The 7 Stages of a Ransomware Attack - Zerto

The 7 Stages of a Ransomware Attack

June 24, 2021
Est. Reading Time: 6 minutes

What happens during a ransomware attack and why recovery is critical

A ransomware attack isn’t a single event. It is a series of events designed to disrupt and disable systems and to force organizations to pay large sums to recover data and get back online. By walking through 7 distinct stages of a ransomware attack, we can better understand the scope of the ransomware threat and why having the right recovery plan in place is critical.

Stages 1-3: The Calm Before the Storm

The first 3 stages of a ransomware attack can happen without you ever seeing it coming. Prevention is important to intercede where possible, but these attacks are designed to target systems where they are most vulnerable, often starting with users.

Stage 1 – Initiation of the Attack

This first stage is where the attacker sets up the ransomware to infiltrate your system. This can be done in several ways such as sending out phishing email attacks, setting up malicious websites, exploiting weaknesses in RDP connections, or attacking software vulnerabilities directly. The more users your organization has, the more vulnerable you are to a user targeted attack like phishing, malicious websites, or combinations of these. It only takes one user to make a mistake and execute the ransomware code, infiltrating the system.

Stage 2 – Instantiation

The second stage occurs once the ransomware has infiltrated your system. The malicious code will set up a communication line back to the attacker. The ransomware attacker may download additional malware using this communication line. At this point, the ransomware may lay hidden and dormant for days, weeks, or months before the attacker chooses to initiate the attack. The ransomware may try to move laterally across other systems in your organization to access as much data as possible. Many ransomware variants now also target backup systems to eliminate the chance for you as the victim to restore data.  You could be completely unaware that your systems are compromised, and the attacker can wait for the optimal time to unleash the attack.

Stage 3 – Activation

The third stage is when the attacker activates, or executes, the ransomware attack remotely. This can happen at any time the attacker chooses and catch your organization completely off guard. Once the attack has begun, it can be a race against time for your organization to even identify that the attack is occurring so that mitigation and recovery efforts may go into action.

Stages 4-7: The Storm

Once an attack has been activated, your system and data are in jeopardy. Without a plan in place to mitigate the attack and recover, downtime can stretch from hours to days or even weeks. The results are costly both to your financial bottom line and potentially to your brand reputation.

Stage 4 – Encryption

Ransomware holds data hostage through encryption (or in some cases a lock screen but encryption is most likely in a corporate attack.) Different ransomware variants use different encryption methods which range from encrypting the master boot record of a file system to encrypting individual files or entire virtual machines. Ransomware that also targets backup systems may delete or encrypt the backups to prevent recovery. Decrypting the data is highly unlikely, so your organization will have three choices: lose the data, recover from a replica or backup, or pay the ransom.

Stage 5 – Ransom Request

In this stage, you’re officially the victim and the ransomware has encrypted data. You’re presented with information on how to pay a ransom via a cryptocurrency transaction. Depending on what data the ransomware was able to encrypt, not only will data be inaccessible, but applications and entire systems can be disabled by the encryption. Operations can be severely impacted without access to data or services.

Stage 6 – Recovery or Ransom

This is the stage where many of the organizations we’ve seen in the news experienced impacts of significant downtime or disruption and many have chosen to pay a ransom as a result. Without an effective recovery method, even if the data can be recovered, at least partially, the cost of doing so may exceed the cost of paying the ransom. However, if your organization has an effective recovery plan in place, you may be able to recover the data quickly with minimal disruption and no need to pay a ransom, eliminating the negative publicity of downtime and paying an exorbitant ransom.

Stage 7 – Clean Up

Paying a ransom or even recovering data from a backup or replica does not necessarily eliminate the ransomware on the system. The malicious files and code may still be present and need to be removed. The attack itself will likely reveal the type of ransomware and make it easier to locate and purge from the system. If necessary, systems can be recovered in an isolated network to clean up the malware without risking re-activation. Once the malware has been cleaned up, the system can be returned to normal operation.

Recovery is Resilience

Preventing ransomware attacks before they happen should be part of every cyber security plan. Having said that, cyber-attacks and cyber-crimes by their nature are designed to bypass preventative measures and continue to evolve rapidly in order to do so. Organizations that take these threats seriously know that it is a matter of when, not If, they will be attacked. When that happens, only an effective recovery plan will allow your organization to avoid downtime, business disruption and taking a huge financial hit.

Business resilience or continuity has many components but within IT, the ability to recover data is the backbone of resilience. Backup and disaster recovery operations can be effective, whether restoring files locally or recovering applications from a warm DR site to help your organization get back on track. Modern ransomware attacks require modern data management and recovery solutions that protect data across multiple platforms including on-premises, cloud, tiered storage, , and SaaS applications.

Zerto 9 brings new and enhanced recovery capabilities including immutable backups to the ransomware fight. Zerto’s advanced, world-class continuous data protection and cloud data management gives organizations multiple recovery options to minimize downtime and data loss from operational loss, cyber-attacks, or any disaster.

Plan Ransomware Protection with the Recovery Experts

Ransomware attacks infiltrate systems despite the best efforts of prevention and preparation. Understanding how ransomware attacks impact systems is the first step in planning for both prevention and recovery. If you haven’t started planning for recovery, now is the time. If you have planned, now may be the time to review your plans to make sure they are keeping up with modern ransomware variants.

Effective preparation to ensure you can recover is the most critical line of defense against the disruption and attacks that make the news. Don’t allow your organization to become victimized by not having the right recovery plan when the inevitable attack happens.

TenCate, a multinational textile company based in the Netherlands, experienced two ransomware attacks, one before implementing Zerto and one after. By implementing Zerto and planning for ransomware recovery, Tencate reduced recovery time from weeks to minutes.

“Honestly, in the recent attack, I was kind of laughing during the recovery. I knew I had a way out with Zerto. I was confident, and my heart didn’t sink. I chose a recovery point a few minutes before the infection, tested for the VM being clean and connected the vNIC – back to work. I didn’t go home worried, stressed, or depressed.”  – Jayme Williams, Sr. Systems Engineer, TenCate

Recovery experts at Zerto can show you how immutability and multiple recovery options can bolster your recovery planning.

Watch the webinar from July 29th and see first-hand how Zerto brings immutability and automation for ransomware resilience, helps modernize your IT with cloud, enhances backup management and more.



Try Zerto with our Get of our Ransomware Jail offer on 10 virtual machines.






David Paquette
Product Marketing Manager

David Paquette is a Product Marketing Manager at Zerto. He has over 20 years of experience in disaster recovery, backup, and business continuity solutions. Prior to Zerto, David was a Product Marketing Manager at Scale Computing working with hyperconverged infrastructure, edge computing, and DRaaS solutions. Previous to Scale Computing, David worked for over 17 years at Double-Take Software/Vision Solutions in various roles from software testing, systems engineering, product marketing, and product management.