
What actually happens during a ransomware attack — and how to survive one

A step-by-step look at how a ransomware attack unfolds against a business, and the preparation that means you recover without paying.

Understanding how a ransomware attack actually unfolds is the first step to making sure you survive one.

Ransomware is the disaster scenario most Melbourne businesses fear, and rightly so. But it is not magic — it follows a predictable pattern, and at almost every stage, good preparation changes the outcome. Here is how an attack typically unfolds, and where the defences sit.

Stage 1: Getting in

Most ransomware starts with something mundane — a phished password, a malicious email attachment, or an unpatched system exposed to the internet. The attacker rarely "breaks in" dramatically; they walk through a door that was left open. Defence: MFA, email security, patching and staff training close most of these doors.

Stage 2: Quietly spreading

Once inside, attackers often wait. They explore the network, steal credentials, escalate their access, and identify your most valuable data and your backups. This can take days or weeks, and traditional antivirus usually sees nothing. Defence: this is exactly what a Security Operations Centre exists to catch — the unusual behaviour during this quiet phase, before encryption begins.

Stage 3: Stealing data

Modern ransomware crews copy your data out before encrypting it, so they can threaten to publish it even if you have backups. This "double extortion" is now standard. Defence: monitoring for large data transfers, and controls that limit how much an attacker can reach.

Stage 4: Encryption and the ransom

Finally, the attacker triggers encryption — often overnight or over a weekend — locking your files and leaving a ransom demand. This is the moment you notice, and by then the earlier stages have already played out. Defence: immutable backups that the attacker could not delete mean you can recover without paying.

Stage 5: Recovery — the part that defines the outcome

Here is where preparation decides everything. A business with tested, immutable backups and an incident response plan contains the attack, restores from clean backups, and is running again — without paying a ransom. A business without them faces an impossible choice between paying criminals (with no guarantee) and losing their data. The attack is the same; the preparation is what differs.

How to make sure you survive one

Survival is built before the attack, not during it: layered prevention to reduce the chance of getting in, 24/7 monitoring to catch the quiet phase, immutable and tested backups via disaster recovery, and an incident response plan ready to go. Each stage above has a defence — together they turn a business-ending event into a bad few days.

Frequently asked questions

How does a ransomware attack start?

Usually with a phished password, a malicious attachment, or an unpatched internet-facing system — an open door rather than a dramatic break-in.

Should we pay the ransom?

The goal is never to have to. With immutable, tested backups you can recover without paying. Paying funds criminals and offers no guarantee of getting your data back.

How can a SOC help against ransomware?

By detecting the quiet phase — credential theft and lateral movement — before encryption begins, allowing containment before real damage is done.

What is the most important ransomware protection?

There is no single one — layered prevention, monitoring and immutable tested backups together are what let you survive without paying.

Make sure you would survive one

Book a free IT & Cyber Security Review and we will check whether you could recover from ransomware today. Call 1300 053 948.