Skip to Content

Life Cycle of a Ransomware Attack

As today’s cybercriminals grow more sophisticated, they have more forms of ransomware and more vectors through which to render attacks on organisations than ever before. Even as companies develop more effective countermeasures, criminals adjust tactics and tooling to circumvent their efforts.

Although ransomware attacks can seem a bit mysterious, they usually follow the same basic structure. Once you understand how these attacks work, you can prepare a more comprehensive mitigation strategy that will boost your cyber resilience and hopefully negate or lessen the effects of an attack.

Here’s a closer look at the anatomy of a ransomware attack, including how the attacker gains access to and infects a system.

The Ultimate Guide to Ransomware Protection.

Download eBook

Infection and Distribution Vectors

Ransomware is a type of malware used to encrypt important computer files or sensitive data for ransom. Infections occur when ransomware malware is downloaded and installed on devices across an organisation’s network.

Ransomware can gain access to the target system in several ways. In 2023, technological advancements surged. Artificial intelligence and ransomware-as-a-service platforms have streamlined hackers' ability to execute ransomware attacks. Social engineering, state-sponsored, and insider attacks are on the rise, but poor system hygiene and phishing emails remain the most common attack vectors.

Phishing emails typically contain a link to a compromised website or an attachment with malware embedded in it. When the user clicks the link or attachment, the malware is downloaded and executed on the computer system.

Read up on five areas that create common vulnerabilities for ransomware.

Remote Desktop Protocol (RDP) is another common ransomware attack vector because it’s easy to use and can give an attacker high-level access if they’re able to access legitimate credentials. Threat actors can use a variety of techniques, including brute-force attacks, credential stuffing, or purchasing them on the dark web.

Compromised RDP access bought on the dark web can exploit an RDP connection simply by creating a script that scans for the default port. Hackers often have access to the same tools as security professionals and can scan the entire internet for an open port in less than a minute. 

Former hacker Hector “Sabu” Monsegur discusses the current cybersecurity landscape and challenges with Pure’s Andrew Miller in this on-demand webinar.


Once ransomware is installed on the target system, it lies in wait, silently collecting data and infecting as many systems as it can. It then steals and/or encrypts system files with the company’s most valuable and sensitive data. Ransomware can often destroy backups or steal data as part of the attack too so it’s important your backups are secure and immutable.

Now let’s take a closer look at a few types and variants of ransomware.

Crypto ransomware encrypts files, scrambling the contents and making them unreadable. A decryption key is necessary to restore the files to a readable format. Cybercriminals then issue ransom demands, promising to decrypt data or release the decryption key once demands are met.

Locker ransomware doesn’t encrypt files but completely locks the victim out of their system or device. Cybercriminals then demand a ransom to unlock the device. Generally speaking, it’s possible to recover from or avoid an attempted crypto attack if a good backup is available. However, a locker ransomware attack is harder and more expensive to recover from. Even with backed-up data, the device must be replaced entirely.

The basic objective of a ransomware attack is to extort money, but organisations can refuse to pay, especially when they have a good backup and recovery system in place. For this reason, attackers use double extortion, in which data is both encrypted and extracted. If the company refuses to pay, hackers threaten to leak the information online or sell it to the highest bidder.

And it gets worse. As devastating as double extortionate ransomware sounds, security experts are warning of a bigger threat: triple extortionate ransomware. Attackers demand money from affected third parties, in addition to extracting data and demanding ransom from the initial target.

Lastly, ransomware as a service (RaaS) uses the standard software-as-a-service (SaaS) model. It’s a subscription-based service that gives subscribers access to predeveloped ransomware tools to launch ransomware attacks. Subscribers are referred to as affiliates and earn a percentage of each ransom payment. 

Ransom Notes and Demands

Once ransomware has been successfully deployed to the target network, ransom demands are made. Hackers alert the victim that an attack has occurred and details the ransom required to reverse the attack. Ransom demands are displayed on computer screens or left in a note in the directory with the encrypted files.

Ransom requests typically contain details of the ransom amount, the required payment method, and the deadline for payment, as well as a promise to return access to the encrypted files once the ransom has been paid. If data exfiltration has occurred, the hacker may also agree not to expose additional data and show evidence that the data has been destroyed. Payment is usually requested in cryptocurrency (e.g., Bitcoin or Monero).

However, even if a ransom is paid, there’s no guarantee that the attacker will restore data or keep any promises. They may keep a copy of stolen data to use at a later date. Decryption keys may not fully work, leaving some data encrypted, or they may contain additional, undetected malware that the attacker can use in the future.

The Negotiation: To Pay or Not to Pay?

The decision to pay or not to pay a ransom demand can be complicated and depend on several factors:

  • How significant is the impact of the breach on business operations?
  • Will employees be out of work? How many, and for how long?
  • How big is the risk of data exposure?

For a closer look at the pros and cons of paying and not paying, read the blog post “Hit by Ransomware? What to Do Next.”

If your backup and recovery system hasn’t been affected by the ransomware, you may be able to avoid paying the ransom altogether (depending on the type of ransomware affecting you). But if paying the ransom is truly your only option, it’s a good idea to hire an experienced incident response team to assist with negotiations and facilitate payment. 

The Aftermath: Restore and Recovery

The average downtime after a ransomware attack is 24 days. If you pay the ransom, it might take several additional days to receive the decryption key and reverse the encryption.

Be aware that some ransomware variants identify and destroy backups on the compromised network. If backups have been destroyed or encrypted, the recovery process can become more complicated. But even if backups are usable, recovery could still be a lengthy process, depending on the type of backup and recovery system you have in place.

Whether you pay the ransom or attempt to recover data yourself, plan for the entire recovery process to take several days. Also plan for some degree of financial loss, whether it comes in the form of ransom payments, incident response costs, or lost revenue due to downtime.

See how the recovery process could vary between two hypothetical organisations with different recovery capabilities in the article “A Tale of Two Ransomware Attacks: Which Company Are You?

Be Ready to Respond to an Attack

A ransomware attack is a risk you can’t afford not to be prepared for. You may think you’re doing all the right things to stay secure, but relying on legacy backup architectures won’t protect you from modern attacks.

The best way to respond to an attack? Only modern solutions like Pure Storage® SafeMode™ Snapshots and FlashBlade//S™ with Rapid Restore, which delivers petabyte recovery performance at scale, can take your security strategy to the next level.

How Ready Are You for a Ransomware Attack?

Resources and Events

JUNE 3-5, 2024
Join Pure Storage at VeeamON 2024

At VeeamON 2024, we’ll show you why Pure Storage is the essential storage platform for Veeam data security and recovery. Visit us at Booth #P5.

Book a Meeting
JUNE 11-14, 2024
Join Pure Storage at Splunk .conf24

At Splunk .conf24, we’ll show you why Pure Storage is the superior storage platform for Splunk data management. Visit us at Booth #402.

Book a Meeting
Green Your Data Centre with Pure Storage
11 min.

Learn more about how sustainability is built into our philosophy and our products.

Watch the Video
Buyer's Guide
A Buyer's Guide to Modern Virtualisation
14 pages

Navigate VMware changes with a modern, scalable virtualisation strategy.

Get the Guide
Meet with an Expert

Let’s talk. Book a 1:1 meeting with one of our experts to discuss your specific needs.

Questions, Comments?

Have a question or comment about Pure products or certifications?  We’re here to help.

Schedule a Demo

Schedule a live demo and see for yourself how Pure can help transform your data into powerful outcomes. 

Call Sales: +44 8002088116


Pure Storage, Inc.

2555 Augustine Dr.

Santa Clara, CA 95054

800-379-7873 (general info)

Your Browser Is No Longer Supported!

Older browsers often represent security risks. In order to deliver the best possible experience when using our site, please update to any of these latest browsers.