Skip to content

3 Steps Ransomware Hackers Know, and You Should Too

By David Rihak, 3 StepsStep 1: Phish. Trick an exec to click on a credible-looking phishing email to log in to one of their accounts.

Step 2: Infect. Use the execs email to send a malware attachment to an IT admin.

Step 3: Cash in. Let the malware encrypt all systems and wait for ransom from the victims.

Hackers use this common technique to infiltrate, exploit, and cash in on their victims. Some attacks are more sophisticated and targeted; others work by mere chance. What they all have in common is this: at one point or another, a user is tricked into giving away access, usually in the form of a password or another MFA-protected credential.

But how do these attacks actually work? Let's use the example above and break down each point to better understand the type of threat landscape we're dealing with and how we make our systems and data better protected.

Step 1: Phish

As the first line of attack, hackers typically deploy phishing campaigns en-masse to make sure they trick as many users as possible and increase the number of targets they have the potential to demand ransom from. The fundamental idea behind most phishing campaigns is that it doesn't matter who gets caught or what organization they're coming from. Their effectiveness is typically enforced by a variety of stress tactics, where the victim is made to believe they must take action or something bad will happen otherwise: ironically, often a threat of breach is used as a way to motivate users to, e.g., update their password or perhaps download a document with instructions on how to update an anti-virus on their device.

Phishing campaigns typically have one of two goals, which can be split up into sub-goals depending on the specific strategy the adversary decided to employ:

  1. Credential / account takeover: the victim receives a fraudulent phishing email from a seemingly legitimate sender. After clicking on the link, the victim is asked to log in using their regular credentials/MFA, unknowingly giving access to the hacker. To learn more about how hackers steal passwords or bypass MFA protection, read here:
  2. Device infection: similar to before, the victim receives a fraudulent email. In this case, a user is asked to either download an attachment or click on a link that downloads - in both cases, the said file is malware that infects the device with code to either:
    1. Steal passwords, cookies, certificates, or other data that can be used to access systems like email or file-sharing software like ShareFile or similar.
    2. Infect other devices/systems in the organizations by taking advantage of open channels between different systems, e.g., FTP, messaging apps, or known system vulnerabilities.

Step 2: Infect

The technical goal of ransom-based attacks is typically to get hold of and/or encrypt sensitive or business-critical information. To do that, hackers need to get hold of accounts with high privileges that can view and alter sensitive data. They can then either:

  • Download the data and threaten the individuals or organizations with data public dissemination with the "hope" of potentially devastating social or business consequences to the victim through loss of trust. This tactic is often used against law firms that hold sensitive client information, where a data breach is typically devastating for both individuals and the law firm's business.
  • Make the data inaccessible by encrypting all of it. This is virtually synonymous with data loss. In most cases, when hackers encrypt an organization's data, there is no way to retrieve it back without a unique decryption key that the hacker possesses. In this case, hackers typically aim to sell the decryption key to the victims who hope to retrieve their data.

Step 3: Cash-in

The threat of data leakage or loss is communicated as part of an offer by the adversary with a demand of payment typically around $1 million, where the victims, on average, paid $870.000 in value in Q3, 2023, typically paid in Bitcoin or other "hard-to-trace" store of value. The total cost of a breach for small and mid-size enterprises is typically around $3 million.*

To make things even worse, the transaction in no way guarantees the promised result. Once payment is made, adversaries often decide to leak the data anyway or not provide a functioning decryption key that the victim needs to access the data. In many cases, even when a decryption key is provided, it doesn't function properly to restore all of the data that has been encrypted by the attack.

In either case, the direct and indirect financial damage is typically in the millions, is always disruptive to an organization's ability to function normally, and to small to mid-size enterprises is often devastating.


Unfortunately, given the geopolitical landscape and the state-of-the-art capabilities of law enforcement where hackers are dealt the better cards, organizations and individuals have no choice but to invest in better protection capabilities to mitigate the most prominent and destructive hacking techniques, which ransomware is spearheading.

Here are a few things businesses should do to protect their data and systems better:

  1. Eliminate passwords and unreliable MFA: Implement phishing-resistant device-based access security. Prioritize email and mission-critical systems and accounts.
  2. Minimize access rights across your systems: based on the "Zero Trust" principle, avoid super admin accounts and opt for minimum privilege accounts. Ensure that any account in your organization can do the least damage possible in case of a breach.
  3. Know devices accessing company data: know what devices are accessing your systems and data, both cloud and on your own infrastructure. Improve device security where you can with threat detection and device management.
  4. Back up regularly. Test to make sure you can actually use backups if needed.

Here are a few that are important to look into if you're managing systems/applications of your own:

  1. Employ system monitoring and threat detection where possible.
  2. Patch to stay up-to-date. If you can't afford to keep a system up-to-date, look for ways to replace it!
  3. Conduct regular vulnerability scans and promptly address any identified vulnerabilities.

You can improve your organization's ability to defend itself from hackers in many other ways. It is, for example, good practice to have an incident response plan since no security is absolute: if s**t hits the fan, you want a step-by-step plan to execute in case of a breach. It's also better to train employees than not, even if it's not the most effective. So, where do we focus our resources?

Do a cost-benefit analysis to know where there's most room to effectively improve your organization's defenses with the least total effort and invest there. Cybersecurity is an investment, so treat it like one.

*Cost of a Data Breach Report 2023, IBM

About David:

David Rihak, Peig.ioAs the CEO and co-founder at Peig, David helps organizations get rid of passwords and up their cyber game with passwordless access security. Before this, David was a Digital Identity Director at ADUCID, where he co-designed citizen-centric identity solutions and helped develop federal and private partnerships.

As a frequent speaker at security conferences, David is a vivid promoter of human-centric security architectures that leave passwords in the dust.