Ransomware is often described in a very simplified way: “it encrypts your files and demands payment.”
That explanation is correct, but completely useless if you want to understand what actually happens on a technical level.
In this article, I’ll break down how modern ransomware really works in practice — based on real attack patterns used by families like LockBit, BlackCat, and others.
1. Initial access – how ransomware gets into the system
Before encryption even starts, attackers need access. This usually happens in one of these ways:
🔹 Phishing
A user opens:
- malicious email attachment (PDF, DOCX, ZIP)
- fake login page
- macro-enabled document
🔹 Exploiting vulnerabilities
Unpatched systems are often targeted:
- exposed RDP
- VPN vulnerabilities
- Windows zero-days
🔹 Stolen credentials
Attackers log in directly using:
- leaked passwords
- credential stuffing
- reused passwords
👉 Important: ransomware is rarely “random”. It’s usually a planned intrusion.
2. Payload execution – the ransomware is launched
Once inside, the attacker deploys the ransomware binary.
At this stage, it typically:
- checks system environment (VM detection, sandbox evasion)
- disables security tools (Defender, logs, recovery tools)
- escalates privileges (admin rights)
Some variants even sleep for hours or days to avoid detection.
3. Reconnaissance – mapping the system
Before encryption, ransomware “explores”:
- drives (C:, D:, network shares)
- connected devices
- file types (documents, databases, backups)
It builds a target list in memory.
👉 This is why network drives often get encrypted too.
4. Key generation – the most important part
Modern ransomware uses hybrid encryption:
Step 1: Fast symmetric encryption
Each file is encrypted with:
- AES (most common)
- ChaCha20 (in newer strains)
This is fast and used for bulk encryption.
Step 2: Public key encryption
The symmetric keys are then encrypted using:
- RSA
- ECC (Elliptic Curve Cryptography)
The attacker keeps the private key.
👉 This is why you cannot “reverse engineer” encryption easily.
5. File-by-file encryption process
Now the ransomware starts looping through files:
For each file:
- open file
- read content into memory
- encrypt with AES/ChaCha20
- overwrite original file or create new encrypted copy
- rename file (often adding extension like
.lockbit,.enc)
It usually targets:
- documents (.docx, .pdf)
- databases (.sql, .db)
- backups
- archives (.zip, .rar)
It often avoids system-critical files to keep Windows running.
6. Deleting recovery options
To make recovery harder, ransomware often:
- deletes shadow copies (
vssadmin delete shadows) - disables recovery tools
- removes backups if accessible
- clears logs
This is why system restore often stops working.
7. Ransom note delivery
After encryption:
- text file is dropped in every folder
- desktop wallpaper is changed
- instructions are shown
Usually includes:
- Tor payment site
- Bitcoin/Monero address
- countdown timer
8. Data exfiltration (modern ransomware trend)
Many modern attacks are double extortion:
Before encryption, attackers also:
- copy sensitive files
- steal databases
- exfiltrate credentials
Even if you restore backups, data can still be leaked.
9. Why recovery without key is nearly impossible
Because of hybrid encryption:
- AES/ChaCha20 = fast encryption per file
- RSA/ECC = protects AES keys
Without private key:
👉 brute force is computationally impossible
10. Real-world insight (important)
Ransomware is not “magic encryption malware”.
It is closer to:
a structured automated data destruction system combined with extortion logic
Modern groups operate like companies:
- affiliates
- infrastructure teams
- negotiation portals
- customer support (!)
Final thoughts
Understanding ransomware at this level shows something important:
👉 prevention is far easier than recovery
Because once encryption starts, the system is already compromised at multiple layers.
Top comments (0)