Three Phases of a Ransomware Attack

When you’re looking for a way to defend your company against a threat, it helps to break the threat down into smaller parts. Where does it come from and how do we stop it? How does it spread and how do we stop that? If we can’t stop it, what do we do after the attack?

If we use this approach to break down a ransomware attack, we get three distinct phases:

  • Delivery – malicious content containing the ransomware attack method arrives
  • Infection – the payload detonates and/or the endpoint spreads the infection
  • Recovery – Restoring data to the state before the attack

Breaking the ransomware threat down into this structure allows us to more fully examine our exposure to the threat.


The first stage we’re looking at is delivery. This is the point in time when the ransomware or the ransomware-enablement enters the network. There are a couple of different considerations here: the nature of ransomware, and the multiple threat vectors it uses.

The nature of ransomware

Ransomware is a specific subset of Advanced Threats. This means that it is a sophisticated piece of malware, repackaged frequently to avoid detection. To defend against this smarter breed of malware, you need Advanced Threat Protection (ATP), ideally an ATP solution that can employ the intelligence gathered by the others. This makes processing faster and more scalable. ATP should be used across threat vectors, to be safe, you should assume that all threat vectors will be used in an attack.

The threat vectors

Here’s a breakdown of threat vectors:

Email Email is the #1 threat vector of all. Most malware deliveries are attempted through this vector.
Web Drive-by downloads, cross site scripting attacks, social media vulnerabilities, and infected ads can all deliver malware to an endpoint.
Network Attackers can deploy automated tools to scan networks and find openings that allow them to enter the network. Once inside, they may find a way to deploy additional malware on the network.
Application One of the most vulnerable and least understood vectors. Web applications like webmail, shopping sites, online forms, etc., are exposed to the public and are sometimes vulnerable to exploits.

Each of the above threat vectors is a point of attack for a ransomware criminal.


Next we look at the infection phase. This phase begins when the ransomware process is executed in the network, and it often uses a different method of attack than the delivery. For an example, take a look at the Airline Phishing Scam Barracuda uncovered in March covered in the March:

The first technique is impersonation. The attacker will either impersonate a travel agency or even an employee in HR or finance that is sending an airline ticket or e-ticket. The email will be constructed to appear inconspicuous to the untrained recipient.

After getting the employee to open the email, the second tool employed by the attacker is an advanced persistent threat embedded in an email attachment. … In this attack, the malware will be executed upon the opening of the document.

As you can see, impersonation is used to deliver the malware, and an advanced persistent threat in an email attachment is used to detonate the ransomware and encrypt the user’s files and distribute copies of itself searching for more victims.


The worst case scenario is a successful ransomware attack, which brings us to recovery. In this phase, you stop the ransomware attack, remove it from the network, check for any additional malware that may enable further infection, and test the endpoint antivirus. After you have cleaned and hardened the network, you use your backup to recover your files. Your network and endpoint protection has to be up to date and working properly, so that you’re not restoring any infected files.

Obviously this phase will be customized for your environment, and you may have more or less tasks to perform here. You may want to examine logs, interview employees, recommend new security solutions, compare before / after states, and evaluate your disaster recovery solution. Management and IT can work together to determine what is most appropriate during the post-infection phase.

If you remember only one thing from this post, remember this: this phase is about recovering from a ransomware attack, and not just recovering files. A successful ransomware attack causes downtime, user frustration, lost productivity, lost business, and more. If you are in this phase, the best you can hope for is that the ransomware is easy to clean and your backups are all current and intact. Relying on data backup as your only ransomware defense is a path to failure.

Latest posts by Ben Bartle (see all)

2 thoughts on “Three Phases of a Ransomware Attack”

  1. There are many people who do not really know how actually he ransomware attacks a system. in general, there are three main phases like Delivery that means the malicious content containing the ransomware attack method, then comes Infection, it spreads the infection and last comes the Recovery that means how we restore data to the state before the attack.

Comments are closed.

Scroll to Top