The Anatomy of a Ransomware Attack

We’ve all seen the headlines:

Major hospital system taken offline by ransomware attacks
Pipeline operations halted due to massive ransomware attack

The folks working at organizations impacted by ransomware quickly learn what ransomware looks like and exactly how fast their organization can be crippled by such attacks. Our team thought it’d be better to flip the script for a change - and help our readers, customers, and partners understand the anatomy of a ransomware attack, identify signs of an attack in progress, and what to do next.

Ransomware attacks are increasingly commonplace - you hear about organizations both large and small falling victim to these attacks. And while you hear about the impacts of the attacks on the news (yes, including the human costs of ransomware) the team at RipRap Security wanted to share what one of these attacks actually looks like from a victim’s perspective. In this article, RipRap Security’s CTO, Garrett Miller, deliberately infected a computer with ransomware so you can get a view on what a ransomware attack looks like. Let’s dive in.


In the screenshot below, you can see a Windows desktop with plenty of interesting files on it. It appears that while our would-be victim keeps their desktop fairly tidy, they are also keeping some very sensitive information on their computer - everything from passwords, to credit card numbers, to sensitive employee data.

Ransomware attacks, like many other types of malware attacks, start with an attacker searching for would-be victims. The attackers use a wide variety of tools to search for opportunities to introduce ransomware into an organization’s IT environment. Attackers are sneaky, clever, and sometimes downright diabolical and seek out opportunities that include (but are certainly not limited to):

  • Attempting to use factory-default credentials against devices in an effort to login and infect the device

  • Exploiting vulnerabilities on systems that do not have the latest software updates

  • Conducting phishing attacks designed to trick a user into clicking a malicious link or opening a malicious attachment

  • Submitting a job application that installs malware on a recruiter’s computer

  • Giving away free USB storage devices infected with malware

In our example, our unlucky employee received an invoice from a supplier. As you can see in the screenshot below, the employee downloaded this file to their desktop to check out the invoice and get it processed. Unfortunately, this staff member failed to notice the full file name of the file: “ImportantInvoice.pdf.exe”. Even though this file has the term “PDF” in it, the file is actually an executable, or program, that runs when the employee double-clicks on the file. Attackers often disguise their malware as legitimate attachments.
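The double-extension trick above is easy to check for mechanically, which is what a mail gateway or endpoint tool does on the organization's behalf. The following Python example is added here for illustration and is not code from RipRap Security; it generalizes the page's single “.pdf.exe” case to a small, assumed list of extensions that Windows executes on double-click and of document-style decoy extensions, and it also approximates what Windows Explorer shows when its default “hide extensions for known file types” setting is on (only the last extension is hidden, so the decoy “.pdf” stays visible and the name looks like a PDF).

```python
import os

# Extensions that Windows runs as a program when double-clicked.
# Assumption: a representative list for illustration, not an exhaustive one.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js",
                         ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".msi", ".hta"}

# Document-style extensions an attacker borrows to make the file look harmless.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                       ".txt", ".jpg", ".png", ".zip"}


def split_extensions(filename):
    """Return every extension in the name, lower-cased and in order.
    'ImportantInvoice.pdf.exe' -> ['.pdf', '.exe']; 'README' -> []."""
    base = os.path.basename(filename.strip())
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def as_displayed_by_explorer(filename, hide_known_extensions=True):
    """Approximate how Windows Explorer shows the name when 'Hide extensions
    for known file types' is on: only the final extension is stripped, so a
    borrowed '.pdf' in front of '.exe' remains visible and looks genuine."""
    if not hide_known_extensions:
        return filename
    root, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTENSIONS | DOCUMENT_EXTENSIONS:
        return root
    return filename


def classify_attachment(filename):
    """Return (verdict, reason) for an attachment name.

    'deceptive-executable': runs as a program but carries a document decoy
    'executable':           runs as a program, no decoy
    'data':                 opened by a viewer/editor rather than run
    'no-extension':         nothing to decide from
    """
    exts = split_extensions(filename)
    if not exts:
        return ("no-extension", "no extension; cannot tell what will open it")
    final = exts[-1]
    if final in EXECUTABLE_EXTENSIONS:
        decoys = [e for e in exts[:-1] if e in DOCUMENT_EXTENSIONS]
        if decoys:
            return ("deceptive-executable",
                    f"final extension {final} runs as a program, but the name "
                    f"imitates a {decoys[-1]} document; Explorer may show it as "
                    f"'{as_displayed_by_explorer(filename)}'")
        return ("executable", f"final extension {final} runs as a program")
    return ("data", f"final extension {final} is opened by a viewer, not run")


if __name__ == "__main__":
    # Constructed sample names, including the one from the article.
    for name in ["ImportantInvoice.pdf.exe", "Invoice-0421.pdf",
                 "setup.exe", "README", "photo.jpg.scr"]:
        verdict, reason = classify_attachment(name)
        print(f"{name:28} {verdict:22} {reason}")
```

A gateway would typically quarantine anything classified as `deceptive-executable` or `executable` rather than let the user decide; the point of `as_displayed_by_explorer` is to show why the user in the story never saw the “.exe”.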

After double-clicking on the so-called invoice, nothing seems to happen. Then suddenly, the desktop background changes from a boring, but pleasant blue background to a more sinister background.

Uh oh. This can’t be good. This is the point where our not-to-be-envied employee starts getting nervous. The employee searches for the “README” file mentioned on the desktop background and discovers it. After double-clicking, the employee sees this overwhelming message:

This file is the ransom letter. We’re deliberately not showing the Bitcoin address and the attacker’s contact information in the screenshot above but at this stage the ransom note asks our hapless employee to email a set of addresses to get more information on what it’ll cost to pay the ransom to unlock the sensitive files.

At this point our employee is sweating bullets and trying to figure out what to do next. They try to open one of the files on their desktop that should contain employee social security numbers but this is what they see instead:

The employee’s organization would be extremely lucky if only one employee’s computer became infected with ransomware. However, most ransomware attempts to infect other computers in the employee’s organization. The attacker’s goal is to maximize the spread of ransomware at the impacted organization in an effort to extract a greater ransom from it. With many systems encrypted by the ransomware, critical business data is inaccessible and the organization is dead in the water, with no ability to perform its work.

The Alternate (Security) Universe

Now that you’ve seen what ransomware looks like up-close, let’s talk about what our employee and their organization could have done differently.

Security Training & Awareness

If our unlucky employee had ongoing access to cyber security training, they might have noticed that the file name of the ransomware was not actually that of a PDF document but of an executable. And if the employee had undergone phishing simulation, they would have had the practice and exposure necessary to check that the purported invoice wasn’t from a legitimate vendor.

Data Backups

If the organization’s data was stored in a central location with proper data protection policies, the attacker may not have been able to access the sensitive data stored on the employee’s desktop. And if the organization had their critical data backed up to a third party location, the organization could have avoided paying the ransom to regain access to their data.

Security Architecture

An organization with a well-designed and implemented security architecture would have the tools necessary to do things like:

  • Stop the employee from downloading the malicious attachment

  • Prevent the ransomware from being run, even if the employee double-clicked on the file

  • Alert security experts to ransomware being run on a computer and the fact that it is spreading to other computers

  • Enable security experts to contain the spread of the ransomware to limit the impact of the attack

  • Empower the organization to understand the extent of the attack to enable a proper incident response and management process

  • Uncover the method used by the attackers to deploy ransomware

  • Allow the organization to get back to business as usual without having to pay the ransom
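The third bullet above, alerting on ransomware running and spreading, is the one that turns the story around fastest, and the two signals that matter are visible in the narrative itself: a ransom note being dropped and a single process rewriting many files in a short time. The Python example below is added here to show what such detection logic looks like over endpoint file events; it is not RipRap Security's code. The event format, the `.locked` extension, the host names and the threshold of 20 extension changes in 10 seconds are all constructed assumptions, and the note-name pattern is a rough heuristic rather than a signature for any particular ransomware family.

```python
import re
from collections import defaultdict, deque

# Constructed endpoint file events. action is "write" (file created/modified)
# or "rename" (path -> new_path). Timestamps are seconds from an arbitrary start.
SAMPLE_EVENTS = [
    {"ts": 0.0, "host": "WS-042", "proc": "WINWORD.EXE", "action": "write",
     "path": r"C:\Users\amy\Desktop\Q3 Report.docx"},
    {"ts": 0.5, "host": "WS-042", "proc": "explorer.exe", "action": "rename",
     "path": r"C:\Users\amy\Desktop\notes.txt",
     "new_path": r"C:\Users\amy\Desktop\notes.md"},
    # Ransom note dropped by the disguised "invoice" from the article.
    {"ts": 1.0, "host": "WS-042", "proc": "ImportantInvoice.pdf.exe", "action": "write",
     "path": r"C:\Users\amy\Desktop\README.txt"},
] + [
    # 25 files renamed with a new extension in 2.5 seconds (constructed ".locked").
    {"ts": 2.0 + i * 0.1, "host": "WS-042", "proc": "ImportantInvoice.pdf.exe",
     "action": "rename",
     "path": rf"C:\Users\amy\Desktop\Payroll\employees-{i:02}.xlsx",
     "new_path": rf"C:\Users\amy\Desktop\Payroll\employees-{i:02}.xlsx.locked"}
    for i in range(25)
]

# Heuristic for ransom-note file names (assumption, not a vendor signature).
RANSOM_NOTE_PATTERN = re.compile(
    r"(readme|how[_ -]?to[_ -]?(decrypt|restore)|decrypt|recover).*\.(txt|html?|hta)$",
    re.IGNORECASE)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _extension(path):
    name = _basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_ransomware(events, window_seconds=10.0, rename_threshold=20):
    """Return a list of alert dicts from a sequence of file events.

    Rule 1 (ransom-note-dropped): a process writes a file whose name matches
    RANSOM_NOTE_PATTERN.
    Rule 2 (mass-extension-change): one process on one host renames at least
    `rename_threshold` files to a different extension within a sliding window
    of `window_seconds`. Fires once per (host, process).
    """
    recent = defaultdict(deque)   # (host, proc) -> deque of timestamps
    fired = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["proc"])
        if ev["action"] == "write" and RANSOM_NOTE_PATTERN.search(_basename(ev["path"])):
            alerts.append({"rule": "ransom-note-dropped", "host": ev["host"],
                           "process": ev["proc"], "path": ev["path"]})
        elif ev["action"] == "rename":
            # Only count renames that change the extension; ordinary renames
            # (report-v1.docx -> report-v2.docx) keep it.
            if _extension(ev["path"]) == _extension(ev["new_path"]):
                continue
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window_seconds:
                q.popleft()
            if len(q) >= rename_threshold and key not in fired:
                fired.add(key)
                alerts.append({"rule": "mass-extension-change", "host": ev["host"],
                               "process": ev["proc"], "count": len(q),
                               "window_seconds": window_seconds})
    return alerts


def affected_hosts(alerts):
    """Hosts with at least one alert: the set a responder would isolate first."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    for alert in detect_ransomware(SAMPLE_EVENTS):
        print(alert)
    print("isolate:", affected_hosts(detect_ransomware(SAMPLE_EVENTS)))
```

The threshold and window are the knobs that trade false positives (a backup job or a bulk file conversion also renames many files) against time-to-detect; in practice the `mass-extension-change` rule would be paired with an automatic response such as killing the process and isolating the host, which is what the fourth bullet above describes.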

Sweating the Possibility of a Ransomware Attack?

Don’t! Our team of subject matter experts has helped many organizations evaluate their current cyber security capabilities and recommend improvements that protect against ransomware. Get in touch with us here for a free consultation on how we can support your efforts to protect against ransomware.