What ransomware is and how it works

In short

Ransomware is malware that encrypts an organisation's data and demands a ransom for the decryption key. Modern campaigns use double extortion: they first exfiltrate the data, then encrypt, and threaten to publish it. It is not an instant event: the attacker stays in the network for days or weeks (initial access, lateral movement, exfiltration) before encryption. That window is where you stop it.

Not an event, a process

People picture ransomware as a lightning strike: one moment everything works, the next it is all encrypted. The reality is different: the attacker has been in the network for days or weeks before encryption. Initial access, reconnaissance, lateral movement, exfiltration: encryption is the last act. And it is before that act that you win or lose.

Double (and triple) extortion

Modern gangs exfiltrate data before encrypting it, so even with perfect backups they can still extort with the threat of publication. Some add a third lever (triple extortion): DDoS attacks against the victim, or direct pressure on its customers and partners. That is why backup, while essential, is not enough on its own.

Defending: stop it before encryption

Effective defence acts in the pre-encryption window: continuous detection & response to catch lateral movement and exfiltration, protected identities, isolated (offline or immutable) backups, and an incident response plan that is ready to go. If the attack is already under way, the emergency guide is what counts: what to do after a ransomware attack.

The phases of a ransomware attack

Phase              What happens                                        Where you act
Initial access     Phishing, exposed VPN/RDP, edge-device exploits     Early detection, ITDR (identity threat detection and response)
Lateral movement   Privilege escalation, reconnaissance, persistence   MDR: stop it here
Exfiltration       Data copied out of the network                      Containment, C2 blocking
Encryption         Ransomware executed, ransom demanded                Too late: recovery
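To make the "where you act" column concrete for the lateral movement and exfiltration rows, here is an added example (written for this page; it is not Fortgale's tooling nor code from any operation described here) that runs two simple hunts over constructed telemetry: an account that reaches many distinct hosts inside a short window, and an internal host that pushes an unusual volume of data to one external address. The host names, IP addresses (documentation ranges), thresholds and record layout are all assumptions; in practice they would come from your EDR or SIEM and be tuned per environment.

```python
"""Hunt the pre-encryption window: flag lateral movement and bulk
exfiltration in simplified authentication and network-flow records.
Example code for this page; sample data is constructed, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed logon records: (time, user, source host, target host, logon type).
# Logon types follow the Windows 4624 convention: 3 = network, 10 = RDP.
AUTH_EVENTS = [
    ("2024-05-03T01:02:10", "svc-backup", "WS-0412", "FS-01", 3),
    ("2024-05-03T01:04:55", "svc-backup", "WS-0412", "FS-02", 3),
    ("2024-05-03T01:06:30", "svc-backup", "WS-0412", "DC-01", 3),
    ("2024-05-03T01:07:12", "svc-backup", "WS-0412", "SQL-01", 10),
    ("2024-05-03T01:09:48", "svc-backup", "WS-0412", "HV-01", 10),
    ("2024-05-03T09:15:00", "a.rossi", "WS-0101", "FS-01", 3),      # normal user
    ("2024-05-03T09:40:00", "a.rossi", "WS-0101", "MAIL-01", 3),
]

# Constructed outbound flow records: (time, source host, destination IP, bytes out).
# External addresses use IANA documentation ranges (203.0.113.0/24, 198.51.100.0/24).
FLOWS = [
    ("2024-05-03T01:20:00", "FS-01", "10.0.5.20", 850_000_000),       # internal replication
    ("2024-05-03T01:30:00", "FS-01", "203.0.113.7", 1_900_000_000),
    ("2024-05-03T01:45:00", "FS-01", "203.0.113.7", 2_400_000_000),
    ("2024-05-03T02:05:00", "FS-01", "203.0.113.7", 1_100_000_000),
    ("2024-05-03T10:00:00", "WS-0101", "198.51.100.46", 12_000_000),  # ordinary browsing
]

# RFC 1918 space counts as internal; everything else is treated as outside the network.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def lateral_movement(events, min_hosts=4, window=timedelta(minutes=30)):
    """Flag accounts that log on to >= min_hosts distinct hosts within `window`.
    A sliding window is started at each of the account's logons in time order;
    the first window that crosses the threshold produces one finding."""
    findings = []
    by_user = defaultdict(list)
    for t, user, _src, dst, logon_type in events:
        if logon_type in (3, 10):  # network or RDP logons: the ones used to move
            by_user[user].append((parse_ts(t), dst))
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {dst for t, dst in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings.append({"type": "lateral_movement", "user": user,
                                 "hosts": sorted(hosts), "window_start": t0.isoformat()})
                break
    return findings


def exfiltration(flows, threshold_bytes=5_000_000_000, window=timedelta(hours=1)):
    """Flag internal hosts that send >= threshold_bytes to a single external IP
    within `window`. Internal destinations are skipped so backup and replication
    traffic does not trigger the rule; the threshold is an assumed, per-site value."""
    findings = []
    by_pair = defaultdict(list)
    for t, src, dst_ip, nbytes in flows:
        if is_internal(dst_ip):
            continue
        by_pair[(src, dst_ip)].append((parse_ts(t), nbytes))
    for (src, dst_ip), records in by_pair.items():
        records.sort()
        for i, (t0, _) in enumerate(records):
            total = sum(b for t, b in records[i:] if t - t0 <= window)
            if total >= threshold_bytes:
                findings.append({"type": "exfiltration", "src": src, "dst_ip": dst_ip,
                                 "bytes": total, "window_start": t0.isoformat()})
                break
    return findings


def hunt(events=AUTH_EVENTS, flows=FLOWS):
    """Run both hunts and return the combined findings (lateral movement first)."""
    return lateral_movement(events) + exfiltration(flows)


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

On the constructed data the service account fanning out to five hosts in seven minutes and the 5.4 GB pushed from FS-01 to one external address both surface while the normal user and the internal replication traffic do not; both findings land hours before any encryption would, which is the window the text above is about.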
Field-observed proof · ransomware prevented

In Operation Storming Tide the Fortgale team spotted the attacker in the pre-encryption phases (Matanbuchus 3.0 → Astarion → SystemBC) and prevented exfiltration and ransomware through containment.

Read the analysis →
FAQ

Frequently asked.

Should I pay the ransom?

Almost never. Paying guarantees neither recovery nor the deletion of exfiltrated copies; it funds crime and may breach sanctions or other regulations. See the emergency guide ransomware attack: what to do.

How does ransomware get into a company?

The most common vectors: phishing and credential theft, exposed services (VPN, RDP), exploits of perimeter devices (firewalls, VPN gateways), and access sold by Initial Access Brokers.

What does double extortion change?

The attacker exfiltrates the data before encrypting it and threatens to publish it. Even with perfect backups, the disclosure risk remains: that is why it matters to stop the attack before exfiltration, not just to be able to restore.

How do you defend against ransomware?

Tested and isolated backups, identity and access hardening, continuous detection & response (MDR) to catch the attacker in the pre-encryption phases, and an incident response plan ready to go.

How Fortgale delivers it

From theory to a real operation.

What you read here, Fortgale runs every day with a European SOC 24·7·365: 287 tools and actors profiled, <30 min median containment. Explore the service: Fortgale ransomware protection.

Related resources: Ransomware attack: what to do (emergency) · What is MDR · Ransomware protection · Tracked ransomware groups (technical profiles)
