A careless click on an email attachment, an unpatched VPN gateway or a stolen password: often that is all it takes to set a ransomware attack in motion. A few days later, central systems stand still and a ransom demand appears on the screens. The German Federal Office for Information Security (BSI) has counted ransomware among the biggest cyber threats to companies and public authorities in Germany for years.
For IT decision-makers, the topic is relevant because it can hit any organization. Attackers rarely look for prominent names, they look for reachable weaknesses. Anyone who understands how an attack proceeds can plan and budget prevention, containment and recovery in a targeted way.
What is ransomware?
Ransomware is malicious software that encrypts data or complete systems and demands a ransom for decryption. The term derives from the English word ransom. After a successful attack, files, databases and applications are unusable, often including the backups reachable from the network. Windows and Linux systems are affected, as are virtualized environments. The perpetrators leave behind an extortion message with payment instructions, usually in cryptocurrency.
Behind the attacks stand groups organized by division of labor. In the ransomware as a service model, developers provide their tools to criminal partners and take a share of the proceeds. This lowers the barrier to entry for perpetrators and noticeably increases the number of attacks. The professionalization includes negotiation portals, leak sites for stolen data and staggered deadlines that raise the pressure on victims.
Modern campaigns additionally rely on data theft. Before encryption, the attackers copy sensitive information and threaten to publish it. This double extortion works even when a company can restore its systems from backups.
How such an attack works
A ransomware incident is the end of a longer attack chain. Between initial access and encryption, days to weeks often pass, during which the perpetrators move through the network unnoticed. The chain typically runs in seven phases, and each of them offers a chance to detect and interrupt the attack:
- Initial access: The attackers gain entry via phishing emails, stolen credentials, unpatched vulnerabilities in VPN or remote desktop services, or via compromised service providers.
- Establishing a foothold: They install backdoors and create additional accounts to keep access even after restarts or password changes.
- Spreading: From the first system, the perpetrators move laterally through the network (lateral movement), take over further servers and search specifically for domain controllers, databases and backup systems.
- Privilege escalation: Using captured administrator accounts, the attackers secure far-reaching permissions with which they disable security software and undermine protective mechanisms.
- Data exfiltration: Before encryption starts, many groups exfiltrate contract, customer and personnel data as additional leverage.
- Encryption: On command, the ransomware encrypts as many systems as possible at once, preferably at night or on the weekend, when response times are long.
- Extortion: Finally comes the ransom demand. In double extortion, the perpetrators additionally threaten to publish the stolen data, in part also with reports to customers, the press or supervisory authorities.
Why the topic matters
Ransomware affects all industries and company sizes. The consequences reach far beyond IT:
- Business standstill: encrypted servers mean standstill in production, logistics and administration, in the worst case for weeks.
- High follow-up costs: alongside a possible ransom, forensics, rebuilding, contractual penalties and lost revenue weigh in.
- Legal obligations: when personal data leaks, reporting obligations under GDPR apply, and for many companies requirements from NIS-2 are added.
- Reputational damage: published customer data and long outages strain the trust of customers and business partners.
- Supply chain risk: an attack on a service provider or supplier can hit your own organization directly.
- No guarantee through payment: even after a paid ransom, decryption and deletion of the stolen data remain uncertain.
Typical scenarios
The following cases stand as examples of patterns that response teams see again and again during incidents:
- Phishing in a mid-sized company: an accounting employee opens a supposed job application. The malware it contains downloads further tools, and three weeks later the ERP system and file server are encrypted.
- Unpatched VPN gateway: a known vulnerability in the remote access solution stays open for weeks. Attackers take over an administrator account and encrypt several sites simultaneously in a single night.
- Flat network: an infected workstation reaches servers, production control and backups without obstruction, because internal transitions remain uncontrolled. The damage hits the entire company instead of a single segment.
- Compromised remote maintenance access: through the account of an external service provider, the perpetrators reach the network and use its far-reaching permissions to spread.
Ransomware and other malware: the difference
Viruses, worms, trojans and spyware mostly work in secret. They steal computing power, credentials or trade secrets and stay undetected as long as possible. Ransomware pursues the opposite goal: at the end of the attack, it makes itself known aggressively, because the perpetrators want to force a payment.
Important for context: ransomware often forms the last step of an infection that begins with other malware. An inconspicuous loader opens the door, then remote control tools follow, and only at the end comes the encryption. Anyone who detects early stages and limits the spread prevents the actual damage. Wipers should also be distinguished: these malicious programs destroy data permanently, the goal being sabotage instead of extortion. For your security strategy this means: detection and containment must take effect long before the final encryption phase.
Protection with KAEMI
No company can reliably prevent an initial access. What matters, therefore, is stopping the spread and limiting the damage. For this, KAEMI combines Zero Trust microsegmentation based on Illumio, which contains the spread of ransomware in the network, with SASE/SSE and ZTNA for secure access from any location. As a managed service provider, we take on the planning, operation and monitoring of these protective layers and support hardening, contingency planning and the review of existing access rights. If you want to test the resilience of your environment, you can reach our team via the contact page .