
Ransomware lifecycle: every stage you need to know


Summary: The ransomware lifecycle spans seven stages from targeting to recovery. Understanding each step helps businesses prepare, contain threats, and mitigate long-term damage.

Ransomware is malicious software that infects systems, locks sensitive data, and demands payment to restore functionality.

With an average ransom payment of $2.73 million, ransomware directly harms targeted companies. However, attackers can also steal data whether victims pay or not. When that happens, the reputational and regulatory consequences are devastating.

Ransomware is a rising threat. Attacks against US targets surged by 150% during the first five weeks of 2025 versus early 2024. Companies must take action to safeguard their networks, and understanding the ransomware lifecycle is a critical part of that.

This article will introduce the ransomware lifecycle and how it works. Understanding how ransomware attacks progress is the first step in mitigation, so let's get started.

The average duration of a ransomware attack

The ransomware lifecycle describes the duration and stages of a ransomware incident. On average, ransomware attacks last 21 days. This duration runs from the identification of the threat to restoring system availability. It does not cover post-incident activity to ensure data security or pre-incident preparation.

The average duration above also does not include secondary attacks. For instance, a company might suffer an initial attack lasting one week. However, inadequate security controls mean the attacker returns repeatedly.

Even so, 24 days is a long time to be without working systems. In that period, your website may be down. Customers cannot access services, while employees struggle to log into network resources. The result is huge financial costs for every day of ransomware infection.

Ransomware lifecycle breakdown

Attackers prepare meticulously, infiltrate strategically, and act ruthlessly to maximize profits.

The best way to visualize this process is as a "lifecycle" - a series of steps that follow each other naturally. The ransomware attack diagram below shows how this 7-stage lifecycle works.

(Diagram: Ransomware lifecycle breakdown, stages 1 to 7)

1. Preparation: target selection and analysis

Ransomware targets are rarely random. Criminal collectives scope out companies with sufficient resources, sensitive data, and weak security measures. Before taking action, attackers filter targets by all three criteria and create a shortlist of potential victims.

This phase of the attack scans for security vulnerabilities. For example, threat actors will look for unpatched remote access software or previous phishing incidents involving company staff. This knowledge helps criminals choose the best vector for their ransomware attacks.

Criminals strategically assess the best internal targets for data extraction. For example, hackers gaining access to a health insurer would probably prefer to extract sensitive patient records. Employee data is less valuable.

Attackers also need to prepare the way for ransomware delivery. They research employees and executives at the target to build profiles of their connections, responsibilities, and online activity. This information feeds into social engineering attacks, allowing attackers to build trust.

2. Delivering the malware payload

The second stage in the ransomware attack lifecycle delivers the malware to the target network and turns the chosen attack vector into a working foothold. Cyber attackers use several methods to achieve initial access to target systems, including:

  • Fake websites. Criminals lure victims to malicious versions of trusted websites and convince visitors to enter credentials or download infected files. This enables threat actors to compromise the network and deliver their payload.
  • Social engineering and email phishing. Criminals research their victims and write persuasive emails disguised as a legitimate contact (for instance, a vendor, colleague, or bank). Victims believe the phisher's story and download attachments or provide credentials directly.
  • Exploit kits. Attackers deliver ransomware via code flaws in outdated software. They may use backdoors to access networks and spread malware under the radar.
  • RDP attacks. Attackers use brute-force attacks against weakly secured Remote Desktop Protocol tools. They then distribute malware via a legitimate remote user account.
  • Social media spam. Attackers target victims with attractive social media links (for instance, to videos or explainer articles). Targets click the link, which downloads and executes the ransomware agent.

All the attack methods above deliver malware onto the target network. Agents execute either automatically or when users click a malicious link or file. They may also disable network security tools to evade detection and establish a persistent presence.

After that, the agent connects to remote control systems, giving attackers the green light to proceed.

3. Controlling the ransomware agent

Ransomware agents communicate with command and control (C2) centers. C2 centers allow attackers to monitor network activity, update malware settings, fetch encryption keys, and deliver additional software if required.

Encrypted communication channels make it hard to break the chain and disable active agents. Criminals also protect C2 centers by switching IP addresses. Domain generation algorithms (DGAs) produce a steady stream of new, random-looking domain names for agents to look up, which conceals the location and ownership of C2 modules and defeats static blocklists, providing space to assess the network and organize the encryption process.
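The DGA traffic described above has a defender-visible side effect: a single host suddenly resolving many high-entropy, vowel-poor domain names. The following detector, an added example that is not part of the original article or NordStellar's tooling, scores each queried name in constructed DNS log lines and reports clients that hit several suspicious names (the log format and thresholds are assumptions for the example):

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log: "<timestamp> <client-ip> <queried-name>" per line.
# Invented sample data for this example; the random-looking names are made up.
SAMPLE_DNS_LOG = """\
2025-02-03T09:12:01Z 10.0.4.17 www.example.com
2025-02-03T09:12:05Z 10.0.4.17 cdn.example.net
2025-02-03T09:12:09Z 10.0.4.17 xk3j9qzt7wlmb2vh.com
2025-02-03T09:12:13Z 10.0.4.17 q8rpd2fzn6hs4ytk.net
2025-02-03T09:12:17Z 10.0.4.22 mail.example.org
2025-02-03T09:12:21Z 10.0.4.17 vwm9l0ac5ujx1pbe.biz
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random labels score close to log2(len)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(fqdn: str) -> str:
    # Assumption: the label left of the last dot is the attacker-chosen part
    # (no public-suffix list handling, to keep the example self-contained).
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(fqdn: str) -> int:
    """Count of DGA-like traits: high entropy, long, digit-heavy, vowel-poor."""
    label = registrable_label(fqdn)
    size = max(len(label), 1)
    digit_ratio = sum(ch.isdigit() for ch in label) / size
    vowel_ratio = sum(ch in "aeiou" for ch in label) / size
    traits = [shannon_entropy(label) > 3.3, len(label) >= 12,
              digit_ratio > 0.2, vowel_ratio < 0.2]
    return sum(traits)


def suspicious_clients(log_text: str, min_score: int = 3, min_hits: int = 3) -> dict:
    """Map client IP -> list of flagged names, for clients with >= min_hits flags."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on real logs
        _ts, client, name = m.groups()
        if dga_score(name) >= min_score:
            hits[client].append(name)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}
```

Requiring several hits per client keeps a single odd-looking CDN hostname from paging an analyst, while a burst of them from one host is exactly the pattern a DGA produces.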

4. Exploration and lateral movement

The next step in ransomware attacks enables attackers to encrypt systems and exfiltrate data. Attackers use lateral movement to roam the compromised network, seeking confidential data stores and ways to establish control.

Attackers do not need to search manually. Advanced ransomware attacks use automated tools to probe networks and discover high-value assets.

This phase looks for additional vulnerabilities, allowing access to more websites or network locations. Criminals have a range of options:

  • Pass-the-hash techniques reuse password hashes harvested from compromised systems to authenticate to other assets, with no need to crack the passwords themselves.
  • Attackers use previously leaked or stolen credentials or extract credentials via keyloggers. Users rely on the same credentials for different services, making lateral movement much simpler.
  • Misconfigured cloud environments often enable access to many assets, extending the scope of encryption processes.

Attackers also look for flaws in identity and access management systems like Active Directory to escalate their privilege levels and achieve greater control.

5. Data exfiltration and encryption

Criminals have now mapped internal assets, identified high-value data, disabled security controls, and hijacked administrative accounts. The next stage is data encryption. This is when most victims become aware of ransomware attacks, which is too late for effective prevention measures.

Criminals use strong encryption to lock down servers, operating systems, critical applications, and individual files. They then refuse to provide the decryption key until victims meet ransom demands.

Attackers adopt an encryption strategy to maximize disruption. Well-designed attacks leave no way to restore systems via fail-safe mechanisms and data backups. However, disruption is rarely the only tactic.

In many ransomware variants, attackers exfiltrate copies of sensitive data before the encryption runs, without being detected. Threat actors store the stolen data on servers they control and threaten to leak or sell it unless victims make additional payments.

6. Demanding the ransom

Extortion is the next part of the ransomware lifecycle. Ransomware attackers generally send a digital notification demanding payment in a chosen cryptocurrency.

Instructions inform victims about the nature of the attack and how to make payments. Distressingly, they also tend to include a countdown timer. When the timer expires, attackers may increase ransom demands, sell stolen data, or permanently refuse to unlock encrypted systems.

Ransomware attacks may involve two or three extortion steps. The first demand unlocks encrypted systems. The second demand covers the stolen data, which attackers threaten to leak or sell. A third demand requests payment to avoid denial-of-service (DoS) attacks.

Note: Law enforcement agencies rarely recommend paying ransoms. If companies continue to pay, ransomware attacks will continue to rise. However, companies must balance ethical concerns with protecting their data and systems. It's not an easy balance to strike.

7. Resolving the attack

Ransomware attacks do not end with payment. As noted earlier, successful cybercriminals may return with secondary attacks. Companies must respond to ransomware incidents by strengthening their security posture.

The recovery process starts immediately. Security teams must scan for persistent malware and eradicate any surviving agents. Responders should verify that ransomware attackers have returned all stolen data and that systems function normally.

In the medium and long term, security teams must assess their tools for updating software, detecting malware, protecting credentials, and preventing lateral movement via network segmentation.

How to defend against a ransomware attack

A proactive security approach is the best way to neutralize ransomware attackers before they can encrypt corporate data. Here are some best practices to defend in depth against ransomware attacks:

Create a streamlined incident response plan

Security teams need a playbook for quarantining ransomware agents, protecting data, and resolving attacks. Teams must know what assets are affected, who they are dealing with, and how to inform key stakeholders. Workshopping different scenarios and ransomware variants is advisable.

Prioritize patch management

Unpatched systems represent open doors for initial access and lateral movement. Use automated tools to deliver updates as soon as they become available.

Scan incoming files and documents

Use download protection tools to guard against infected attachments or malicious downloads. Block files from entering the network until they have been scanned.

Monitor user behavior

Threat actors carry out extensive reconnaissance and network activity before encrypting systems. User and Entity Behavior Analytics (UEBA) tools let you compare user activity with normal baselines and detect suspicious transfers or access requests.
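To make the baseline idea concrete, here is an added example (not part of the original article and not NordStellar's UEBA implementation) that flags a user whose outbound transfer volume jumps far above their own history, or who sends data to a destination never seen before. The per-user figures and hostnames are constructed, and the robust z-score threshold of 3.5 is an assumption:

```python
import statistics

# Constructed baseline: user -> daily outbound megabytes over a 7-day window.
BASELINE_MB = {
    "alice": [120, 140, 110, 135, 125, 130, 115],
    "bob": [40, 55, 45, 50, 60, 48, 52],
}
# Constructed set of destinations each user uploaded to during the baseline.
KNOWN_DESTS = {"alice": {"files.example.com"}, "bob": {"crm.example.com"}}
# Constructed transfers observed today: (user, destination, megabytes).
TODAY = [
    ("alice", "files.example.com", 150),
    ("bob", "crm.example.com", 30),
    ("bob", "bulk-drop.example.invalid", 2370),
]


def robust_zscore(history: list, value: float) -> float:
    """Median/MAD z-score: a single past spike does not inflate the baseline."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    if mad == 0:  # flat history: any deviation is unusual, none is normal
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def flag_anomalies(baseline: dict, known_dests: dict, today: list,
                   threshold: float = 3.5) -> dict:
    """Return user -> {'zscore': float, 'new_destinations': [...]} for alerts."""
    totals, new_dests = {}, {}
    for user, dest, mb in today:
        totals[user] = totals.get(user, 0) + mb
        if dest not in known_dests.get(user, set()):
            new_dests.setdefault(user, []).append(dest)
    alerts = {}
    for user, total in totals.items():
        z = robust_zscore(baseline.get(user, [total]), total)
        novel = new_dests.get(user, [])
        if z > threshold or novel:  # either signal is enough to raise an alert
            alerts[user] = {"zscore": round(z, 1), "new_destinations": novel}
    return alerts
```

In a real deployment the baseline window would come from proxy or firewall egress logs, and the two signals together are what separates a pre-encryption exfiltration burst from a busy but ordinary workday.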

Segment network assets

Preventing lateral movement helps block ransomware escalation. Use network segmentation to limit access to sensitive resources and require multi-factor authentication before granting access.

Regularly back up sensitive data

Backing up data limits the damage from ransomware incidents, enabling rapid system restoration. Store backups in a secure off-site location that malware running on the production network cannot reach.

Detect your data on the Dark Web

When employee or customer credentials appear on Dark Web marketplaces, ransomware attacks could be on the horizon. Use Dark Web monitoring solutions like NordStellar to identify leaks and secure accounts before attacks occur.

The biggest real-life ransomware attacks

Ransomware attacks affect companies of all sizes in every conceivable economic sector. And it's far from a standard malware threat. Real-world examples show that ransomware can quickly spiral from a single malware infection to an existential crisis.

WannaCry hits the UK health sector

In 2017, the UK's National Health Service suffered a crippling series of attacks using the WannaCry ransomware agent. Attackers managed to take hospital servers offline, leading to closures and missed operations. Total costs amounted to £92 million (around $120 million).

In this case, threat actors exploited a flaw in the Windows implementation of the Server Message Block (SMB) protocol. The flaw enabled remote code execution on unpatched devices with zero user interaction, so the agent spread from machine to machine without anyone clicking anything. As a result, it moved quickly and overwhelmed NHS security teams.

Colonial Pipeline: Energy at risk

In 2021, energy firm Colonial Pipeline reported a severe ransomware attack on its pipeline management systems. The company paid the $4.4 million ransom but suffered lengthy restoration delays due to problems with the decryption key provided by the threat actors.

The attack was organized by a group called DarkSide and coupled disruption with data theft, stealing over 100 GB of company data. Initial access came through a compromised password for a disused VPN account that was not protected by multi-factor authentication. Together, those two security mistakes opened up Colonial's entire network.

The Dark Angels mystery

Our final example is a bit shadier and much larger. We still don't know for sure which company was affected. However, reports suggest that in 2024, pharma giant Cencora transferred $75 million to a criminal group called Dark Angels, almost doubling the previous record for a (disclosed) ransom payment.

The Russian collective targets Windows and VMware ESXi network infrastructure and organizes rapid data exfiltration. Operating alone, Dark Angels follows a "big game hunting" approach, focusing on Fortune 500 companies and working as quickly as possible.

Ransomware evolves constantly, and security measures need to keep pace. For example, recent years have seen the emergence of ransomware-as-a-service (RaaS), enabling attacks by less-skilled groups. Bug bounties operate via Dark Web services, helping to fine-tune ransomware toolkits.

Criminals now use AI to research targets and design exfiltration strategies. Double extortion (systems and data) has mutated into triple extortion incidents, adding the risk of DDoS threats.

Attackers have learned to "live off the land," squatting under the cover of legitimate network software. High-speed encryption makes it easier to exfiltrate huge data stores, while blockchain innovations complicate efforts to trace and recover payments.

That's the tip of the iceberg. Deepfakes and AI video are set to revolutionize phishing techniques; targeted attacks on IoT devices will challenge industrial businesses, while AI-powered polymorphic agents could adjust in real time to evade security measures.

Breaking the ransomware lifecycle with NordStellar

Legacy systems can't stand up to emerging attack variants. Defeating ransomware requires cutting-edge threat intelligence and network security tools that stay ahead of criminal techniques.

NordStellar can help you meet tomorrow's ransomware attacks and safeguard every asset. Dark Web Monitoring picks up leaked credentials and chatter about upcoming attacks. Intelligence lets you implement defensive measures, while real-time alerts detect attacks and provide essential context.

The Attack Surface Management (ASM) solution scans every exposed endpoint that ransomware attackers could exploit. Cybersquatting detection flags impersonators and fake sites that could deliver ransomware downloads. Meanwhile, smooth integration with NordLayer's network segmentation tools makes it easier to limit lateral movement.

Take a comprehensive approach and break the ransomware lifecycle. To find out more, contact the NordStellar team today.
