DEV Community

How ransomware actually encrypts files (real-world explanation, not theory)

Ransomware is often described in a very simplified way: “it encrypts your files and demands payment.”
That explanation is correct, but completely useless if you want to understand what actually happens on a technical level.

In this article, I’ll break down how modern ransomware really works in practice — based on real attack patterns used by families like LockBit, BlackCat, and others.


1. Initial access – how ransomware gets into the system

Before encryption even starts, attackers need access. This usually happens in one of these ways:

🔹 Phishing

A user opens:

  • malicious email attachment (PDF, DOCX, ZIP)
  • fake login page
  • macro-enabled document

🔹 Exploiting vulnerabilities

Unpatched systems are often targeted:

  • exposed RDP
  • VPN vulnerabilities
  • Windows zero-days

🔹 Stolen credentials

Attackers log in directly using:

  • leaked passwords
  • credential stuffing
  • reused passwords

👉 Important: ransomware is rarely “random”. It’s usually a planned intrusion.


2. Payload execution – the ransomware is launched

Once inside, the attacker deploys the ransomware binary.

At this stage, it typically:

  • checks system environment (VM detection, sandbox evasion)
  • disables security tools (Defender, logs, recovery tools)
  • escalates privileges (admin rights)

Some variants even sleep for hours or days to avoid detection.


3. Reconnaissance – mapping the system

Before encryption, ransomware “explores”:

  • drives (C:, D:, network shares)
  • connected devices
  • file types (documents, databases, backups)

It builds a target list in memory.

👉 This is why network drives often get encrypted too.


4. Key generation – the most important part

Modern ransomware uses hybrid encryption:

Step 1: Fast symmetric encryption

Each file is encrypted with:

  • AES (most common)
  • ChaCha20 (in newer strains)

This is fast and used for bulk encryption.

Step 2: Public key encryption

The symmetric keys are then encrypted using:

  • RSA
  • ECC (Elliptic Curve Cryptography)

The attacker keeps the private key.

👉 This is why you cannot “reverse engineer” encryption easily.


5. File-by-file encryption process

Now the ransomware starts looping through files:

For each file:

  1. open file
  2. read content into memory
  3. encrypt with AES/ChaCha20
  4. overwrite original file or create new encrypted copy
  5. rename file (often adding extension like .lockbit, .enc)

It usually targets:

  • documents (.docx, .pdf)
  • databases (.sql, .db)
  • backups
  • archives (.zip, .rar)

It often avoids system-critical files to keep Windows running.


6. Deleting recovery options

To make recovery harder, ransomware often:

  • deletes shadow copies (vssadmin delete shadows)
  • disables recovery tools
  • removes backups if accessible
  • clears logs

This is why system restore often stops working.


7. Ransom note delivery

After encryption:

  • text file is dropped in every folder
  • desktop wallpaper is changed
  • instructions are shown

Usually includes:

  • Tor payment site
  • Bitcoin/Monero address
  • countdown timer

8. Data exfiltration (modern ransomware trend)

Many modern attacks are double extortion:

Before encryption, attackers also:

  • copy sensitive files
  • steal databases
  • exfiltrate credentials

Even if you restore backups, data can still be leaked.


9. Why recovery without key is nearly impossible

Because of hybrid encryption:

  • AES/ChaCha20 = fast encryption per file
  • RSA/ECC = protects AES keys

Without private key:
👉 brute force is computationally impossible


10. Real-world insight (important)

Ransomware is not “magic encryption malware”.

It is closer to:

a structured automated data destruction system combined with extortion logic

Modern groups operate like companies:

  • affiliates
  • infrastructure teams
  • negotiation portals
  • customer support (!)

Final thoughts

Understanding ransomware at this level shows something important:

👉 prevention is far easier than recovery

Because once encryption starts, the system is already compromised at multiple layers.

Top comments (0)