts. Spin up remote admin tools your IT team already uses (e.g., commercial RMM, remote desktop), blending in with normal administration.
2. Reconnaissance
Enumerate AD/Entra ID, file shares, backup systems, cloud tenants, EDR coverage. Identify “crown jewels”: finance shares, identity providers, CI/CD, data lakes.
3. Privilege escalation & lateral movement
Dump credentials from LSASS memory; abuse Kerberos tickets (Kerberoasting, pass-the-ticket); reuse whatever is harvested against the next host.
4. Living off the land (LoL)
Built-in admin tools and scripts, not noisy malware. Pivot across endpoints and servers until domain-wide control is feasible.
5. Data collection & exfiltration
Package sensitive data and exfiltrate via “trusted” services—OneDrive, Dropbox, S3, paste sites, even social APIs—so outbound traffic looks ordinary.
6. Impact
Disable EDR/backups where possible, then encrypt at scale. Drop the note, point to a leak site, and start negotiations.
If you only look for the final encryptor, you’ll miss the many chances to catch an intruder earlier.
Why Retailers & Other Complex Environments Suffer
Large estates—POS, e-commerce, warehouses, suppliers, MSPs—mean many moving parts and more chances for a small gap to become a big breach. Any sector with intertwined third parties and legacy tech carries the same risk profile. Complexity is the enemy of secure defaults.
Early Breach Signals That Matter
You don’t need perfect visibility; you need to notice the anomaly:
- A legitimate admin account suddenly touching dozens of hosts in a day.
- New or unusual remote tools appearing on endpoints.
- High-volume data egress to storage services not typical for that system.
- OAuth consents to unfamiliar apps; suspicious conditional access changes.
- New domain admins, or dormant accounts reactivated at odd hours.
These are exactly the kinds of behaviors a SOC, SIEM, or XDR can flag—if you collect the right telemetry and have playbooks to triage it.
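The three signals below (one account fanning out across many hosts in a day, a consent grant to an unfamiliar OAuth app, and bulk egress to cloud storage well above a host's usual volume) are easy to express as detection logic once the telemetry is normalised. This is an added example written for this article, not code from the original page or from any vendor product. Every event, hostname, app name, domain, baseline and threshold in it is constructed for illustration; the `storage.example-cloud.net` domain and the scope names are placeholders you would replace with your own storage providers and your identity provider's scope vocabulary.

```python
"""Early-signal detections run over constructed audit events.

Added example for this article, not code from the original page. The events,
hostnames, app names, baselines and thresholds are all made up; a real
deployment would feed normalised SIEM/EDR/identity-provider records into the
same functions and tune the thresholds to its own estate.
"""
from collections import defaultdict
from datetime import datetime

# Tunables (constructed values; tune to your own environment).
FANOUT_HOSTS_PER_DAY = 10            # distinct hosts one account may log on to per day
APPROVED_APPS = {"Corporate Expense App"}
HIGH_RISK_SCOPES = {"Files.ReadWrite.All", "Mail.ReadWrite", "Directory.ReadWrite.All"}
CLOUD_STORAGE_DOMAINS = ("storage.example-cloud.net",)   # hypothetical storage service
EGRESS_BASELINE_BYTES = {"fs-01": 300_000_000, "ws-042": 200_000_000}  # usual daily bytes per host
EGRESS_DEFAULT_BASELINE = 100_000_000
EGRESS_MULTIPLIER = 10

# Constructed sample telemetry (not real data), already normalised to dicts.
EVENTS = [
    # A backup service account that normally logs on to one host touches twelve
    # file servers in forty minutes overnight: the lateral-movement signal.
    *[{"ts": f"2025-09-05T02:{3 * n:02d}:00", "type": "logon",
       "user": "svc-backup", "host": f"fs-{n + 1:02d}"} for n in range(12)],
    {"ts": "2025-09-05T09:15:00", "type": "logon", "user": "alice", "host": "ws-042"},
    {"ts": "2025-09-05T09:20:00", "type": "logon", "user": "alice", "host": "fs-01"},
    # One consent to an app nobody approved, asking for broad file access.
    {"ts": "2025-09-05T10:02:00", "type": "oauth_consent", "user": "bob",
     "app_name": "Mail Sync Helper", "scopes": ["Mail.Read", "Files.ReadWrite.All"]},
    {"ts": "2025-09-05T10:05:00", "type": "oauth_consent", "user": "carol",
     "app_name": "Corporate Expense App", "scopes": ["User.Read"]},
    # A file server that usually sends a few hundred MB a day to cloud storage
    # pushes ~42 GB to a storage domain overnight; a workstation stays normal.
    {"ts": "2025-09-05T03:00:00", "type": "egress", "host": "fs-01",
     "dest": "storage.example-cloud.net", "bytes": 42_000_000_000},
    {"ts": "2025-09-05T03:10:00", "type": "egress", "host": "ws-042",
     "dest": "storage.example-cloud.net", "bytes": 120_000_000},
]


def _day(ts: str) -> str:
    """Bucket an ISO-8601 timestamp by calendar day."""
    return datetime.fromisoformat(ts).date().isoformat()


def logon_fanout(events, threshold=FANOUT_HOSTS_PER_DAY):
    """One account authenticating to many distinct hosts within a single day."""
    hosts = defaultdict(set)                     # (user, day) -> {host, ...}
    for ev in events:
        if ev["type"] == "logon":
            hosts[(ev["user"], _day(ev["ts"]))].add(ev["host"])
    return [{"rule": "logon_fanout", "user": user, "day": day, "hosts": len(seen)}
            for (user, day), seen in hosts.items() if len(seen) >= threshold]


def unapproved_oauth_consents(events, approved=APPROVED_APPS, risky=HIGH_RISK_SCOPES):
    """Consent granted to an app outside the approved list; record any risky scopes."""
    alerts = []
    for ev in events:
        if ev["type"] != "oauth_consent" or ev["app_name"] in approved:
            continue
        alerts.append({"rule": "oauth_consent", "user": ev["user"], "app": ev["app_name"],
                       "risky_scopes": sorted(set(ev["scopes"]) & risky)})
    return alerts


def bulk_cloud_egress(events, baseline=EGRESS_BASELINE_BYTES, multiplier=EGRESS_MULTIPLIER):
    """Daily bytes to cloud-storage domains far above the host's usual volume."""
    totals = defaultdict(int)                    # (host, day) -> bytes
    for ev in events:
        if ev["type"] == "egress" and ev["dest"].endswith(CLOUD_STORAGE_DOMAINS):
            totals[(ev["host"], _day(ev["ts"]))] += ev["bytes"]
    alerts = []
    for (host, day), total in totals.items():
        usual = baseline.get(host, EGRESS_DEFAULT_BASELINE)
        if total > usual * multiplier:
            alerts.append({"rule": "bulk_egress", "host": host, "day": day,
                           "bytes": total, "baseline": usual})
    return alerts


def run_all(events):
    """Run every rule and return the combined alert list."""
    return logon_fanout(events) + unapproved_oauth_consents(events) + bulk_cloud_egress(events)


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

Against the constructed events this raises exactly three alerts (svc-backup fanning out to 12 hosts, bob's consent to "Mail Sync Helper" with Files.ReadWrite.All, and fs-01's 42 GB egress) and stays quiet on alice, carol and ws-042. The per-host baseline is the part that matters in practice: a fixed byte threshold either drowns you in alerts from hosts that legitimately sync to cloud storage or misses a quiet server that suddenly starts talking.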
How To Prevent Ransomware
There’s no silver bullet; resilience comes from layered, boring, consistently executed basics, plus a few high-impact upgrades.
Identity & access (highest ROI):
- Phishing-resistant MFA (FIDO2/WebAuthn security keys or device-bound passkeys) for admins and high-risk roles; avoid SMS/email fallback, since an account is only as strong as its weakest enrolled factor.
- Least privilege everywhere: limit global admin; time-bound elevation; split duties.
- Conditional access: device health, location, and risk-based policies to gate critical apps.
- Credential hygiene: stop browser-stored passwords; rotate secrets; block legacy auth.
Exposure & vulnerability management:
- Maintain a real asset inventory (on-prem, cloud, SaaS, identities).
- Patch internet-facing services fast; add virtual patching or WAF rules when you can’t.
- Continuously assess and prioritise—not every CVE is equal to your business.
Detection & response:
- Centralised logging (SIEM/XDR), tuned for behavior: lateral movement, mass encryption patterns, anomalous OAuth, suspicious data egress.
- EDR everywhere—including servers—and block unapproved remote admin tools.
- Network controls to throttle or block bulk exfiltration to cloud storage.
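The "mass encryption patterns" item above is the impact-stage counterpart to the early signals: a single process overwriting many documents with random-looking bytes and renaming them to an extension no legitimate tool produces. The following is an added example written for this article, not code from the original page or from any EDR product. The file events, process names, paths, extensions and thresholds are constructed; the entropy threshold and burst window are starting points, not tuned values, and the content-sampling this assumes is something you normally only get from honeyfile monitoring or a minifilter, not from ordinary EDR event logs.

```python
"""Impact-stage detection: spotting mass encryption from file telemetry.

Added example, not code from the original article. The file events, process
names, paths and thresholds are constructed for illustration; a real detector
would consume EDR or Sysmon-style file-write and rename events (with content
sampling from a minifilter or honeyfile monitor) instead of the list below.
"""
import math
import os
import random
from collections import defaultdict, deque

HIGH_ENTROPY_BITS = 7.0   # encrypted/compressed data nears 8 bits per byte; prose sits near 4-5
BURST_COUNT = 20          # suspicious file ops by one process ...
BURST_WINDOW_S = 60       # ... inside this many seconds trips the alert
DOC_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def is_suspicious(ev) -> bool:
    """A document overwritten with random-looking bytes, or renamed to a foreign extension."""
    if ev["op"] == "write":
        return _ext(ev["path"]) in DOC_EXTENSIONS and shannon_entropy(ev["data"]) >= HIGH_ENTROPY_BITS
    if ev["op"] == "rename":
        return _ext(ev["path"]) in DOC_EXTENSIONS and _ext(ev["new_path"]) not in DOC_EXTENSIONS
    return False


def detect_mass_encryption(events, burst=BURST_COUNT, window=BURST_WINDOW_S):
    """Sliding-window count of suspicious ops per process; one alert per process."""
    recent = defaultdict(deque)     # (process, pid) -> timestamps of suspicious ops
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_suspicious(ev):
            continue
        key = (ev["process"], ev["pid"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop ops that fell out of the window
            q.popleft()
        if len(q) >= burst and key not in alerted:
            alerted.add(key)
            alerts.append({"process": ev["process"], "pid": ev["pid"],
                           "ops_in_window": len(q), "first_seen": q[0], "last_seen": ev["ts"]})
    return alerts


def constructed_events():
    """Sample telemetry (constructed, not real): one benign save and one encryption run."""
    rng = random.Random(7)   # seeded so the high-entropy payloads are reproducible
    text = b"Q3 forecast: revenue up 4%, headcount flat, capex deferred. " * 40
    events = [
        # Word saves by writing prose to a temp file, then swapping it into place.
        {"ts": 0, "pid": 4120, "process": "WINWORD.EXE", "op": "write",
         "path": r"C:\Users\alice\Docs\~WRD0001.tmp", "data": text},
        {"ts": 1, "pid": 4120, "process": "WINWORD.EXE", "op": "rename",
         "path": r"C:\Users\alice\Docs\~WRD0001.tmp", "new_path": r"C:\Users\alice\Docs\forecast.docx"},
    ]
    # A process masquerading under a system binary's name overwrites 25 spreadsheets
    # on a file share with random bytes and renames each to a ransom extension.
    for i in range(25):
        path = rf"\\fs-01\finance\invoice-{i:03d}.xlsx"
        events.append({"ts": 100 + i, "pid": 6688, "process": "svchost.exe", "op": "write",
                       "path": path, "data": rng.randbytes(2048)})
        events.append({"ts": 100 + i, "pid": 6688, "process": "svchost.exe", "op": "rename",
                       "path": path, "new_path": path + ".locked"})
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(constructed_events()):
        print(alert)
```

The benign save never trips either test (the temp file is not a document extension, and its content is low-entropy prose), while the encryption run raises one alert as soon as the twentieth suspicious operation lands inside the window, well before all 25 files are done. Two independent signals are deliberate: some encryptors encrypt in place without renaming, and some rename first and encrypt later, so neither the entropy check nor the extension check is sufficient alone. Sysmon and EDR agents rarely give you file contents, which is why honeyfiles placed on the shares attackers will hit are a practical way to get the write-content sample this logic needs.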
Backups & recovery:
- Immutable, isolated backups with routine restore tests; protect backup control planes.
- Map and practice minimum viable operations if core services are offline.
Proactive assurance:
- Regular penetration testing of apps, network, and cloud; fix what’s exploitable, not just what’s “critical” on paper.
- Red/blue/purple team exercises to validate detection and response in the real world.
- Tabletop exercises with IT, security, legal, comms, and execs—practice the hard calls before you must make them.
People & process:
- Ongoing security awareness that reflects current attacker tactics (MFA fatigue, consent phishing, deepfakes).
- Clear help-desk verification for password/MFA resets; extra checks for privileged roles.
- Vendor diligence: verify critical third parties actually test and monitor their security.
The Zero Trust Factor
Strip the jargon and Zero Trust boils down to a simple habit: don’t assume anything is safe—prove it each time. Verify user, device, and context for sensitive access; limit what any identity can touch; monitor continuously; and expect controls to fail occasionally. It’s not a product. It’s a posture.
Questions Every Leader Should Be Asking
- What are our crown jewels, and who can reach them today?
- Which internet-facing systems would stop the business if compromised, and how fast do we patch them?
- Do our admins use phishing-resistant MFA? Are there any SMS/email fallbacks?
- If someone starts exfiltrating to cloud storage, will we notice—within minutes?
- Have we restored from backups, for real, in the last quarter?
- When did we last run a tabletop? Who owns the first 60 minutes of a major incident?
If you can’t answer these confidently, start there.
How to Stop Ransomware
Cybersecurity isn’t just about advanced tools and EDR systems. Many organisations focus on software scans but overlook other assets such as routers, firewalls, CCTV, IoT devices, smartwatches and even employee email accounts hosted on third-party platforms. These overlooked assets create risk because they connect directly to your network or expose valuable data publicly.
Short term (weeks): tighten MFA (remove weak fallbacks), EDR coverage, SIEM detections for admin anomalies and mass encryption, help-desk reset policy, restore test.
Medium term (quarter): asset inventory, external attack surface reduction, prioritised patching, least-privilege admin model, tabletop exercises, targeted pen test.
Ongoing: monitor for leaked credentials, review third-party access, repeat purple-team drills, iterate detections based on what you learn.
Bottom Line
Ransomware thrives on complexity, credential reuse, and gaps between teams. The “ransom note moment” is the last step in a longer story that gives you multiple chances to detect and eject an adversary. If you reduce complexity, harden identity, watch for behavior—not just signatures—and practice your response, you can turn a potential catastrophe into a contained incident.