As with any malicious software, ransomware can enter your network in a number of different ways, such as through a spam email attachment, using stolen credentials, via an unsecured internet link, through a compromised website, or even hidden as part of a downloadable software bundle. Some forms of ransomware use built-in social engineering tools to try to trick you into granting them administrative access, while others attempt to circumvent permissions entirely by exploiting existing security weaknesses.
Once inside your network, the software deploys, executing a series of commands behind the scenes. This often involves subverting the critical administrative accounts that control systems such as backup, Active Directory (AD), Domain Name System (DNS) and storage admin consoles. The malware then attacks the backup administration console, allowing the attacker to turn off or modify backup jobs, change retention policies, and more easily locate sensitive data that might be worth taking hostage.
Most commonly, at this point the malware begins encrypting some or all of your files. Once those files have been locked, the malware reveals itself by informing you that your data is being held for ransom and what demands must be met for you to regain access. In other kinds of malware (often called leakware), the attacker may instead threaten to publicly expose certain kinds of sensitive data if the ransom is not paid. In many cases, the data isn’t only encrypted; it’s also copied and stolen to be used in future criminal activities.