Understanding how ransomware works is your first line of defense against these devastating attacks. Join Curtis Preston and Dr. Mike Saylor as they break down the five objectives attackers follow in nearly every ransomware campaign.
In this episode, we examine how ransomware works from the attacker's perspective. We start with initial access - how do these bad guys even get into your network? Dr. Saylor explains the role of initial access brokers (IABs), criminals who specialize in harvesting and selling credentials to ransomware operators. Email phishing remains the most cost-effective and statistically reliable attack vector, but purchased credentials and vulnerability exploitation are also common entry points.
Once inside, attackers don't immediately start encrypting. They move laterally through your network, conducting reconnaissance to map your environment and locate your most valuable data. This is when they're looking for your backups, your domain controllers, and your crown jewels. The "phone home" phase establishes command and control communications, allowing attackers to coordinate activities and receive instructions from their operators.
Data exfiltration has become a critical component of how ransomware works in 2026. Double extortion means attackers steal your data before encrypting it, threatening to publish sensitive information even if you can restore from backups. This fundamentally changes the ransomware equation and makes incident response more complex.
The encryption phase is resource-intensive and often detectable if you're paying attention. Mike explains how your computer might slow down, lag, or behave strangely during active encryption. Modern ransomware is sophisticated enough to examine file headers rather than just extensions, making it nearly impossible to hide valuable files by simply renaming them.
Finally, we cover ransom note delivery. Gone are the days of flashy desktop takeovers - today's ransomware drops text files in every folder it encrypts, making the message impossible to miss but also less "newbie" in appearance.
This episode is the first in an extensive series covering our new book "Learning Ransomware Response and Recovery" from O'Reilly. We're planning literally a hundred episodes exploring different aspects of ransomware response and recovery.
TIMESTAMPS:
00:00 Introduction and podcast overview
01:25 Welcome and guest introductions
06:10 Beginning the five objectives discussion
07:07 Objective 1: Initial access and IABs explained
15:05 Objective 2: Lateral movement and reconnaissance
20:53 Objective 3: Phoning home and command & control
24:45 Objective 4: Data exfiltration and double extortion
30:16 Discussing the five objectives framework
32:04 Regional patterns in ransomware attacks
33:52 Ransom note delivery methods
35:12 Can you hide files from ransomware? File headers explained
37:06 Is encryption detectable? Resource usage signs
38:30 Review of the five objectives and wrap-up
Subscribe to The Backup Wrap-up for weekly episodes on backup, recovery, and cybersecurity.
Book: "Learning Ransomware Response and Recovery" by W. Curtis Preston and Dr. Mike Saylor