What ransomware is and how it works
Ransomware is malware that encrypts an organisation's data and demands a ransom for the decryption key. Modern campaigns use double extortion: they first exfiltrate the data, then encrypt, and threaten to publish it. It is not an instant event: the attacker stays in the network for days or weeks (initial access, lateral movement, exfiltration) before encryption. That window is where you stop it.
Not an event, a process
People picture ransomware as a lightning strike: one moment everything works, the next it is all encrypted. The reality is different: the attacker has been in the network for days or weeks before encryption. Initial access, reconnaissance, lateral movement, exfiltration: encryption is the last act. And it is before that act that you win or lose.
Double (and triple) extortion
Modern gangs exfiltrate data before encrypting it: so, even with perfect backups, they can extort with the threat of publication. Some add DDoS attacks or direct pressure on customers and partners. That is why backup, while essential, is not enough on its own.
Defending: stop it before encryption
Effective defence acts in the pre-encryption window: continuous detection & response to catch lateral movement and exfiltration, protected identities, isolated backups and a ready incident response plan. If the attack is already under way, the emergency guide is what counts: what to do after a ransomware attack.
The phases of a ransomware attack
| Phase | What happens | Where you act |
|---|---|---|
| Initial access | Phishing, exposed VPN/RDP, edge exploits | Early detection, ITDR |
| Lateral movement | Escalation, reconnaissance, persistence | MDR: stop it here |
| Exfiltration | Data copied out | Containment, C2 blocking |
| Encryption | Ransomware executed, ransom demanded | Too late: recovery |
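The phases in the table, as an added example (not Fortgale's own tooling): a small Python triage walks constructed log events, labels each detection with the phase from the table, and returns everything caught before the encryption phase, i.e. the window in which containment still prevents impact. Event fields, thresholds, host names and the known-endpoint list are assumptions made for the illustration.

```python
"""Phase-aware triage of constructed security events (added example)."""
from collections import defaultdict

# Constructed sample events: (time, user, src, dst, event_type, bytes_out)
EVENTS = [
    ("08:01", "jdoe", "198.51.100.9", "vpn-gw", "vpn_login", 0),
    ("08:10", "jdoe", "ws-12", "ws-14", "smb_logon", 0),
    ("08:12", "jdoe", "ws-12", "ws-15", "smb_logon", 0),
    ("08:13", "jdoe", "ws-12", "srv-dc1", "smb_logon", 0),
    ("08:14", "jdoe", "ws-12", "srv-files", "smb_logon", 0),
    ("09:30", "jdoe", "srv-files", "203.0.113.7", "outbound_transfer", 12_000_000_000),
    ("11:00", "jdoe", "srv-files", "srv-files", "mass_file_rename", 0),
]

KNOWN_VPN_SOURCES = {"192.0.2.10"}       # assumed corporate egress addresses
LATERAL_HOST_THRESHOLD = 3               # distinct hosts reached by one account
EXFIL_BYTES_THRESHOLD = 1_000_000_000    # 1 GB outbound to one external host

def classify(events):
    """Return (phase, detail) findings in detection order, phase names as in the table."""
    findings = []
    hosts_by_user = defaultdict(set)
    for ts, user, src, dst, etype, nbytes in events:
        if etype == "vpn_login" and src not in KNOWN_VPN_SOURCES:
            # Identity signal: a login from an address never seen for this tenant
            findings.append(("Initial access", f"{ts} {user} VPN login from {src}"))
        elif etype == "smb_logon":
            # One account fanning out across hosts is the lateral-movement signature
            hosts_by_user[user].add(dst)
            if len(hosts_by_user[user]) == LATERAL_HOST_THRESHOLD:
                findings.append(("Lateral movement",
                                 f"{ts} {user} reached {LATERAL_HOST_THRESHOLD} hosts"))
        elif etype == "outbound_transfer" and nbytes >= EXFIL_BYTES_THRESHOLD:
            findings.append(("Exfiltration", f"{ts} {nbytes} bytes {src} -> {dst}"))
        elif etype == "mass_file_rename":
            findings.append(("Encryption", f"{ts} mass rename on {src}"))
    return findings

def containment_window(findings):
    """Findings raised before the first encryption-phase event: act on these."""
    window = []
    for phase, detail in findings:
        if phase == "Encryption":
            break
        window.append((phase, detail))
    return window

if __name__ == "__main__":
    for phase, detail in containment_window(classify(EVENTS)):
        print(f"[{phase}] {detail}")
```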
In Operation Storming Tide the Fortgale team spotted the attacker in the pre-encryption phases (Matanbuchus 3.0 → Astarion → SystemBC) and prevented exfiltration and ransomware through containment.
Read the analysis →
Frequently asked questions
Should I pay the ransom?
Almost never. Paying does not guarantee recovery or the deletion of exfiltrated copies; it funds crime and may breach regulations. See the emergency guide: ransomware attack, what to do.
How does ransomware get into a company?
The most common vectors: phishing and credential theft, exposed services (VPN, RDP), exploits of perimeter devices (firewalls, VPN gateways), and access sold by Initial Access Brokers.
What does double extortion change?
The attacker exfiltrates the data before encrypting it and threatens to publish it. Even with perfect backups, the disclosure risk remains: that is why it matters to stop the attack before exfiltration, not just to be able to restore.
How do you defend against ransomware?
Tested and isolated backups, identity and access hardening, continuous detection & response (MDR) to catch the attacker in the pre-encryption phases, and an incident response plan ready to go.
From theory to a real operation.
What you read here, Fortgale runs every day with a European SOC 24·7·365: 287 tools and actors profiled, <30 min median containment. Explore the service: Fortgale ransomware protection.
Related resources: Ransomware attack: what to do (emergency) · What is MDR · Ransomware protection · Tracked ransomware groups (technical profiles)
A technical conversation, not a funnel.
Leave your details: an analyst calls you back within one business day. European SOC, same time zone, proprietary intelligence on the actors active across the EU.