Ransomware
Ransomware is malware that encrypts a victim’s files or systems and demands a ransom for their restoration. It is one of the most common and costly cyber threats facing businesses.
Ransomware has two parts: an encryptor that runs on the victim's systems, and attacker-controlled infrastructure (command-and-control) that holds the decryption keys. Once encryption is complete, a ransom note is dropped demanding payment, usually in cryptocurrency.
Current Threat Landscape
According to the BSI Situation Report 2024, ransomware is the most critical threat to businesses and government agencies in Germany. The average ransom demand in 2024 was $2.73 million (Coveware). The total cost of an incident, including downtime, data recovery and reputational damage, is typically 5 to 10 times the ransom itself.
How a Modern Ransomware Attack Unfolds
Encryption looks like a sudden event. In reality the attacker has usually been inside the network for weeks or months; a typical timeline (the day counts are illustrative) is:
- Phase 1: Initial Access (days 1 to 7): phishing, exploitation of a VPN appliance, credential stuffing against exposed VPN/RDP
- Phase 2: Persistence (days 7 to 14): scheduled tasks, WMI event subscriptions, registry autoruns
- Phase 3: Privilege Escalation (days 14 to 21): Kerberoasting, Pass-the-Hash (Mimikatz), credential dumping from LSASS
- Phase 4: Lateral Movement (days 21 to 40): PsExec, remote WMI, SMB
- Phase 5: Exfiltration (days 40 to 60): data theft for double extortion, done before any encryption so that the leak threat is ready when the ransom note appears
- Phase 6: Impact (hours): the ransomware itself is deployed to all reachable systems at once, leaving defenders no time to react
Double and Triple Extortion
Modern ransomware attacks follow multi-stage extortion models:
- Single Extortion: encryption only; the ransom buys the decryption key
- Double Extortion: encryption plus data theft, with the threat of publishing the data on a leak site on the dark web if the ransom is not paid
- Triple Extortion: double extortion plus further pressure, for example DDoS attacks on the company website or direct contact with customers and partners whose data was stolen
Technical Background: Encryption
Modern encryption scheme (LockBit-style), a hybrid of asymmetric and symmetric cryptography:
- RSA-4096 master key pair: the public key is embedded in the ransomware binary, the private key never leaves the attacker
- AES-256 per file: a fresh symmetric key for every file, because AES is fast enough to encrypt terabytes in hours while RSA is not
- Each AES key is encrypted with the RSA public key and stored alongside the file: nothing left on the victim's systems can undo this, and recovering the keys without the private RSA key is computationally infeasible. There is no brute-force path; recovery means a backup or the attacker's key.
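The hybrid scheme described above, written out as an added example that is not code from this page or from any ransomware family; it uses only Go's standard library. The names encryptFile, decryptFile and roundTrip, the on-disk layout (EncryptedFile) and the choice of AES-GCM with RSA-OAEP are this example's own assumptions; real families differ in cipher mode and padding but keep the same structure. The second key pair in roundTrip stands in for everyone who does not hold the attacker's private key, which is exactly why backups, not cryptanalysis, are the recovery path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// EncryptedFile is what is left on the victim's disk for each file. The
// plaintext AES key exists only inside WrappedKey, encrypted to the attacker.
type EncryptedFile struct {
	WrappedKey []byte // 32-byte AES key, RSA-OAEP encrypted with the master public key
	Nonce      []byte // AES-GCM nonce, fresh per file
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// encryptFile is the victim-side step: fresh 256-bit key per file, fast bulk
// encryption with AES, key wrapped with the embedded public key and discarded.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // wipe: the key must not survive in memory or on disk
		fileKey[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// decryptFile is the decryptor handed over after payment: it needs the private key.
func decryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// roundTrip runs the scheme once, then tries the decryptor with a second,
// unrelated private key (anyone without the attacker's key). It returns the
// recovered plaintext and whether the wrong key was rejected.
func roundTrip(bits int, plaintext []byte) (recovered []byte, wrongKeyRejected bool, err error) {
	master, err := rsa.GenerateKey(rand.Reader, bits) // attacker's master key pair
	if err != nil {
		return nil, false, err
	}
	ef, err := encryptFile(&master.PublicKey, plaintext)
	if err != nil {
		return nil, false, err
	}
	if recovered, err = decryptFile(master, ef); err != nil {
		return nil, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, false, err
	}
	_, wrongErr := decryptFile(other, ef)
	return recovered, wrongErr != nil, nil
}

func main() {
	recovered, rejected, err := roundTrip(4096, []byte("constructed sample file contents"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with master private key: %q\nwrong private key rejected: %v\n", recovered, rejected)
}
```

Running it shows the file coming back intact with the master private key and OAEP unwrapping failing with any other key; the AES layer never even runs in the failure case, because the file key cannot be recovered.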
Before encrypting, ransomware routinely deletes Volume Shadow Copies (vssadmin delete shadows /all /quiet), deletes the backup catalog (wbadmin delete catalog) and disables Windows Recovery (bcdedit /set {default} recoveryenabled No), so that the victim cannot roll back on its own. These commands run minutes before mass encryption starts, so detecting them early is critical; it is usually the last chance to isolate hosts before the damage is done.
Detection Indicators (Windows Event IDs)
| Event ID | Meaning | Relevance |
|---|---|---|
| 4625, then 4624 | Many failed logons from one source address, followed by a success (Security log) | Credential stuffing / password spraying |
| 4698 | Scheduled task created (Security log) | Persistence |
| 4104 | PowerShell script block logged (Microsoft-Windows-PowerShell/Operational); shows the decoded content of -EncodedCommand payloads | Obfuscated or downloaded PowerShell |
| 4769 with RC4 (ticket encryption type 0x17) | Kerberos service ticket (TGS) requested with the weak RC4 type, typically for many SPNs from one account in a short time | Kerberoasting |
| 7045 | New service installed (System log); service name PSEXESVC | PsExec lateral movement |
| 4688 with command-line auditing enabled (or Sysmon Event ID 1) | Process creation whose command line contains vssadmin delete shadows | Shadow-copy deletion, encryption imminent |
Backup as the Most Important Countermeasure
The 3-2-1-1-0 Backup Rule (Ransomware-Resistant):
- 3 copies of the data
- 2 different media
- 1 copy offsite
- 1 copy offline, air-gapped or immutable, so that ransomware and an attacker with domain admin rights cannot reach or alter it
- 0 errors during restore tests
Critical: backups must be tested regularly by actually restoring them; an untested backup is not a backup. The backup system must sit on a separate network segment with its own credentials, not joined to the production domain, because attackers deliberately locate and destroy backups before deploying the encryptor.
Protective Measures
- MFA on VPN/RDP: a stolen or guessed password alone no longer grants access, which removes credential stuffing as an initial-access path
- EDR on all endpoints: detects Kerberoasting, LSASS access, lateral movement and the pre-encryption commands
- Network segmentation: limits lateral movement and the blast radius of the encryption phase
- Immutable backups: recovery is possible even though the attacker has had administrative access
- SIEM alerts: vssadmin delete shadows (and the equivalent wbadmin and bcdedit commands) must immediately trigger a P1 alert
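The indicators from the table above and the vssadmin rule from the SIEM bullet, turned into detection logic that runs over a constructed event sample. This is an added example in Go (standard library only), not tooling from this page or from any SIEM vendor. The record format ("EventID|key=value|..."), the field names, the failed-logon threshold of 3 and the severity labels are this example's assumptions; in a real deployment the Security, System, PowerShell/Operational and Sysmon channels would be mapped into the Event struct by the SIEM's own parsers, and the threshold would be tuned per environment.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event is one Windows log record after SIEM field extraction. The field
// names (src, user, etype, cmd, ...) are this example's shorthand.
type Event struct {
	ID     int
	Fields map[string]string
}

// Alert is one finding; P1 means "page someone now".
type Alert struct{ Severity, Rule, Detail string }

// sampleLog is a constructed record set ("<EventID>|key=value|...") that
// walks through the table's indicators in attack order.
const sampleLog = `
4625|src=203.0.113.7|user=jdoe
4625|src=203.0.113.7|user=asmith
4625|src=203.0.113.7|user=dkim
4624|src=203.0.113.7|user=dkim
4104|user=dkim|script=IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($p)))
4769|user=dkim|service=MSSQLSvc/db01.corp.example:1433|etype=0x17
4769|user=dkim|service=krbtgt/CORP.EXAMPLE|etype=0x12
4698|user=dkim|task=\Microsoft\Windows\Updater
7045|host=FS01|service=PSEXESVC
4688|host=FS01|cmd=vssadmin.exe delete shadows /all /quiet
`

// parseLog turns the records into Events; malformed lines are skipped.
func parseLog(log string) []Event {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		parts := strings.Split(strings.TrimSpace(line), "|")
		id, err := strconv.Atoi(parts[0])
		if err != nil {
			continue
		}
		e := Event{ID: id, Fields: map[string]string{}}
		for _, p := range parts[1:] {
			if k, v, ok := strings.Cut(p, "="); ok {
				e.Fields[k] = v
			}
		}
		events = append(events, e)
	}
	return events
}

// detect applies the table's rules in event order. The only state kept is
// the failed-logon counter per source; everything else is a single-event match.
func detect(events []Event) []Alert {
	var alerts []Alert
	failed := map[string]int{}
	add := func(sev, rule, detail string) { alerts = append(alerts, Alert{sev, rule, detail}) }
	for _, e := range events {
		f := e.Fields
		switch e.ID {
		case 4625:
			failed[f["src"]]++
		case 4624: // success after repeated failures from the same source
			if n := failed[f["src"]]; n >= 3 {
				add("P2", "credential-stuffing", fmt.Sprintf("%d failures from %s, then success as %s", n, f["src"], f["user"]))
			}
		case 4104: // script block logging shows the decoded -EncodedCommand payload
			s := strings.ToLower(f["script"])
			if strings.Contains(s, "frombase64string") || strings.Contains(s, "invoke-expression") {
				add("P2", "obfuscated-powershell", "base64 payload executed by "+f["user"])
			}
		case 4769: // RC4 (0x17) service tickets for anything but krbtgt
			if f["etype"] == "0x17" && !strings.HasPrefix(f["service"], "krbtgt/") {
				add("P2", "kerberoasting", "RC4 TGS for "+f["service"]+" by "+f["user"])
			}
		case 4698:
			add("P2", "persistence-scheduled-task", f["task"]+" created by "+f["user"])
		case 7045:
			if strings.EqualFold(f["service"], "PSEXESVC") {
				add("P2", "psexec-lateral-movement", "PSEXESVC installed on "+f["host"])
			}
		case 4688: // process creation with command-line auditing enabled
			c := strings.ToLower(f["cmd"])
			if strings.Contains(c, "vssadmin") && strings.Contains(c, "delete") && strings.Contains(c, "shadows") {
				add("P1", "shadow-copy-deletion", f["cmd"]+" on "+f["host"])
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range detect(parseLog(sampleLog)) {
		fmt.Printf("[%s] %-26s %s\n", a.Severity, a.Rule, a.Detail)
	}
}
```

The sample produces six alerts, one per row of the table, and only the last one is P1: everything before it is an intrusion in progress with time to respond, while shadow-copy deletion means encryption is minutes away. The krbtgt ticket with AES (0x12) is deliberately included to show the exclusion that keeps the Kerberoasting rule from firing on routine ticket renewals.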
Detailed technical analysis: How does ransomware work technically?
Further information: Wiki article on ransomware