How to Protect Your Environment Against Ransomware?
- Hanna Korotka
- Mar 12

Ransomware isn’t just an inconvenience—it has evolved into a full-fledged underground industry, generating billions of dollars in illicit profits. Cybercriminals are no longer lone hackers working from a basement; they operate as structured businesses, offering ransomware-as-a-service (RaaS) and collaborating with affiliates to maximize their reach.
According to Microsoft, ransomware attacks have surged by 130.4% in the past year, affecting organizations of all sizes. This alarming trend highlights a harsh reality: if your business isn’t prepared, you are a target.
The good news? Understanding how ransomware works is the first step in stopping it. Let’s break down the different types of ransomware, how attacks unfold, and the best ways to protect your organization.
Two Major Types of Ransomware
1. Commodity Ransomware
Often referred to as “out-of-the-box” malware, commodity ransomware targets large volumes of victims—anyone from individuals to smaller businesses. Attackers rely on quick hits and lower payouts, using automated processes that lock down endpoints swiftly.
2. Human-Operated Ransomware
Here, skilled cybercriminals launch highly personalized, “hands-on-keyboard” attacks. They carefully choose high-value targets such as large organizations or government agencies, aiming for massive payouts. The process can take weeks or even months as attackers stealthily move through networks before unleashing the ransomware.
Ransomware-as-a-Service (RaaS)
Just like legitimate SaaS (Software-as-a-Service) businesses, cybercriminals now sell and lease ransomware tools to affiliates. This model allows even unskilled criminals to launch sophisticated attacks.
For example, the DarkSide ransomware group takes a 25% cut of ransoms under $500,000 but only 10% for ransoms exceeding $5,000,000, incentivizing criminals to go after high-value targets. This business model has fueled an explosion in ransomware incidents worldwide.
The Four Phases of a Ransomware Attack
Microsoft breaks down a ransomware incident into four key stages. Recognizing these phases is critical to building an effective defense:
1️⃣ Initial Compromise – Gaining Entry
Attackers breach an organization through:
- Phishing emails with malicious links or attachments
- Weak passwords and credential theft
- Exploiting unpatched vulnerabilities
🛡️ How to Defend Against It:
✔️ Keep software updated and proactively patch vulnerabilities
✔️ Enforce Multi-Factor Authentication (MFA) to prevent unauthorized logins
✔️ Adopt Zero Trust principles to verify users and devices
✔️ Train employees to recognize phishing attempts
2️⃣ Escalation – Strengthening Their Foothold
Once inside, attackers gain higher privileges and move laterally through your network. They may:
- Exploit admin accounts
- Deploy additional malware
- Disable security tools to avoid detection
🛡️ How to Defend Against It:
✔️ Implement privileged access management (PAM) to restrict admin privileges
✔️ Continuously monitor networks for suspicious activity
✔️ Automate security policies to isolate compromised resources
3️⃣ Exfiltration – Data Theft & Encryption
Cybercriminals steal sensitive data before locking down systems, threatening to leak it unless a ransom is paid.
🛡️ How to Defend Against It:
✔️ Back up data regularly and store copies in offline or cloud-based systems
✔️ Restrict broad read/write permissions for critical data
✔️ Use controlled folder access to prevent unauthorized encryption
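One way to roll out the controlled folder access item above on Windows endpoints running Microsoft Defender Antivirus, shown as an added example that is not from the original post. The folder path `D:\Finance` is a placeholder assumption; the script starts in audit mode so that legitimate applications which would be blocked appear in the event log before enforcement is switched on.

```powershell
#Requires -RunAsAdministrator
# Added example: staged rollout of Controlled Folder Access (CFA).
# Assumption: D:\Finance is a placeholder for a folder holding critical data.
param(
    [string[]]$ProtectedFolders = @('D:\Finance'),   # placeholder path
    [int]$ReviewDays = 7,
    [switch]$Enforce
)

# 1. Add the critical folders to the protected list. Default user folders
#    such as Documents and Pictures are already covered by CFA.
foreach ($folder in $ProtectedFolders) {
    if (Test-Path -LiteralPath $folder) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    } else {
        Write-Warning "Skipping missing folder: $folder"
    }
}

# 2. First pass: audit mode logs writes by untrusted apps without blocking.
if (-not $Enforce) {
    Set-MpPreference -EnableControlledFolderAccess AuditMode
}

# 3. Review what CFA blocked (event 1123) or would have blocked (event 1124).
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-$ReviewDays)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) {
    $events | Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Output "No CFA events in the last $ReviewDays days."
}

# 4. Second pass (-Enforce): block once the audit log has been reviewed and
#    trusted line-of-business apps have been allowed.
if ($Enforce) {
    Set-MpPreference -EnableControlledFolderAccess Enabled
}

# Report the resulting state: 0 = Disabled, 1 = Enabled, 2 = AuditMode
(Get-MpPreference).EnableControlledFolderAccess
```

Applications that show up in the audit events and are known to be legitimate can be allowed with `Add-MpPreference -ControlledFolderAccessAllowedApplications` before re-running the script with `-Enforce`.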
4️⃣ Ransom – The Demand for Payment
Attackers demand payment—typically in untraceable cryptocurrency—and promise to restore access. However, paying the ransom does not guarantee data recovery.
📉 On average, victims who paid recovered only 65% of their data, with 29% getting back less than half.
🛡️ How to Defend Against It:
✔️ Maintain a disaster recovery plan to restore operations without relying on ransom payments
✔️ Fully remove backdoors and persistence mechanisms, or attackers may strike again
✔️ Never assume attackers will honor their promises—paying a ransom funds future attacks
How Microsoft Fights Ransomware

Be Proactive, Not Reactive
Ransomware isn’t just a cyber threat—it’s a serious business risk. A single attack can cause financial and reputational damage, but with proactive security and a solid recovery plan, you can stay protected.
How Plexhosted Helps:
✔️ Managed security solutions to prevent ransomware
✔️ Compliance & risk management to meet regulations
✔️ Microsoft 365 security optimizations for stronger protection
Partner with Plexhosted for expert security without the complexity. Let’s secure your business together!