Person using computer

Most businesses are likely familiar with ransomware—a type of malware that criminals use to extort organizations by encrypting data and holding it hostage until a digital ransom payment is made.

Ransomware is a considerable challenge for businesses: In 2021, ransomware attacks led to a reported $49.2 million in losses, according to the Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3).

Understanding the anatomy of a ransomware attack can help organizations better prepare against these threats. If you know how the ransomware lifecycle unfolds, it may be easier to mitigate risks before potential widespread disruption can occur.

5 stages of a ransomware attack

It can take as little as three days for ransomware to infiltrate and infect systems. This ransomware playbook flowchart outlines the different stages of an attack, so you know where to improve defenses and implement strong controls and policies.

  • 1. Delivery

    The network is compromised by a phishing email, exploit or worm. 

  • 2. Command and control

    Once inside, the ransomware establishes a connection with the attacker's command and control server to receive instructions.

  • 3. Credential access

    Still undetected, the malware continues to set the stage for its attack by stealing credentials and gaining access to more accounts across the network.

  • 4. Canvas

    The virus searches for files to encrypt—both on the local workstation and on any networks it has gained access to through lateral movement.

  • 5. Extortion

    Cybercriminals begin to exfiltrate and/or encrypt local and network files. The attacker demands payment to have them decrypted or released back to the business.


Ransomware trends to know

The ransomware threat landscape rapidly evolves. Keeping up to date on trends can help improve planning and incident response. Here are some overarching trends to keep in mind:

  • Cross-platform coding: Ransomware gangs are using cross-platform programming languages such as Rust or Golang to infect as many systems as possible and cause the maximum amount of damage.
  • Brute Ratel: Hacking groups have begun to move away from Cobalt Strike and are now using Brute Ratel to evade detection by security controls and deploy beacons used to execute commands.
  • Extortion: Cybercriminals are increasingly bypassing encryption activities and proceeding directly to data theft and extortion.
  • Negotiations: Some ransomware organizations have stated they will no longer work with any ransomware negotiators—third-party services that act on your behalf in communicating with the cybercriminals. Others have said they will make public any files taken if details of negotiations are made public.
  • Vulnerabilities: Threat actors will continue to exploit common vulnerabilities such as Log4Shell, ProxyLogon, ProxyShell and Zerologon to gain access to networks and deploy ransomware.

How to help your organization increase resiliency

Protecting against ransomware means planning for major disruptions across the full scope of your IT infrastructure. Here are some best practices that can help you build protections and a response plan:

  • Perform a business impact analysis to help predict the potential consequences of a ransomware attack and gather information to develop recovery strategies.
  • Create multiple backups to restore critical systems if the criminals delete your files—which can occur even after the ransom is paid. Ensure one set of backups is offline and inaccessible from your organization’s main network.
  • Contact your banking provider if you are impacted by ransomware or malware so they can be on high alert for any anomalous activity.
  • Contact law enforcement, including the FBI’s IC3.
  • Provide training and education to employees on how to identify and respond to suspicious emails. This may include conducting phishing exercises.
  • Consider purchasing a cyber insurance policy that covers ransomware.

How JPMorgan Chase can help

If you suspect you’re the target of a ransomware attack, reach out to JPMorgan Chase. It’s important you do not make a ransom-related payment through your JPMorgan Chase account unless we provide written advanced approval for you to process such a payment. This includes payments that do not originate from your account but may originate from your intermediaries using accounts with JPMorgan Chase.

To further protect your organization, download our ransomware preparedness guide from our fraud solutions page with added insights and best practices.

Reach out to your relationship banking team to talk more about cybersecurity and fraud planning.

© 2022 JPMorgan Chase & Co. All rights reserved. JPMorgan Chase Bank, N.A. Member FDIC. Visit for disclosures and disclaimers related to this content.