Incident-as-a-Service

Ransomware Attacks are on the Rise

The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window
Built for:
  • Security Analyst: To gain deep, practical insights into ransomware TTPs and enhance their ability to detect and analyse such attacks within their SIEM and EDR tools.
  • IT Administrator: To understand the critical infrastructure hardening controls, such as authentication and network segmentation, needed to prevent ransomware from gaining a foothold and spreading.
  • CISO / IT Manager: To develop board-level communication strategies, integrate incident response with major compliance frameworks, and build organisational resilience against ransomware threats.

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~192 min total

Module 1: Threat Intelligence

Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.

4 lessons ~180 min
1.1 Ransomware Attacks are on the Rise: Deep Dive 45 min
1.2 Ransomware Campaign Analysis and Attribution 45 min
1.3 Ransomware Attack Vector Analysis 45 min
1.4 Ransomware Indicators of Compromise 45 min
2.1 SIEM Detection Strategies for Ransomware 45 min
2.2 Endpoint Detection and Analysis of Ransomware 45 min
2.3 Ransomware Incident Response Playbook 45 min
2.4 Ransomware Digital Forensics Essentials 45 min
3.1 Authentication Hardening Against Ransomware 45 min
3.2 Access Control Implementation for Ransomware Defence 45 min
3.3 Network Segmentation to Contain Ransomware 45 min
3.4 Zero Trust Architecture and Ransomware 45 min
4.1 Ransomware Security Awareness Programme 45 min
4.2 Board-Level Communication on Ransomware Risk 45 min
4.3 Vendor Risk Management for Ransomware 45 min
4.4 Ransomware and Compliance Framework Integration 45 min

Free Sample Lesson

Read one full lesson before purchasing. No signup required.

Free Lesson Access

Ransomware Attacks are on the Rise: Case Study

Lesson 1 of 16

Lesson 1.1: Ransomware Attacks are on the Rise: Case Study

Compliance Framework Mapping

Framework | Control | Requirement
DORA | Article 5-17 | ICT risk management framework requirements
ISO 27001 | A.12.6.1 | Management of technical vulnerabilities
NIST CSF | PR.IP-12 | A vulnerability management plan is developed and implemented
NIS2 | Article 21 | Risk analysis and information system security policies
SOC 2 | CC7.1 | The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities
GDPR | Article 32 | Security of processing

Introduction

Welcome to Lesson 1.1: Ransomware Attacks are on the Rise: Case Study! Over the next 45 minutes, we will explore the mechanics and impact of a modern ransomware attack through a real-world scenario.

But first, let me tell you about Marcus Webb.

It's 8:15 on a Tuesday in October. Marcus Webb, a senior IT administrator at a regional hospital trust in the Midlands, is finishing his morning coffee. The office is quiet, the hum of servers a familiar background noise. He logs into the central management console, ready to approve the latest batch of security patches.

A notification flashes on his screen: a user from the radiology department has reported their workstation is running unusually slowly. Marcus dismisses it initially; old hardware, probably. But then a second ticket appears, this time from patient admissions. Then a third. The pattern is wrong. The helpdesk phone starts ringing, a sound that quickly becomes constant.

Marcus pulls up the network dashboard. His blood runs cold. Dozens of endpoints are showing the same spike in disk activity, followed by a complete drop in network traffic. He tries to remote into one of the affected machines. The screen is black, save for a single, red message. He has to make a call: try to contain it locally, or pull the emergency power for the entire server room.

This is the story of Ransomware. By the end of this lesson, you'll understand exactly why Marcus never stood a chance, and more importantly, what could have saved him.


Content Section 1: What is Ransomware?

Think of ransomware not as a virus, but as a digital kidnapper. It doesn't want to destroy your data; it wants to hold it hostage for money.

Key Characteristics

Ransomware is a type of malicious software designed to block access to a computer system or its data until a sum of money is paid. It typically works by encrypting files with a key only the attacker holds.

Modern ransomware doesn't just lock one computer. It's designed to spread laterally across a network, seeking out file shares, backups, and connected systems to maximise its impact.

The implication is simple: a single infected endpoint can lead to an organisation-wide crisis. Recovery without the decryption key is often impossible, forcing a choice between paying the ransom or restoring from backups, if they exist and are clean.

The Business Model

Ransomware operates on a clear business model. Attackers invest time in reconnaissance to understand what an organisation can afford to pay. They often set ransoms as a percentage of revenue or based on stolen data's sensitivity.

Industry data indicates that many groups now use a 'Ransomware-as-a-Service' model, where developers lease their malware to affiliates who carry out the attacks, splitting the profits. This has lowered the barrier to entry and increased the volume of attacks.

Think about that last point for a moment. The attacker's power comes not from sophistication, but from patience. They wait until your data is so entangled in their encryption that the cost of untangling it yourself is greater than the ransom.

DORA Article 5-17: DORA's ICT risk management framework requires financial entities to identify, classify, and document their critical business services and the assets supporting them. Understanding ransomware's business model is the first step in assessing the risk it poses to those services.

ISO A.12.6.1: ISO 27001 A.12.6.1 mandates the management of technical vulnerabilities. The ransomware business model exploits unpatched vulnerabilities as a primary entry point, making timely patching a direct control against this threat.



Content Section 2: The Attack Chain

Understanding the ransomware attack chain reveals why it's so effective. Let me show you exactly how Marcus was compromised.

Step-by-Step Intrusion

The attack on Marcus's hospital likely started weeks or months before the encryption event. An affiliate probably purchased access to the network from an initial access broker, or sent a phishing email with a malicious attachment to an employee.

Once a single endpoint was infected, the malware established a foothold. It downloaded additional tools, disabled local security software, and began exploring the network, stealing credentials along the way.

With stolen admin credentials, the attackers moved quietly from system to system, identifying critical assets like the patient database and the backup server. They spent days or weeks mapping the network, ensuring they could trigger maximum disruption simultaneously.

Key Technical Components

The ransomware payload itself is often a small, custom binary. Its job is simple: find files, encrypt them with a strong algorithm, append a new extension, and drop a ransom note.

To prevent recovery, it will also attempt to delete Volume Shadow Copies on Windows systems and wipe or encrypt any connected backup media.

Why Traditional Defences Fail

Method | How It's Bypassed | Time to Compromise
Signature-based AV | Uses novel or obfuscated payloads | Minutes
Network Firewalls | Uses allowed protocols (RDP, SMB) with stolen credentials | Hours/Days
Email Gateways | Uses socially-engineered, legitimate-looking attachments | Minutes
Manual Patching | Exploits known vulnerabilities where patches exist but aren't applied | Weeks/Months

Notice what all of these methods have in common. They rely on the attacker making a mistake or the defence having prior knowledge. Modern ransomware operations are too methodical and patient for that.

Traditional security often focuses on the perimeter. Ransomware exploits the gap between a breached perimeter and the protection of critical data.

Now pay attention, because this is the moment that defines the disaster. This is the moment where the attackers, now holding domain admin rights, deploy the ransomware payload to every connected machine with a single command.

NIST PR.IP-12: NIST CSF PR.IP-12 requires a vulnerability management plan. The table shows how unpatched systems provide a direct path for ransomware. A strong plan closes this gap.

NIS2 Article 21: NIS2 Article 21 mandates risk analysis and security policies. Understanding this attack chain is essential for a realistic risk analysis that informs effective policies against lateral movement and credential theft.



Content Section 3: Seeing the Signs

Marcus's network knew something was wrong. It just couldn't tell him. The systems generated logs that, in isolation, looked like normal admin activity. Together, they told the story of the coming attack.

Network-Level Indicators

Look for unusual flows of data. A workstation making SMB connections to dozens of other machines in a short period is a red flag for lateral movement.

Outbound connections to known command-and-control infrastructure are a clear sign. However, many strains now use common cloud services or encrypted channels to blend in.

A practical step is to baseline normal network traffic for critical servers. A sudden spike in file access requests from a single IP address, especially outside business hours, can indicate automated discovery or encryption activity.

Endpoint-Level Indicators

The encryption process is resource-intensive. Sustained high disk or CPU usage on multiple endpoints, when not linked to a known software update or task, is a key indicator.

Look for the creation of suspicious processes, attempts to disable security tools, or the mass modification of file extensions in a short time frame. The ransom note itself is often a plain text file dropped in multiple directories.

Identity Provider Signals

Ransomware relies on stolen credentials. Multiple failed logins followed by a success from an unusual location or device can signal a compromised account.

Monitor for impossible travel scenarios: a user account logging in from the UK, then from another country minutes later. Also, watch for a single account being used to access an abnormally high number of different systems, which is typical of an attacker moving laterally.

SOC 2 CC7.1: SOC 2 CC7.1 requires detection and monitoring procedures to identify changes that introduce vulnerabilities. Monitoring for the specific indicators listed here, like mass file changes or lateral movement, fulfils this requirement for the ransomware threat.

GDPR Article 32: GDPR Article 32 requires appropriate security of personal data. The ability to detect ransomware activity through these indicators is a key technical measure for ensuring the confidentiality, integrity, and availability of that data.
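The three indicator families described in this section (SMB fan-out from one host, mass extension changes on one host, and a failure burst followed by a success or an impossible-travel pair on one account) written as correlation rules and run over constructed sample events. This is an added example, not course material; the host names, user names, time windows and thresholds are illustrative assumptions to be tuned against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2025, 10, 14, 8, 0)   # constructed timeline start, not from the lesson
MIN = timedelta(minutes=1)
# Constructed SMB flows (time, src, dst): one workstation fans out to 25 servers in ~2.5 min.
SMB_FLOWS = [(T0 + i * MIN / 10, "WS-RAD-07", f"SRV-{i:02d}") for i in range(25)]
SMB_FLOWS += [(T0 + i * 7 * MIN, "WS-ADMIN-01", f"SRV-{i % 3:02d}") for i in range(10)]
# Constructed file writes (time, host, path): 40 renamed files in ~80 s versus normal edits.
FILE_EVENTS = [(T0 + i * MIN / 30, "WS-ADM-12", f"C:\\Data\\doc{i}.xlsx.locked") for i in range(40)]
FILE_EVENTS += [(T0 + i * MIN, "WS-HR-03", f"C:\\Data\\rep{i}.xlsx") for i in range(5)]
# Constructed sign-ins (time, user, outcome, country).
SIGNINS = [(T0 + i * MIN / 12, "m.webb", "fail", "GB") for i in range(6)]
SIGNINS += [(T0 + 1 * MIN, "m.webb", "success", "GB"), (T0 + 4 * MIN, "m.webb", "success", "RO"),
            (T0, "j.doe", "success", "GB"), (T0 + 50 * MIN, "j.doe", "success", "GB")]

def burst(records, window, threshold):
    """Keys emitting >= threshold distinct values inside one window; records are (time, key, value)."""
    by_key = defaultdict(list)
    for t, key, value in records:
        by_key[key].append((t, value))
    flagged = {}
    for key, pairs in by_key.items():
        pairs.sort()                      # sliding window anchored on each record in turn
        for i, (t, _) in enumerate(pairs):
            vals = {v for tt, v in pairs[i:] if tt - t <= window}
            if len(vals) >= threshold:
                flagged[key] = len(vals)
                break
    return flagged

def smb_fanout(flows, window=5 * MIN, threshold=10):
    """Lateral movement: one source reaching >= threshold distinct SMB peers in a window."""
    return burst(flows, window, threshold)

def mass_rename(events, window=2 * MIN, threshold=20, ext=".locked"):
    """Encryption in progress: >= threshold files given the suspect extension on one host."""
    return burst([e for e in events if e[2].lower().endswith(ext)], window, threshold)

def suspicious_signins(signins, fail_threshold=5, travel_window=60 * MIN):
    """Identity signals: a failure burst then a success, or two countries inside travel_window."""
    by_user = defaultdict(list)
    for rec in signins:
        by_user[rec[1]].append(rec)
    flagged = {}
    for user, recs in by_user.items():
        reasons, fails, last_ok = [], 0, None
        for t, _, outcome, country in sorted(recs):
            if outcome == "fail":
                fails += 1
                continue
            if fails >= fail_threshold:
                reasons.append("failures-then-success")
            fails = 0
            if last_ok and country != last_ok[1] and t - last_ok[0] <= travel_window:
                reasons.append(f"impossible-travel {last_ok[1]}->{country}")
            last_ok = (t, country)
        if reasons:
            flagged[user] = reasons
    return flagged
```

Each rule returns only the hosts or accounts that cross its threshold, so the quiet admin host, the normal HR edits and the second user stay silent while the three constructed anomalies surface.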


Activity: Ransomware Exposure Assessment

This activity will help you evaluate your organisation's potential exposure to a ransomware attack by examining key defensive layers.

Important Security Note: Do NOT document or share specific vulnerabilities, IP addresses, system names, or configuration gaps. This is a high-level assessment. Any specific findings must be reported directly to your security team through official channels.

Instructions

Step 1: Review your organisation's backup and recovery procedures. Can you confirm when the last successful, isolated backup of critical data was taken? Is the recovery process tested?

Step 2: Examine network segmentation. At a high level, are critical systems (like databases, finance, backups) separated from general user networks? How would an infection in the marketing department reach the ERP system?

Step 3: Check patch management. For one critical system you use, find out the date its operating system and core applications were last patched. What is the typical delay between a patch release and its deployment?

Step 4: Look at user awareness. When was the last organisation-wide security training that specifically covered phishing? What is the process for users to report suspicious emails?

Submission

For the course discussion forum, share general learnings only:

  • Which of the four areas (Backups, Segmentation, Patching, Awareness) felt like the strongest or weakest in your assessment?
  • What one question from this activity was most valuable for understanding your organisation's posture?
  • Did you consult any internal policies or frameworks to find your answers?

Do NOT share: Specific system names, patch levels, network diagrams, backup schedules, or details of any security gaps you identified.

Review and comment on at least two other students' submissions.


Content Section 4: Building Your Evidence

Compliance documentation is often seen as a checkbox exercise. But in the context of ransomware, it's your battle plan. It's the proof you've thought about the threat before it arrives.

Evidence Generation

This lesson provides documentation for multiple compliance frameworks:

For DORA Article 5-17 auditors: you can now demonstrate that staff have been trained on a specific ICT risk (ransomware), including its attack chain and business impact, as part of your risk management framework.

For ISO A.12.6.1 assessors: you can evidence that personnel responsible for vulnerability management understand how unpatched systems are exploited by ransomware, supporting your technical control implementation.

For NIST PR.IP-12 reviewers: you can show that your organisation's approach to vulnerability management is informed by current threat intelligence on ransomware entry vectors.

Audit Trail

Document your completion of this lesson:

  • Lesson title and date completed
  • Time invested: approximately 45 minutes
  • Key learnings in your own words
  • Activity submission reference
  • Follow-up actions identified

Conclusion

Let me tell you how Marcus's story ended.

The hospital paid a ransom of over £500,000 to regain access to critical patient records. Operations were crippled for a week. Elective surgeries were cancelled, and patient care was delivered from paper notes. Marcus, though not personally at fault for the initial breach, faced disciplinary action for the delay in initiating the incident response plan.

The organisation eventually invested in isolated, immutable backups, implemented strict network segmentation, and deployed 24/7 threat monitoring. The cost of these improvements far exceeded the ransom paid, not to mention the reputational damage and regulatory fines.

But it doesn't have to be your story. That's why we're here.

You should now understand that ransomware is a patient, business-driven attack. You understand its step-by-step chain from initial access to encryption. You know the key technical and behavioural indicators that can signal an attack in progress. And you understand how compliance frameworks map directly to the controls that can stop it.

Next, we'll explore Lesson 1.2: The Economics of Ransomware Negotiation. We'll look at whether paying the ransom is ever the right choice and what happens if you do.

See you there.


Key Takeaways

1. The Patient Intruder: Modern ransomware attacks involve a prolonged dwell time where attackers explore your network, steal credentials, and plan for maximum disruption before deploying the encrypting payload.

2. Beyond the Perimeter: Traditional perimeter defences are insufficient because ransomware often uses legitimate credentials and protocols to move laterally once inside.

3. Detection is in the Patterns: The warning signs, like lateral SMB traffic, mass file changes, and impossible user logins, are visible in network and log data but require correlation and baselining to spot.

4. Compliance as a Defence Blueprint: Frameworks like NIST CSF and ISO 27001 provide the structured controls, like vulnerability management and segmentation, that directly counter each stage of the ransomware attack chain.


Resources

The course materials folder contains downloadable resources for this lesson:

  • Lesson 1.1 Quick Reference Card - Summarise the key detection indicators (lateral movement, file encryption patterns, credential abuse) and immediate isolation steps for a suspected ransomware incident on a single page.
  • Compliance Mapping Worksheet - Map your organisation's existing controls against ransomware (e.g., backup integrity, patch cycles) to specific requirements in DORA, NIST CSF, and ISO 27001 covered in this lesson.
  • Risk Assessment Template - Assess your organisation's exposure to ransomware based on the attack vectors covered (phishing, unpatched vulnerabilities, credential theft) and the value of your critical data assets.
  • Further reading - Links to the NCSC ransomware guidance, CISA's Stop Ransomware site, and MITRE ATT&CK techniques for ransomware (e.g., TA0040, T1486).

Ransomware Attacks are on the Rise Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026

This is 1 of 16 lessons included in the full package.

Enrol Now: Unlock All Lessons


Choose Your Access

All plans include 30-day money-back guarantee

Taster

£ 19

Single course access, ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Or get everything

Access every course in the catalogue, including all future courses

£ 29 /mo
Monthly All-Access

Every course, cancel anytime

£ 249 /yr
Annual All-Access

Save 28%: £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£ 499 /year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£ 999 /year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£ 1999 /year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.

