How Ransomware Works: Encryption Is the Least of Your Problems

by Rebecca Sutton
Most people think ransomware works by locking files until you pay for the key. That is still true, but it is no longer the whole picture. Understanding how ransomware works today means accepting that encryption is now the least of your problems. The data theft, the destroyed backups, and the 72-minute exfiltration window are where the real damage happens.

How Ransomware Works: The Hybrid Encryption Model

To understand how ransomware works at the cryptographic level, start with a constraint: no single cipher can do everything. AES-256 or ChaCha20 encrypts the actual files. These are fast symmetric ciphers that can process gigabytes per second on a modern CPU. The problem: both parties need the same key, and the attacker cannot let the victim have it.

RSA-2048 or ECC solves that. The attacker generates an RSA key pair before the campaign. The public key gets embedded in the malware binary. When ransomware executes on a victim system, it generates a random AES session key, encrypts all the target files with that AES key, then wraps the AES key with the attacker’s RSA public key. Only the RSA private key, sitting on the attacker’s infrastructure, can unwrap it. The victim holds encrypted files and an encrypted key they cannot open.

WannaCry used this pattern with AES-128 and RSA-2048. Akira, currently one of the most active groups, uses ChaCha2008 instead and applies “intermittent encryption”: only encrypting alternating blocks within large files. This cuts encryption time, makes the attack harder to catch mid-flight, and still renders the file unusable. Play ransomware uses the same selective-encryption technique.

Getting In: The Three Entry Points

Encryption is impossible without access, and access comes from three sources that have stayed consistent for years. Phishing accounts for 37% of ransomware incidents, exploited vulnerabilities for 32%, and compromised credentials for 23%, per the 2025 Verizon DBIR.

Phishing usually delivers a dropper or a macro document that fetches a second-stage payload from a C2 server. The payload may be Cobalt Strike, a custom loader, or the ransomware binary itself. Exploited vulnerabilities tend to be internet-facing: VPN appliances, Exchange servers, Citrix gateways. Akira has made Cisco VPN exploitation a signature tactic. Initial-access brokers sell valid credentials to ransomware groups, cutting the time operators spend on reconnaissance.

The credentials market is worth noting because it shifts the economics of an attack. Rather than investing weeks in phishing campaigns, a ransomware affiliate can buy verified domain credentials for a few hundred dollars, log straight in through a VPN or RDP, and begin lateral movement within hours. That commoditisation is part of why attack timelines are compressing.

What Happens Before Encryption: The Part That Actually Matters

Between getting in and locking files, there is a phase that determines whether the attack succeeds. Attackers enumerate the network, escalate privileges, and spread. They use living-off-the-land tools: PsExec, WMI, Group Policy, SCCM. Getting domain admin access means they can push the binary to every host at once and run it simultaneously.

Then they exfiltrate data. This is the step that changed the economics of ransomware. If the victim has good backups and refuses to pay, the attacker still threatens to publish the stolen data on a leak site. That threat is often enough to force a negotiation. In 2025, 7,960 organisations appeared on double-extortion leak sites, a 53% year-on-year increase. Some groups now skip the encryption step entirely and leverage data theft alone.

Then they destroy recovery options. Shadow copies go first. The classic route is vssadmin.exe delete shadows /all /quiet. When defenders learned to alert on that, groups switched to WMI. LockBit later used COM object calls to delete VSS snapshots without touching either command-line tool, as CrowdStrike documented. The pattern is consistent: observe what defenders detect, then route around it.

The Numbers That Put This in Perspective

Ransomware accounted for 44% of all data breaches in 2025, per the Verizon DBIR. Median ransom demands sit around $1 million, but the total cost including recovery averages $5.08 million per incident. Small businesses (under 500 employees) fare worse: the average breach cost hits $3.31 million once downtime, legal exposure, and reputational damage are factored in. Projected global losses from ransomware run to $275 billion annually.

The time pressure has also compressed sharply. By 2025, the median gap between initial access and data exfiltration had fallen to 72 minutes, down from 285 minutes in 2024. Many organisations do not have detections that would fire within that window, let alone an incident response playbook fast enough to act on them.

Paying is not a reliable solution. About 64% of organisations refuse. Of those that pay, 69% are attacked again. The attacker knows you will pay, knows roughly what you can afford (from the financial data they exfiltrated), and knows your defences well enough to breach you again. More than 140 distinct ransomware brands stayed active through 2025, meaning a failed negotiation with one group does not remove the threat from others.

The Qilin and Akira Model: What Modern Groups Look Like

Qilin was the most active ransomware group in 2025 with over 1,000 victims and 13% of double-extortion leak-site listings per Check Point’s 2026 Cybersecurity Report. It runs a Rust-based binary with configurable encryption modes and operates a professional Tor-hosted negotiation portal complete with file publication timers.

Akira accounts for around 8% of leak-site victims and uses a Linux variant alongside its Windows payload, targeting virtualisation infrastructure directly. Both groups operate as ransomware-as-a-service, with affiliates handling initial access and operators taking a percentage of the ransom. That affiliate model means the technical sophistication of the initial intrusion varies, but the encryption and extortion backend is consistent.

Breaking the Chain

The most impactful controls address the stages before encryption. MFA on RDP, VPN, and email kills most credential-based access. Rapid patching of internet-facing products closes the vulnerability route. Network segmentation and least-privilege access limit lateral spread after initial access.

Privileged-access workstations for administrative tasks cut the risk that a compromised admin account becomes a fast path to domain controller access. Credential tiering, where admin accounts are separate from daily-use accounts, slows lateral movement even after initial access succeeds.

Immutable, air-gapped backups are the only reliable answer to the encryption stage. Local shadow copies are not enough because ransomware deletes them. Offline or cloud-isolated backups that the malware cannot reach remove the leverage the attacker depends on for payment. Test restoration regularly; a backup that has never been tested is not a backup in any operational sense.

Endpoint detection should fire on VSS deletion commands, mass file extension changes, and ransom note creation in multiple directories. Those behaviours are distinct enough to catch an in-progress campaign and trigger automated host isolation before the spread completes. Pair that with network-level lateral-movement detection: SMB enumeration, PsExec sessions to many hosts, and Group Policy modification from unusual accounts are all high-signal indicators.
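The three endpoint behaviours named above, turned into rules over constructed endpoint telemetry. This is an added example, not code from the article or from any vendor product; the event format, the host names, the ".locked" extension, the note filename and the thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): (host, event_type, detail)
#   proc   -> detail is the process command line
#   rename -> detail is "old_path|new_path"
#   create -> detail is the path of a newly created file
EVENTS = [
    ("ws01", "proc", "vssadmin.exe delete shadows /all /quiet"),
    ("ws02", "proc", "wmic.exe shadowcopy delete"),
    ("ws02", "proc", "notepad.exe report.docx"),
]
EVENTS += [("ws03", "rename", f"C:\\share\\doc{i}.docx|C:\\share\\doc{i}.docx.locked") for i in range(60)]
EVENTS += [("ws03", "create", f"C:\\share\\dir{i}\\README_TO_RESTORE.txt") for i in range(6)]

# The two shadow-copy deletion routes the article mentions (vssadmin and WMI).
VSS_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

def detect(events, rename_threshold=50, note_dir_threshold=5):
    """Return (host, rule) alerts. Thresholds are assumed tuning values, not published ones."""
    alerts = []
    renames = defaultdict(int)                      # host -> renames that changed the extension
    notes = defaultdict(lambda: defaultdict(set))   # host -> filename -> directories it appeared in
    for host, kind, detail in events:
        if kind == "proc" and any(p.search(detail) for p in VSS_PATTERNS):
            alerts.append((host, "vss_deletion"))   # fire immediately, no aggregation needed
        elif kind == "rename":
            old, new = detail.split("|")
            if old.rsplit(".", 1)[-1].lower() != new.rsplit(".", 1)[-1].lower():
                renames[host] += 1
        elif kind == "create":
            directory, _, name = detail.rpartition("\\")
            notes[host][name].add(directory)
    # Aggregated rules: mass extension change and the same note dropped in many directories.
    for host, count in renames.items():
        if count >= rename_threshold:
            alerts.append((host, "mass_extension_change"))
    for host, by_name in notes.items():
        for name, dirs in by_name.items():
            if len(dirs) >= note_dir_threshold:
                alerts.append((host, "ransom_note_fanout"))
    return alerts
```

In production the rename and note counters would be windowed (per host, per few minutes) rather than computed over a whole batch, so that the alert fires while the campaign is still in progress.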

The 72-minute exfiltration window means DLP and network monitoring need to be near real-time, not batch. Rclone to Mega, FTP to bulletproof hosting, and SFTP to attacker-controlled servers are common exfiltration channels. Large outbound transfers to unusual destinations at unusual times should trigger immediate investigation. Some groups use Microsoft OneDrive or Dropbox for exfiltration specifically because those domains are already on allowlists, so inspect volume and destination path, not just domain.
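The volume-plus-destination-plus-path check described above, run over constructed proxy or flow records. Added example, not code from the article; the baseline domains, the corporate tenant mapping, the 1 GB threshold and the business-hours range are assumptions that a real deployment would derive from its own traffic history.

```python
from collections import defaultdict
from datetime import datetime

# Constructed egress records (not real logs): time, host, destination domain, URL path, bytes sent.
RECORDS = [
    ("2025-03-04T02:10:00", "fs01", "mega.nz", "/upload", 3_000_000_000),
    ("2025-03-04T02:12:00", "fs01", "mega.nz", "/upload", 2_500_000_000),
    ("2025-03-04T10:05:00", "ws07", "onedrive.live.com", "/personal/upload", 900_000_000),
    ("2025-03-04T10:06:00", "ws07", "onedrive.live.com", "/personal/upload", 800_000_000),
    ("2025-03-04T11:00:00", "ws02", "contoso-my.sharepoint.com", "/personal/alice_contoso_com/", 300_000_000),
    ("2025-03-04T11:30:00", "ws02", "salesforce.com", "/api", 40_000_000),
]

# Assumed baseline: destinations normally seen from this network, the cloud-storage
# domains that sit on the allowlist, and the path prefix the corporate tenant actually uses.
BASELINE_DOMAINS = {"salesforce.com", "contoso-my.sharepoint.com"}
ALLOWLISTED_STORAGE = {"onedrive.live.com", "contoso-my.sharepoint.com", "dropbox.com"}
CORPORATE_TENANT = {"contoso-my.sharepoint.com": "/personal/"}   # domain -> sanctioned path prefix
THRESHOLD_BYTES = 1_000_000_000   # assumed: 1 GB per host/destination in the window
BUSINESS_HOURS = range(7, 19)     # assumed local working hours

def flag_transfers(records, threshold=THRESHOLD_BYTES):
    """Aggregate outbound bytes per (host, destination) and return the flagged pairs as
    (host, domain, total_bytes, sorted reasons). Volume alone never flags; a reason must exist."""
    totals = defaultdict(int)
    reasons = defaultdict(set)
    for ts, host, domain, path, sent in records:
        key = (host, domain)
        totals[key] += sent
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            reasons[key].add("off_hours")
        if domain in ALLOWLISTED_STORAGE:
            # Allowlisted domain is not enough: the path must belong to the corporate tenant.
            prefix = CORPORATE_TENANT.get(domain)
            if prefix is None or not path.startswith(prefix):
                reasons[key].add("unsanctioned_cloud_path")
        elif domain not in BASELINE_DOMAINS:
            reasons[key].add("unknown_destination")
    return [(h, d, totals[(h, d)], sorted(reasons[(h, d)]))
            for (h, d) in totals if totals[(h, d)] >= threshold and reasons[(h, d)]]
```

Running this as a streaming job over short windows, rather than a nightly batch, is what makes it useful against a 72-minute exfiltration timeline.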
