How a ransomware attack works – from an email to a paralyzed business 

A ransomware attack doesn't start with encryption—it starts with a single click

It is worth noting that most people imagine a ransomware attack as a sudden, almost instantaneous attack. In this scenario, one day the systems simply stop working, and a ransom demand appears on computer screens.

However, it must be acknowledged that, in reality, an attack is a complex process that lasts for days, and sometimes even weeks. In practice, it consists of a series of stealthy steps that a SOC team can effectively detect—provided the organization has 24/7 security monitoring in place.

In this article, we will therefore walk you through a complete, realistic incident scenario: from an innocent email to the moment when hackers bring the company to a complete standstill. Importantly, our account of events is based on the in-depth analyses our experts conduct as part of their daily work dealing with real-world threats.

Stage 1: Phishing email – the first click (Day 0)

Monday morning at 9:14 AM. This is exactly when an accounting department employee receives a message with alarming content: “Urgent: missing invoice – please verify by the end of the day”. It is worth noting that the sender inspires complete trust, as they use the name of a well-known supplier, an official logo, and impeccable Polish.

The employee opens the attached Excel file without concern; after a moment, she sees a familiar message: “To view full content, enable macros”. Attackers deliberately exploit this habit: for most employees, such a prompt is a daily occurrence. Consequently, she clicks the button without hesitation, unknowingly executing a script and opening the digital doors to the entire organization for the attackers.

What is happening in the background? 
  • When the macro is run, it launches a PowerShell script, 
  • The script downloads a small program from the internet—a so-called loader, 
  • The loader establishes a connection with the cybercriminals' command-and-control (C2) server. 

The computer is working normally. There are no signs of an infection. 

What would the SOC detect? 
  • launching PowerShell from Excel (highly suspicious), 
  • a link to a domain with a low reputation, 
  • downloading and opening an unknown file. 
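The first of these signals, an Office application spawning PowerShell, can be expressed as a simple rule over process-creation telemetry. The detector below is an added illustration, not code from the original article; the event shape mirrors Sysmon Event ID 1 / EDR process-creation records, and the hosts, users and command lines are constructed placeholders.

```python
"""Stage 1 detector (constructed example): an Office application spawning a shell
with loader-style arguments. Events mimic Sysmon Event ID 1 / EDR process-creation
records; hosts, users and command lines are constructed placeholders."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Arguments that say "run quietly and fetch something", not routine administration.
LOADER_ARGS = re.compile(r"-enc\w*|-w(?:indowstyle)?\s+hidden|-nop\w*|downloadstring"
                         r"|invoke-webrequest|\biwr\b", re.I)

def _name(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(ev):
    """Return (severity, reasons); severity is None when nothing matched."""
    parent, child = _name(ev["ParentImage"]), _name(ev["Image"])
    reasons = []
    if parent in OFFICE_APPS and child in SHELLS:
        reasons.append(f"{parent} spawned {child}")
    args = sorted({m.lower() for m in LOADER_ARGS.findall(ev.get("CommandLine", ""))})
    if args:
        reasons.append("loader-style arguments: " + ", ".join(args))
    if not reasons:
        return None, []
    # Office->shell alone deserves a look; with hidden/download flags it is a Day-0 alarm.
    return ("high" if len(reasons) == 2 else "medium"), reasons

def detect(events):
    alerts = []
    for ev in events:
        sev, reasons = score_event(ev)
        if sev:
            alerts.append({"host": ev["Computer"], "user": ev["User"], "severity": sev, "reasons": reasons})
    return alerts

OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # the Day-0 macro, an admin's ordinary shell, and a Word-launched cmd
    {"Computer": "acct-pc07", "User": "CORP\\acct.user1", "ParentImage": OFFICE16 + r"\EXCEL.EXE",
     "Image": PS, "CommandLine": "powershell.exe -nop -w hidden -enc <constructed-placeholder>"},
    {"Computer": "it-ws01", "User": "CORP\\it.admin1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": PS, "CommandLine": "powershell.exe Get-Service -Name Spooler"},
    {"Computer": "hr-pc02", "User": "CORP\\hr.user2", "ParentImage": OFFICE16 + r"\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The admin's explorer-launched PowerShell produces no alert, which is the point: the parent process, not PowerShell itself, carries the signal.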

Stage 2: Covert reconnaissance and preparation for the attack (Days 1–3)

Professional attackers never encrypt data immediately after compromising a system. Instead, they first conduct a thorough reconnaissance of the environment to maximize their ransom proceeds. In practice, the installed loader immediately begins collecting key information, such as:

  • the full computer name, domain, and logged-in user,
  • a list of active processes and services,
  • the detailed structure of the internal network,
  • as well as the specifications of the business applications used.

In the next step, the script performs an aggressive network scan, which allows attackers to check:

  • which devices remain available in the infrastructure,
  • which servers play a critical role in business continuity,
  • where exactly the most valuable resources and backups are located.

It is important to recognize that this stage is a critical moment for security teams. Therefore, a proper post-breach analysis conducted by the SOC can detect this unusual activity before hackers choose their final attack vector and cripple the systems.

Why doesn't IT see this? 

The traffic generated by the malware is dispersed and mimics normal network communication. 
It rarely raises antivirus alarms. 

What would the SOC detect? 
  • custom queries to the domain controller, 
  • port scanning, 
  • repeated attempts to enumerate the network. 

Stage 3: Privilege Escalation and Lateral Movement (Days 4–7)

First and foremost, it must be understood that at this stage, attackers are desperately searching for higher privileges – their primary targets become administrator accounts and service accounts. Unfortunately, in many organizations, they find them surprisingly easily.

In practice, hackers use proven methods for this, such as:

  • stealing passwords stored locally in the browser's cache or on the system,
  • using advanced tools to hijack session tokens,
  • a direct attack on poorly secured passwords for RDP services,
  • a thorough analysis of configuration files, which often contain login credentials in plain text.

The moment criminals gain administrator privileges, they begin to move laterally across the entire network. This means that they methodically log in to file servers, examine network shares in search of sensitive data, attempt to breach databases, and install backdoors on further devices. Consequently, they establish permanent access to the infrastructure, which allows them to return to the systems even after the computers have been restarted.


Why doesn't IT notice this? 

From the systems' perspective, this appears to be legitimate administrator activity. 
The correct login credentials are being used. 

What would the SOC detect? 
  • logins from an unusual device or at an unusual time, 
  • attempts to access resources that the admin has never accessed before, 
  • suspicious use of tools such as PsExec or RDP to access multiple machines at once. 

Stage 4: Data exfiltration – preparation for double extortion (Days 8–10)

Before encrypting anything, the attackers steal the data. Why? 

Because modern ransomware operates on a double extortion model: 

  1. demanding a ransom for decrypting the data, 
  2. demanding a ransom for not releasing the stolen data on the internet. 

Attackers download: 

  • customer data, 
  • invoices and financial documents, 
  • contracts, 
  • HR data, 
  • email databases and CRM systems. 

They transfer it slowly, in small batches, over port 443, so that it looks like normal web traffic. 

Why does IT often overlook this? 

HTTPS traffic → doesn't look suspicious. 
Small files being sent → don't trigger alerts. 

What would the SOC detect? 
  • anomalies in the volume and rhythm of outgoing traffic, 
  • sending data to unknown locations, 
  • compressing large files using processes that have never done so before. 
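The volume-and-rhythm signal can be checked per host against that host's own baseline. The detector below is an added illustration, not code from the original article; the flow records are constructed, shaped like the per-hour outbound summaries a NetFlow or proxy pipeline would produce, and 203.0.113.25 is a documentation address standing in for the attackers' drop site.

```python
"""Stage 4 detector (constructed example): a host slowly pushing data over HTTPS
to a destination it has never contacted. Flow records are constructed, shaped like
the per-hour summaries a NetFlow or proxy pipeline would produce."""
from collections import defaultdict
from statistics import mean, pstdev

# (host, hour_of_day, destination, bytes_out): a normal working day, used as baseline
BASELINE = [("acct-pc07", h, "crm.example.internal", 40_000 + (h % 5) * 3_000) for h in range(8, 18)]
BASELINE += [("acct-pc07", h, "mail.example.com", 120_000) for h in range(9, 17)]
BASELINE += [("hr-pc02", h, "hr.example.internal", 30_000 + (h % 3) * 10_000) for h in range(8, 17)]
# The observed day: the same traffic plus ~100 KB every two hours, day and night,
# to 203.0.113.25 (a documentation address standing in for the attackers' drop site).
WINDOW = BASELINE + [("acct-pc07", h, "203.0.113.25", 100_000) for h in range(1, 23, 2)]
WINDOW += [("hr-pc02", 10, "cdn.example.net", 20_000)]  # one new destination in office hours

def profile(flows):
    """Per host: destinations already seen and total outbound bytes per hour."""
    known, hourly = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for host, hour, dst, nbytes in flows:
        known[host].add(dst)
        hourly[host][hour] += nbytes
    return known, hourly

def detect_exfil(baseline, window, min_hours=6, office=range(7, 20)):
    known, base_hourly = profile(baseline)
    _, win_hourly = profile(window)
    new_dst = defaultdict(lambda: defaultdict(set))  # host -> new destination -> hours seen
    for host, hour, dst, _ in window:
        if dst not in known[host]:
            new_dst[host][dst].add(hour)
    alerts = []
    for host, dsts in new_dst.items():
        vals = list(base_hourly[host].values()) or [0]
        ceiling = mean(vals) + 3 * pstdev(vals)  # this host's own "busy hour" upper bound
        for dst, hours in dsts.items():
            reasons = []
            if any(win_hourly[host][h] > ceiling for h in hours):
                reasons.append("volume")     # a loud burst: what a size threshold would catch
            if len(hours) >= min_hours:
                reasons.append("rhythm")     # a steady drip to one new destination
            if any(h not in office for h in hours):
                reasons.append("off-hours")
            if reasons:
                alerts.append({"host": host, "dst": dst, "hours": len(hours), "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in detect_exfil(BASELINE, WINDOW):
        print(alert)
```

The accounting host never exceeds its hourly volume ceiling, exactly as the article describes, yet the regular drip to one unknown destination at night still stands out; the HR host's single new destination in office hours stays quiet.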

Stage 5: Encryption – The Final Touch (Day 11)

The attackers choose the worst possible moment:  Saturday, 3:00 AM.

At that time: 

  • people are sleeping, 
  • the help desk isn't working, 
  • hardly anyone monitors the systems. 

They launch the ransomware on every device they have gained access to: 

  • files are encrypted en masse, 
  • servers are going down one after another, 
  • backups are deleted or overwritten, 
  • a ransom demand appears on every screen.


Why is it only now coming to light that something is wrong? 

Because that’s the first moment when the attack becomes public. 
The entire earlier phase was silent, hidden, and did not produce any visible symptoms. 

What would the SOC detect at this stage? 
  • mass file modification, 
  • launching encryption processes, 
  • system calls typical of ransomware, 
  • an attempt to disable security services. 
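The first and last of these signals can be turned into rules over file-system and service-control telemetry: a rate-and-spread check for mass modification, and a plain match for stop requests against security services. The code below is an added illustration, not code from the original article; the events are constructed, the process name enc_worker.exe is made up, and WinDefend, Sense and EventLog are the real service names for Microsoft Defender Antivirus, Defender for Endpoint and the Windows event log.

```python
"""Stage 5 detector (constructed example): one process rewriting files faster and more
widely than any legitimate program, and a stop request against a security service.
Events are constructed; timestamps are seconds since midnight."""
from collections import defaultdict

# File events: (ts, host, process, path, new_extension_if_renamed_else_None)
FILE_EVENTS = []
for i in range(120):   # 03:00: 120 documents on 6 shares rewritten and renamed within 60 s
    FILE_EVENTS.append((3 * 3600 + i // 2, "fs01", "enc_worker.exe", f"\\\\fs01\\share{i % 6}\\doc{i}.docx", ".locked"))
for i in range(30):    # a nightly build writing its own 30 outputs, no renames: normal
    FILE_EVENTS.append((3 * 3600 + i * 2, "build01", "msbuild.exe", f"C:\\build\\out\\obj{i}.o", None))
# Service-control events: (ts, host, process, service, action)
SERVICE_EVENTS = [(3 * 3600 + 2, "fs01", "enc_worker.exe", "WinDefend", "stop"),
                  (7 * 3600, "build01", "services.exe", "Spooler", "start")]

def file_burst(events, window=60, min_files=50, min_dirs=3):
    """Flag a (host, process) that touches >= min_files within `window` seconds
    while spreading over many directories or renaming most of what it writes."""
    by_proc = defaultdict(list)
    for ts, host, proc, path, ext in events:
        by_proc[(host, proc)].append((ts, path, ext))
    alerts = []
    for (host, proc), evs in by_proc.items():
        evs.sort(key=lambda e: e[0])
        peak, j = 0, 0
        for i in range(len(evs)):         # sliding window over timestamps
            while evs[i][0] - evs[j][0] > window:
                j += 1
            peak = max(peak, i - j + 1)
        dirs = {p.rsplit("\\", 1)[0] for _, p, _ in evs}
        renamed = sum(1 for _, _, e in evs if e) / len(evs)
        if peak >= min_files and (len(dirs) >= min_dirs or renamed >= 0.5):
            alerts.append({"host": host, "process": proc, "peak": peak,
                           "dirs": len(dirs), "renamed": renamed})
    return alerts

PROTECTED = {"WinDefend", "Sense", "EventLog"}  # Defender AV, Defender for Endpoint, event log

def service_tampering(events):
    """Any stop/disable aimed at a protected service is an alert on its own."""
    return [{"host": h, "process": p, "service": s, "action": a}
            for _, h, p, s, a in events if s in PROTECTED and a in {"stop", "disable"}]

if __name__ == "__main__":
    for alert in file_burst(FILE_EVENTS) + service_tampering(SERVICE_EVENTS):
        print(alert)
```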

Stage 6: In the morning, the company wakes up paralyzed

Employees log in on Monday morning. 

The ERP system isn't working. 
The accounting system isn't working. 
The databases aren't working. 
The files are encrypted. 

A message appears on the devices' screens: “Your files have been encrypted. Pay 50 BTC within 72 hours.” 

The board has a few hours to make a decision: 

  • pay the ransom? 
  • hire an incident response firm? 
  • report to the UODO (GDPR – 72 hours)? 
  • inform customers and partners? 

Costs are rising by the minute: 

  • operational downtime, 
  • loss of revenue, 
  • reputation, 
  • regulatory penalties, 
  • reconstruction costs.

Where in this chain could the SOC have stopped the attack? 

Actually… at every stage. 

The SOC would detect signals: 
  • suspicious PowerShell script triggered by Excel (Day 0), 
  • network scanning (Days 1–3), 
  • unusual admin logins (Days 4–7), 
  • data transfer to external addresses (Days 8–10), 
  • bulk file modification (Day 11). 

In practice, this means that a ransomware attack can be stopped: 

  • after a few minutes, 
  • after a few hours, 
  • or after a few days at the latest. 

Without a SOC, an organization only finds out when the damage is already irreversible.

Summary: ransomware is a process — and a process can be interrupted

First and foremost, it must be understood that ransomware is not a sudden event, but a sequence of actions stretched over time. This is precisely why each stage of the attack leaves digital signals that an efficient SOC team can effectively detect.

Of course, one unfortunate click does not have to end in the paralysis of the entire company. However, this is only true provided that qualified specialists monitor the network, logs, and anomalies 24/7. Consequently, a rapid response allows the threat to be nipped in the bud before hackers encrypt key data.

In this regard, it is worth asking yourself: would your company detect a ransomware attack at one of its early stages? If you want to find out, contact Knoxtera and schedule a free security consultation or test our effectiveness during a SOC Proof of Concept.