Anatomy of a ransomware attack: how it actually happens, step by step
Forget the hoodie hacker furiously typing in the dark. A modern ransomware attack looks more like a small business hitting its targets: someone buys the access, someone else breaks in, and the encryption that freezes everything is the final act of an operation that had been running for days. Here's the real sequence, from the first stolen login to the ransom note.
When a company makes headlines for being "hit by a sophisticated ransomware attack," the word usually out of place is sophisticated. In most cases that show up in incident-response reports, the intruder walked through a door that was already unlocked: a VPN with no second factor, a password that leaked months earlier, a server missing the patch for a known flaw. The ransomware itself, the program that scrambles your files, is just the ending. The real attack is everything that comes before it. Knowing that anatomy is worth your time, because that's where you can actually stop the attack, almost never at the moment the screen turns red.
The business before the crime: RaaS and access brokers
The ransomware industry professionalized around a model called RaaS (Ransomware-as-a-Service). On one side sits the operator, who builds and maintains the malware, the payment portal, the leak site, and the negotiation team. On the other sits the affiliate, the partner who runs the break-in and fires the payload. They split the profit, like a franchise.¹
There's a third character: the Initial Access Broker (IAB). They break into networks and resell the access to whoever will deploy the ransomware. Listings even specify that a machine has no EDR or antivirus and comes bundled with a Domain Admin credential (the account that controls an entire Windows domain), because that raises the price.¹ In some cases the whole path from initial access to a completed ransom, including the handoff from broker to affiliate, takes less than an hour.¹
This arrangement also explains why taking down a single gang accomplishes little. After Operation Cronos, which dismantled LockBit's infrastructure in 2024, and the collapse of ALPHV/BlackCat, the affiliates simply scattered to platforms like RansomHub, Qilin, Akira, and DragonForce.² Pull the operator out and the partner network stays standing.
How they get in: credentials and CVEs, rarely "hacking"
The entry vector is less cinematic than people assume. In Verizon's 2025 DBIR, the annual report that dissected thousands of real breaches, the most common paths to initial access were credential abuse (22%), vulnerability exploitation (20%), and phishing (16%).³ The number that stands out: among ransomware victims, 54% had credentials already exposed in infostealer logs before the attack even started.³ An infostealer is malware that grabs passwords saved in the browser; the leaked login ends up for sale, and the "attack" begins with the criminal simply logging in.
Mandiant, which investigates incidents for Google Cloud, measured a similar split specifically for ransomware intrusions in 2024: exploit at 26%, prior compromise at 21%, and stolen credentials at 15%.⁴ CISA's public advisory on the Akira group illustrates the pattern: access mostly through a VPN with no MFA, exploiting known CVEs, plus exposed RDP and phishing. The associated campaign is reported to have hit more than 250 organizations and totaled around US$ 42 million in ransoms through April 2024.⁵
A note on method: some operational details in CISA advisories (the exact tool lists, each group's encryption algorithm) couldn't be confirmed from the original document during this reporting, so they're left out here. What's above comes from the advisories as reproduced by reliable security sources.
Inside: days of recon, minutes of encryption
Once inside, the attack is human-operated: there's a live person at the keyboard. The intruder does recon, checks which security tools are running, identifies privileged users, and adapts when something fails.¹ That's why two attacks from the "same" group can look different. The typical sequence, mapped to the MITRE ATT&CK framework, goes roughly like this:
- Initial access: VPN without MFA, a CVE, RDP, phishing, or a purchased credential.
- Execution and persistence: legitimate built-in tools ("living off the land") mixed with custom malware, which makes detection harder.
- Credential theft and escalation: the goal is to reach Domain Admin.
- Discovery and lateral movement: they map the network and spread, typically over RDP and SMB.
- Defense evasion: they kill antivirus/EDR and delete the backups and shadow copies (Windows' automatic restore copies).
- Exfiltration: they copy the data before encrypting. This is double extortion: even if you restore everything, they threaten to leak.
- Impact: they trigger the encryption, almost always in the small hours.
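The defense-evasion step in the list above is where a defender still has a window, because deleting shadow copies and backup catalogs leaves process-creation telemetry before anything is encrypted. The following is an added example written for this article, not code from any of the cited sources: it runs a few constructed Windows process-creation log lines (Sysmon Event ID 1 / Security 4688 style, not real telemetry) through rules for the well-documented recovery-inhibition commands (MITRE ATT&CK T1490) and notes whether each hit fell outside an assumed 08:00 to 17:59 business window. The field layout, the host and user names, and the business-hours range are all assumptions for the example.

```python
"""Flag process launches matching the backup/shadow-copy destruction step
(MITRE ATT&CK T1490, Inhibit System Recovery) and mark off-hours activity.

Added example for this article, not code from any cited source. The log
lines are constructed to look like Windows process-creation events and are
not real telemetry."""
import re
from datetime import datetime

# Constructed sample telemetry: timestamp | host | user | command line
SAMPLE_EVENTS = [
    "2025-03-14T10:12:03 | WS-044 | CORP\\jdoe | C:\\Windows\\System32\\notepad.exe report.txt",
    "2025-03-15T02:41:17 | FS-01 | CORP\\svc_backup | vssadmin.exe delete shadows /all /quiet",
    "2025-03-15T02:41:19 | FS-01 | CORP\\svc_backup | wbadmin.exe delete catalog -quiet",
    "2025-03-15T02:41:22 | FS-01 | CORP\\svc_backup | bcdedit.exe /set {default} recoveryenabled No",
    "2025-03-15T09:05:00 | WS-012 | CORP\\asmith | powershell.exe Get-ChildItem C:\\Users",
]

# Each rule: a name and a case-insensitive pattern over the command line.
RULES = [
    ("shadow copy deletion (vssadmin)", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow copy deletion (wmic)", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup catalog deletion (wbadmin)", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery disabled (bcdedit)", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
]

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time; an assumption for this example


def parse_event(line):
    """Split one constructed log line into its four fields."""
    ts, host, user, cmd = [part.strip() for part in line.split("|", 3)]
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def classify(event):
    """Return the names of all rules the event's command line matches."""
    return [name for name, pat in RULES if pat.search(event["cmd"])]


def off_hours(when):
    """True when the timestamp falls outside the assumed business window."""
    return when.hour not in BUSINESS_HOURS


def scan(lines):
    """Return one alert dict per matching event, in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hits = classify(ev)
        if hits:
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "time": ev["time"].isoformat(),
                "rules": hits,
                "off_hours": off_hours(ev["time"]),
            })
    return alerts


def hosts_with_recovery_inhibited(lines, min_rules=2):
    """Hosts where at least `min_rules` distinct T1490 rules fired.

    A single command is sometimes legitimate admin work; several distinct
    recovery-inhibition commands on one host in quick succession is the
    pattern worth paging on."""
    seen = {}
    for alert in scan(lines):
        seen.setdefault(alert["host"], set()).update(alert["rules"])
    return sorted(host for host, rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
    print("hosts with recovery inhibited:", hosts_with_recovery_inhibited(SAMPLE_EVENTS))
```

Run against the constructed sample, the three FS-01 events fire three different rules at 02:41, so the host-level aggregation reports FS-01 while the two daytime workstation events stay quiet. In a real SOC the same logic would sit in a SIEM or Sigma rule, and the off-hours flag would add weight to the alert rather than gate it.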
How long does this take? The global median dwell time (how long the intruder stays in the network undetected) was 11 days in 2024, per Mandiant. When it's the attacker who notifies the victim, as is the norm with ransomware, the ransom note itself reveals the intrusion and the median drops to 5 days.⁶ And it's shrinking. 2023 industry data already put ransomware deployment at under 24 hours in roughly two-thirds of cases, and under 5 hours in more than 10%, with 81% of payloads launched outside business hours.⁷ That "we'd have caught it in time" assumption doesn't hold up against the numbers.
On the encryption itself: it's fast because it's hybrid. The malware generates an AES key (symmetric, fast) per file to scramble the contents, then locks each of those AES keys with the attacker's public RSA key, which only they can open.⁸ That's why encrypting terabytes takes minutes, not hours, and why "finding the password" gets you nowhere: without the private RSA key, which the criminal holds, there's no way back. Modern variants use intermittent encryption (scrambling only chunks of each file) to go faster still and dodge detection.⁸
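The intermittent-encryption point above has a direct consequence for detection: a file that is only partly scrambled does not look like ciphertext when you measure it as a whole. The following is an added example written for this article, not code from any of the cited sources; it uses no cipher at all, and instead simulates an "encrypted" chunk with random bytes, which is what well-encrypted data looks like to an entropy measure. It builds a constructed low-entropy document, scrambles every fourth 4 KiB chunk, and compares a whole-file entropy check with a per-chunk check. The chunk size, the 7.5 bits/byte threshold, and the every-fourth-chunk pattern are assumptions for the example.

```python
"""Why intermittent encryption defeats a naive whole-file entropy check,
and what a chunk-level check sees instead.

Added example for this article, not from any cited source. No cipher is
used: 'encrypted' chunks are simulated with os.urandom bytes."""
import math
import os
from collections import Counter

CHUNK = 4096          # assumed window size for the per-chunk check
HIGH_ENTROPY = 7.5    # bits/byte; ordinary documents sit well below this


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def make_plaintext(size):
    """Constructed document-like content: repetitive, low-entropy English text."""
    line = b"Quarterly report: revenue stable, costs flat, headcount unchanged.\n"
    return (line * (size // len(line) + 1))[:size]


def simulate_intermittent(data, every=4):
    """Replace every `every`-th CHUNK with random bytes, mimicking a locker that
    scrambles only part of each file. Simulation only; nothing is encrypted."""
    out = bytearray(data)
    for start in range(0, len(out), CHUNK * every):
        end = min(start + CHUNK, len(out))
        out[start:end] = os.urandom(end - start)
    return bytes(out)


def whole_file_flag(data):
    """Naive check: does the entire file look like ciphertext?"""
    return shannon_entropy(data) >= HIGH_ENTROPY


def chunk_flag(data):
    """Chunk-level check: does any CHUNK-sized window look like ciphertext?"""
    return any(
        shannon_entropy(data[i:i + CHUNK]) >= HIGH_ENTROPY
        for i in range(0, len(data), CHUNK)
    )


def compare(size=64 * 1024):
    """Return (whole_file_flag, chunk_flag) for a clean and a partly scrambled file."""
    plain = make_plaintext(size)
    partial = simulate_intermittent(plain)
    return {
        "plain": (whole_file_flag(plain), chunk_flag(plain)),
        "intermittent": (whole_file_flag(partial), chunk_flag(partial)),
    }


if __name__ == "__main__":
    for name, (whole, chunk) in compare().items():
        print(f"{name:12s} whole-file flag={whole}  chunk flag={chunk}")
```

With a quarter of the file scrambled, the whole-file entropy lands around 6 bits/byte, under the threshold, so the naive check stays silent; the per-chunk check fires because each scrambled 4 KiB window is close to 8 bits/byte. Tools that watch for mass file modification with high-entropy writes need to measure at the write granularity, not the file granularity, which is the reason intermittent encryption was adopted in the first place.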
Pay or not: the deciding role of backups
The payment rate has collapsed. Coveware, which negotiates incidents, recorded 25% of victims paying in Q4 2024, an all-time low at the time, falling to 23% in Q3 2025.⁹ For comparison: it was 85% in early 2019.⁹ In Q4 2024 the average ransom was US$ 553,959 and the median was US$ 110,890.¹⁰ Victims of pure exfiltration, with no encryption, still paid in 41% of cases: data extortion has become the more effective lever.¹⁰
The factor that most changes the game is the backup. Per Sophos, victims with compromised backups faced a median demand of roughly US$ 2.3 million versus US$ 1 million with intact backups, and were nearly twice as likely to pay (67% versus 36%).¹¹ That's exactly why attackers hunt the backup before encrypting. And paying guarantees nothing: FBI guidance notes that some victims never received a decryptor and that some who paid were hit again.¹² Acta Verum reports here; it doesn't advise. The decision to pay is a legal and business call, not an editorial one.
What the community is saying
Among IT and security pros (r/sysadmin, r/cybersecurity, r/msp), the tone is fatalistic and annoyed, not panicked. The line that captures the mood: it's not magic, it's basic hygiene that was missing. Ransomware gets treated as an industrialized commodity, and the bigger frustration is that most cases were preventable, with MFA, patching, and network segmentation.
Where there's consensus: the fault almost always sits in the fundamentals, and the immutable, tested backup is the unglamorous hero nobody praises until the day it's the only reason you're not negotiating bitcoin at 3 a.m. Where the community splits is on pay or don't pay. One side says never, it funds crime and marks you as a payer. The other, more pragmatic and usually from people who've lived through an incident, points out it's easy to say when it isn't your payroll frozen. A recurring sentiment on r/sysadmin sums up the irritation: stop calling it a sophisticated attack, they got in through an MFA-less VPN with a password from an infostealer dump; the sophisticated part was the gang's marketing, not the break-in. (These are paraphrases of consensus sentiment, not verbatim quotes; Acta Verum's crawler can't reach individual Reddit threads.)
Verdict
The lesson of the anatomy is practical: ransomware is the symptom, not the disease. The disease is zero visibility, days of an intruder rummaging through Active Directory and deleting backups with no one watching. If the first you hear of the incident is the ransom note, the failure wasn't the encryption, it was detection and the entry before it. The three points where the attack stalls all come before the payload: MFA on anything that grants remote access, patches for known CVEs, and a backup that's offline, immutable, and restore-tested. None of it is glamorous. That's exactly why it works.
Sources
- Ransomware as a service: understanding the cybercrime gig economy and how to protect yourself · Microsoft Security Blog · https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ · 2022-05-09
- Global law enforcement takes down ransomware group (LockBit / Operation Cronos) · Associated Press · https://www.aol.com/news/global-law-enforcement-takes-down-150840497.html · 2024
- 2025 Data Breach Investigations Report (DBIR) · Verizon Business · https://www.verizon.com/business/resources/reports/2025-dbir-data-breach-investigations-report.pdf · 2025
- M-Trends 2025 · Mandiant / Google Cloud · https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025 · 2025
- #StopRansomware: Akira Ransomware (AA24-109A) · CISA / FBI · https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a · 2024-04 (updated 2025-11)
- M-Trends 2025 (dwell time) · Mandiant / Google Cloud · https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025 · 2025
- Ransomware attacks register record speeds · The Register (Sophos/Secureworks data, 2023) · https://www.theregister.com/2023/10/10/ransomware_attacks_register_record_speeds/ · 2023-10-10
- Breaking Down Ransomware Encryption: Key Strategies, Algorithms and Implementation Trends · Morphisec · https://www.morphisec.com/blog/breaking-down-ransomware-encryption-key-strategies-algorithms-and-implementation-trends/ · 2024
- Q4 2024 report / Coveware Q3 2025 (payment rate) · Coveware · https://coveware.com/blog/2025/1/31/q4-report · 2025-01-31
- Coveware Q4 2024 report (ransom figures) · Coveware · https://coveware.com/blog/2025/1/31/q4-report · 2025-01-31
- State of Ransomware (compromised backups) · Sophos, via TechRadar · https://www.techradar.com/pro/security/ransomware-attackers-are-increasingly-targeting-backups-so-make-sure-yours-are-protected · 2024
- Ransomware Prevention and Response for CEOs · FBI · https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-ceos.pdf
— Newsroom, Acta Verum