Skip Navigation
BlackBerry Blog

Anatomy of a Ransomware Attack: 8 Stages of Operation [White Paper]

It’s a dark and rainy night. Thunder rumbles. Lightning flashes. An unexpected crime takes place. Intrigue and deception follow, with a mystery to solve.

When it comes to fiction, you might enjoy reading a good mystery to figure out “whodunnit.” Not so, when that crime is a ransomware attack with a digital note telling you that threat actors have compromised your organization’s network, encrypted all your files, and are demanding immediate payment to restore your operations.

The Cost of Ransomware: More Than Money

In 2021, the average cost of a ransomware attack hit $1.85 million – a 41% increase from the previous year. This includes the ransom, downtime, people time, device cost, network cost, lost opportunity, and more. But beyond the financial and reputational cost, there’s another impact few companies talk about: leadership turnover. Recent research reveals that 32% of the time, C-level employees depart the organization after a successful ransomware attack. To add insult to injury, 80% of targeted organizations are hit by a repeat attack.

These are the reasons SANS Institute’s Senior Instructor Jake Williams, and BlackBerry Principal Incident Response & Forensics Consultant Ryan Chapman, joined forces in a recent SANS webcast to explain the various stages of a ransomware operation, and steps organizations can take to lessen vulnerability. Their insights are also echoed in the free white paper Anatomy of a Ransomware Operation.

“Ransomware is no longer just an executable that drops onto a device and then does bad things on that device,” Chapman says in the webcast. “Rather, it is an overall operation, and it's carried out by humans with their hands on the keyboard.”

Threat actors are “doing things human-operated,” Chapman concludes. “You should too. If you don't have enough security-minded folks, then that's where managed detection and response comes in.”

Stages of a Ransomware Attack

In the webcast, Williams and Chapman list eight distinct stages in a typical ransomware attack:

  1. Initial access – how it's usually accomplished, and why detecting attacker backdoors is so difficult
  2. Command and control – and the keys to detection
  3. Local privilege escalation – and why it’s so easy for threat actors to carry out
  4. Lateral movement – and corresponding detection methods
  5. Domain privilege escalation – the top four tactics typically favored by attackers
  6. Data exfiltration – threat actors exfiltrate data prior to encryption
  7. Searching for your backups – and the lengths malicious actors will go to in order to find them
  8. Deployment of the ransomware – and the most common tools attackers use

View the webcast, or read the free white paper for more details on each attack stage, and to understand opportunities to disrupt a ransomware attack as it occurs in your environment. You can also stay up to date on ransomware attack protection and prevention by visiting blackberry.com/ransomware.

BlackBerry Assistance

The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure. For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form.

David Steinberg-Zwirek

About David Steinberg-Zwirek

David Steinberg-Zwirek is an Editorial Intern at BlackBerry.