What is a Ransomware Attack and How Do They Work?

5 min
Cybernetic Search

By Cybernetic Search

Globally, more than 72% of businesses experienced a ransomware attack, and in 2022, over 493 million ransomware attacks were reported by organisations worldwide. Additionally, by 2031, the threat of ransomware is forecasted to cost victims roughly $265 billion.  These types of cyber-attacks can cause significant harm to any company that utilises some form of tech, delivering severe financial and reputational damages that can force companies to shut down. 

With these alarming statistics looming over the cyber security space, we wanted to ensure as many businesses as possible understand what a ransomware attack is, how it works and the different types of ransomware that can threaten your organisation. 

In this guide, we’ll explore the following:

  • What is a ransomware attack?
  • How does ransomware work?
  • What are the different types of ransomware cyber-attacks?

What is a ransomware attack?

A ransomware cyber-attack is a formidable threat to cyber security. It consists of a hacker using malicious software to infiltrate systems or files, seize control and subject the victim's data to encryption. The intent behind a ransomware attack is to extort a payment from the victim in exchange for a decryption key that would grant the victim access to the systems or files the hacker had gained unauthorised access to.

Perpetrators behind these cyber-attacks typically set a deadline for the demanded ransom, and failure to comply can result in irreversible loss or public exposure of the compromised data. If this happened to your business, it could result in financial or reputational damages that could result in legal action or even the possibility of the closure of your organisation.

What sets ransomware apart from other malware and cyber threats is its method of engagement with victims. Unlike silent infiltrations, ransomware ensures that victims are made aware of the attack. The hacker will typically communicate their demands, often accompanied by explicit instructions on how the victim can pay the ransom and recover the encrypted data. 

Now you have an answer to the question of 'what is a ransomware attack?', let's highlight another important question: 'how does ransomware work?'

How does ransomware work?

We’ve established that ransomware is malicious software whereby hackers encrypt a victim’s data, holding it at ‘ransom’ and only providing the decryption key once the victim has provided a form of payment or met the attacker's demands. Before we discuss the different types of ransomware attacks that can impact your business, it’s essential to understand how these cyber attacks work. 

A ransomware cyber-attack follows strategic solutions encompassing various phases. We’ve outlined the key stages below to answer the question of ‘how does ransomware work?’:

  • Ransomware is distributed: To initiate the ransomware lifecycle, hackers will deploy various methods to distribute malware and gain access to a company’s data. 

The primary method attackers use to conduct a ransomware cyber-attack is through phishing emails, leveraging malicious attachments or embedded URLs. These deceptive emails, often camouflaged with social engineering tactics, prompt unsuspecting users to download attachments or click on links, triggering the initial infection process.

Other distribution methods also include exploiting software vulnerabilities, utilising Remote Desktop Protocol, credential theft, infecting removable devices, and compromising pirated software.

  • Command and Control: After successfully infecting a target device, the malware begins communicating with a command-and-control server (C&C server) externally located over the internet. 

The attacker controls C&C servers, which play a crucial role in sending encryption keys to the infected device. Additionally, the C&C server may download malware and network-probing software to facilitate the next phase of the ransomware attack. 

Hackers may also implement deliberate delays in communication with the C&C server to evade detection by malware prevention tools and other cyber security measures.

  • The discovery phase: This stage is not where the victim ‘discovers’ they have been exploited by ransomware. Instead, it’s the phase where the compromised device discreetly reaches out to other devices to target, initiating the dual process known as discovery and lateral movement. 

Discovery involves the hacker gathering information about the organisation's IT infrastructure, while lateral movement aims to infiltrate additional devices and elevate access privileges. This phase is where the malware is spread to other devices within the targeted business to enhance the effectiveness of extortion efforts in the subsequent stages. 

  • Encryption and data theft: Using the C&C server as a storage space, attackers will scan infected devices and upload the data they see value in. The perpetrator will conduct this phase discreetly, often deliberately taking weeks or months to carry out the malicious act of encryption and data theft to avoid being detected. 

Once the hacker steals the data, the ransomware encrypts it on the targeted devices using keys from the C&C server, removing the victim’s access to the device or data.

  • Extortion: The extortion phase will begin once the encryption of files and data through the malware has occurred. Here, victims will typically receive a message containing information about the infection, the ransom amount demanded, payment instructions, and a countdown timer or deadline.

    Cybercriminals may also utilise double-extortion ransomware tactics, threatening to publicly release the data they have taken from the business. They may even pursue triple-extortion scenarios involving additional elements like DDoS attacks or begin extorting customers and clients associated with the organisation.

By the time the cybercriminals have acted upon these phases, the company's business owner or IT department should have realised the attack had occurred. However, a ransomware attack sometimes goes unnoticed and spreads undetected for months. 

Regardless of when the attack happened, the affected business must act swiftly to isolate the infection. At this stage, it’s sensible to disconnect and shut down any affected devices before the infection continues to spread and cause further damage. 

It's important to note that paying the demanded ransom provides no guarantee of recovering all or any data or systems the hacker has infiltrated, and you may be targeted again in the future. Instead, you should report ransomware attacks to relevant authorities, such as the police.

What are the different types of ransomware cyber-attacks?

Similar to the various stages of a ransomware attack, there are also different types of ransomware cyber-attacks. Diverse strategies are employed to exploit vulnerabilities and extort victims, including crypto-ransomware, doxware, locker ransomware, ransomware-as-a-service (RaaS) and scareware. In this section, we’ll highlight each of these approaches to ransomware that cybercriminals will use to exploit your business. 


Regarding the different types of ransomware cyber-attacks, crypto-ransomware stands as the most prevalent and widespread. In these incidents, the attacker encrypts the victim's data, rendering it inaccessible without a decryption key. Typically, victims can still interact with their systems but cannot utilise the encrypted data.

Crypto-ransomware attacks are commonly spread through malicious emails, deceptive downloads and compromised websites. Some newer variants of this type of attack extend their reach to shared, networked, and cloud drives. Regarding this type of cyber-attack, victims are typically urged to pay a ransom in exchange for the decryption key. If they fail to comply with the demands within a specified deadline, the perpetrator may permanently delete the encrypted data.


Otherwise referred to as extortionate or leakware, doxware is another of the major types of ransomware you should know about. Doxware takes a different approach than other types of ransomware by threatening to release sensitive information on public domains rather than destroying it. 

This type of ransomware involves an attacker leveraging the fear of the victim’s private information becoming public, driving people and organisations to pay the ransom to prevent the data from being exposed. Doxware is particularly targeted at organisations, such as financial institutions, that handle confidential or sensitive data of businesses or individuals.

Locker ransomware

Locker ransomware is next on our list of the different types of ransomware cyber-attacks. With this type of ransomware, a perpetrator will lock users out of their systems, limiting access to a screen displaying the ransom demand. Unlike crypto-ransomware, locker ransomware focuses on restricting access rather than encrypting data.

These attacks often employ social engineering tactics and compromised credentials to infiltrate systems. Here, a victim’s device may display a pop-up or a screen displaying a notification that reads a message such as, “We’ve detected a virus on your device. Click here to fix the issue”. 

When the user clicks on the notification, they are blocked from accessing their systems until a ransom is paid. Often, a timer with a countdown or deadline is displayed on the user's lock screen, urging them to make the payment.

Ransomware-as-a-service (RaaS)

Ransomware-as-a-service (RaaS) represents a business model where cybercriminals adopt a similar approach to software-as-a-service (SaaS) to conduct ransomware attacks. RaaS operates as an affiliate network, enabling like-minded hackers with limited technical expertise to pay a subscription to launch ransomware attacks as and when they choose. Wannabe cybercriminals typically gain access to the ransomware strains via the dark web.

The anonymous affiliate subsequently earns a percentage of the ransom payment for hosting the service. Ultimately, by removing the requirement for extensive coding knowledge, the RaaS model has contributed to the surge in ransomware attacks. 


Scareware is another type of ransomware cyber attack you should know about. This type of approach relies on psychological tactics to trick, or as the name implies, ‘scare’ users into downloading malware by displaying alarming messages.

Attackers use prompts that appear official and urgent, such as pop-ups or threatening messages, similar to how we described the example message in our point on locker ransomware. These messages, such as “Your device has been compromised by an attacker. Click here to regain access to your device”, creates a sense of urgency that prompts users to take immediate action.

Scareware will often falsely claim a user's device is infected with a virus, pushing users to pay a fee or purchase software to resolve the non-existent issue. Some variants lock the computer, while others flood the screen with pop-up alerts without causing actual damage to files - similar to that of locker ransomware. 

Understanding these distinct types of ransomware can empower individuals and organisations to fortify their defences against evolving cyber threats. Now that you have the knowledge of what ransomware is, how it works, and its varying types, you’re probably wondering how to prevent ransomware attacks from causing reputational and financial harm to your business. 

In that case, we urge you to read our guide on How to prevent cyber attacks from impacting your business. Here, we delve into the common cyber security methods for preventing cyber attacks before giving you valuable advice on how to implement cyber security into your business. The information within this other guide can be used in instances where a ransomware cyber-attack poses a threat to your organisation.

The final word on ransomware cyber-attacks

Overall, it’s clear that ransomware cyber-attacks pose significant threats in the world of cyber security, leveraging malicious software to encrypt and control a victim's data with the aim of extorting payment for its release. We’ve outlined how a ransomware attack unfolds through strategic phases, including distribution, command and control, discovery, encryption, and extortion, with each playing a crucial role in the attacker's pursuit of financial gain or the exposure of sensitive information.

Notably, ransomware distinguishes itself by openly engaging with victims, making them aware of the attack and its consequences. Various types of ransomware, such as crypto-ransomware, doxware, locker ransomware, ransomware-as-a-service (RaaS), and scareware, employ diverse tactics to exploit vulnerabilities and coerce victims into compliance.

Understanding these distinct types of ransomware empowers individuals and organisations to fortify their defences against evolving cyber threats. Proactive defence measures and awareness are key to safeguarding against the potentially devastating consequences of a ransomware attack on your organisation - consequences that could cost your business money, damage your reputation and, as a worst-case but very real scenario, potentially see your organisation close down.

Therefore, knowing how to prevent ransomware attacks and other cyber threats remains paramount, so we encourage readers to scroll up and explore our guide on how to prevent cyber attacks from impacting your business. 

You can also learn more from our insights on cyber security by reading our guide: Why is cyber security important for your business?

Get in touch with a cyber security recruiter today!

If you’re concerned about being vulnerable to the potential threats posed by a ransomware cyber-attack, you need to equip your business or IT team with the market’s top cyber security experts who can protect your company. Thankfully, this is something we can support with. Our experienced team of cyber security recruitment specialists can connect you with the top talent who can prevent ransomware attacks and other cyber threats from impacting your business. 

Get in touch with one of our cyber security recruitment experts today and see how we can find the people to help prevent ransomware attacks from harming your brand.