
The goal of a ransomware attack is to encrypt data on a victim’s network and make the network inaccessible until the victim pays a ransom. Once a network is locked down by ransomware, it becomes easy for the hackers to extort a victim multiple times. The attackers steal the encrypted data, which can lead to what is called a double extortion attack, where the attackers demand more money in exchange for not leaking the data. The data can also be encrypted twice, meaning attackers can demand a second ransom for the same data. Ransomware attacks are an extreme threat to SMBs, so let’s walk through the steps of an attack to show how hackers will attack a business!

Ransomware Coordination

Ransomware attacks begin with a planning phase, where the attackers either research a specific victim they intend to target or craft wide-reaching attack strategies, such as phishing campaigns or malvertising attacks. Wide-net attacks can begin from email lists bought off the dark web or the infection of popular sites with ransomware, but targeted attacks on a specific business will be handcrafted to trap important decision makers or high-value targets at the company. After an attack is successful, ransomware will search through files and run malicious code to establish a foothold in the network and disarm security solutions that could slow down or stop the attack.

Increasing Foothold

If the network under attack is large, malicious actors can spend weeks or months moving laterally through the network to infect as many company devices as possible. Command and control centers, data backups, and user accounts are searched for and infected to help ensure the ransomware cannot be easily remediated without paying the demanded price. For smaller networks, ransomware can infect every device on the network and establish a strong foothold that cannot be uprooted in just a matter of hours – depending on the strength of the company’s security posture. This process, for small and large networks, often goes entirely undetected until the threat group demands the ransom.

Exfiltration and Ransom Demands

After the ransomware has infected as much of the network as possible, the attack becomes immediately noticeable when the network becomes encrypted. Backups that could stop the attack are erased, local data is deleted or encrypted, and normal communication channels are locked down or linked to hacker-controlled resources. At this stage, the bad actors will exfiltrate the encrypted data to stage double or triple extortion attacks against the same business, and the ransom demand is made. The victim is provided with instructions on how to pay the ransom – typically with cryptocurrency – and then must decide whether to pay the ransom or remediate the threat, if possible.


Every industry is vulnerable to ransomware attacks, and because wide-net attacks are sent to a massive number of users, the ransomware itself will stage the entire attack without the hackers even knowing who you are. Knowing how a ransomware attack plays out is important to understanding which security solutions you need to defend your business against them, but every business has a unique IT environment that requires the right attention to properly protect. Robinett Consulting believes in providing custom solutions to every business we partner with, so if you need better protection against ransomware, our security specialists are ready to provide a complimentary consultation to see how we can help your security posture!


Author Robinett Consulting

At Robinett Consulting, we are your consultative partner who strives to grow your business and have technology truly enabling you. We aim to understand you and your business so that you do what you do best unhindered by your IT.
