Ransomware Attack Structure: Defining the Threat
Over time, ransomware demands have expanded in both magnitude and sophistication. Attackers typically rely on several common infiltration tactics, including phishing campaigns, exploiting unpatched software flaws, and abusing weaknesses in Remote Desktop Protocol (RDP) systems (CISA, Ransomware Guide). This section outlines how each of these methods operates and examines two advanced variations—double and triple extortion—that have made recent attacks especially severe.
Phishing attacks involve deceptive emails crafted to persuade recipients to open malicious attachments or follow malicious links. In 2024, there was a “notable rise in phishing and social engineering incidents, with 42% of surveyed organizations experiencing such attacks” (World Economic Forum, Global Cybersecurity Outlook 2025). This rise stems from phishing’s reliance on human error and the minimal technical skill required to execute it. These emails are designed to appear legitimate, often mimicking messages from trusted companies or institutions, making them difficult to detect without proper user awareness training. Once a recipient opens the malicious file or link, the attacker gains an initial foothold on the system, from which ransomware is then installed.
Phishing’s role has also grown quickly: its share of ransomware attacks rose from 11% in 2024 to 18% in 2025 (Sophos, The State of Ransomware 2025).
Despite the growing role of phishing, unpatched software vulnerabilities remain the single most common entry point. According to the same report, 32% of ransomware cases began with exploited vulnerabilities, making this the most frequent technical root cause (Sophos, The State of Ransomware 2025). In these attacks, cybercriminals scan for internet-facing systems running outdated or insecure versions of operating systems, web servers, VPN appliances, or third-party software. Using automated tools, they can gain access and install ransomware without requiring any user interaction. Victims of these exploits tend to experience the most severe impacts, including higher rates of backup compromise (75%), data encryption (67%), and ransom payments (71%) than those attacked via stolen credentials. The financial toll is also heavier, with average recovery costs reaching $3.58 million versus $2.58 million for credential-based breaches (Sophos, Ransomware Payments Increase 500% in the Last Year, Finds Sophos State of Ransomware Report).
Exposed Remote Desktop Protocol services represent another major gateway for attackers. The weakness here is usually not a flaw in RDP itself but an internet-reachable logon prompt protected only by weak, reused, or stolen credentials, which attackers guess through brute-force attempts or replay from earlier breaches. While RDP-related incidents may result in slightly lower rates of data encryption and system damage than vulnerability-based attacks, they are particularly attractive to attackers operating remotely, because a successful logon yields an interactive session inside the victim’s network. In 2021, 40% of initial ransomware breaches originated from stolen credential use (Alder, Verizon Data Breach Investigations Report Reveals 2021 Data Breach Trends).
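The credential-guessing pattern described above leaves a recognisable trace in Windows Security logs: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a success (event 4624) from the same address. The following Python detector is an added example, not code from the original essay or from any of the cited reports. It assumes the events have already been exported as dictionaries with the fields shown (EventID, TimeCreated, IpAddress, TargetUserName, LogonType), and the sample records are constructed for this illustration.

```python
"""
Flag RDP credential brute-forcing in Windows Security event records.

Added illustration; assumes events were exported as dicts with the fields
below. The sample records are constructed, not taken from a real host.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs: 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive, which is how RDP sessions are recorded.
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample: 203.0.113.7 cycles through accounts and finally gets in
# as jsmith; 198.51.100.22 is a user mistyping a password once. The LogonType 3
# record is a network (SMB) logon and must be ignored by an RDP-specific rule.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2025-03-01T02:00:01", "IpAddress": "203.0.113.7",   "TargetUserName": "administrator", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2025-03-01T02:00:05", "IpAddress": "203.0.113.7",   "TargetUserName": "admin",         "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2025-03-01T02:00:09", "IpAddress": "203.0.113.7",   "TargetUserName": "backup",        "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2025-03-01T02:00:13", "IpAddress": "203.0.113.7",   "TargetUserName": "svc_sql",       "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2025-03-01T02:00:17", "IpAddress": "203.0.113.7",   "TargetUserName": "jsmith",        "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2025-03-01T02:00:21", "IpAddress": "203.0.113.7",   "TargetUserName": "jsmith",        "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2025-03-01T02:00:30", "IpAddress": "203.0.113.7",   "TargetUserName": "jsmith",        "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2025-03-01T02:00:40", "IpAddress": "203.0.113.7",   "TargetUserName": "jsmith",        "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2025-03-01T09:15:00", "IpAddress": "198.51.100.22", "TargetUserName": "mperez",        "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2025-03-01T09:15:20", "IpAddress": "198.51.100.22", "TargetUserName": "mperez",        "LogonType": 10},
]


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per source IP that produced at least `threshold`
    failed RDP logons inside any `window`-long interval. If the same IP then
    logs on successfully after the burst, the finding is escalated to
    'likely_compromise' and names the account that got in."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["LogonType"] != RDP_LOGON_TYPE:      # RDP-only rule
            continue
        by_ip[ev["IpAddress"]].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["EventID"], ev["TargetUserName"])
        )

    findings = []
    for ip, recs in by_ip.items():
        recs.sort()                                # chronological order
        failures = [(t, user) for t, eid, user in recs if eid == FAILED_LOGON]

        # Sliding window over the failure timestamps: is any window dense enough?
        burst_end, left = None, 0
        for right in range(len(failures)):
            while failures[right][0] - failures[left][0] > window:
                left += 1
            if right - left + 1 >= threshold:
                burst_end = failures[right][0]
        if burst_end is None:
            continue

        finding = {
            "ip": ip,
            "failures": len(failures),
            "distinct_users": len({user for _, user in failures}),
            "severity": "brute_force",
        }
        # A success from the same source after the burst is the signal that
        # matters most: the guessed or stolen credential worked.
        for t, eid, user in recs:
            if eid == SUCCESS_LOGON and t >= burst_end:
                finding["severity"] = "likely_compromise"
                finding["account"] = user
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_rdp_brute_force(SAMPLE_EVENTS):
        print(f)
```

The threshold and window are deliberately conservative defaults; on a real estate they should be tuned against the normal rate of mistyped passwords, and the rule is far more useful when the source address is also checked against the organisation's own ranges, since an RDP logon prompt reachable from an arbitrary public address is itself the finding that matters.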
Although phishing, software flaws, and RDP exploitation remain widespread, the emergence of double extortion has transformed the ransomware landscape by amplifying pressure on victims. Between 2023 and 2024, double extortion attacks surged—rising 259% in Latin America and 8% in North America (SonicWall). In such cases, attackers not only encrypt a victim’s files but also steal copies beforehand, threatening to leak or sell the data if payment is withheld. This strategy renders backups less useful, since even if files are restored, victims still face reputational and legal risks from data exposure.
Triple extortion intensifies this strategy by introducing a third layer of coercion. In these attacks, cybercriminals not only encrypt and steal data but also target affiliated individuals or organizations—such as employees, partners, or clients—with separate ransom demands. Within the healthcare sector, for instance, attackers may directly threaten patients, demanding payments to prevent their personal information from being released (SonicWall). This escalation expands both the number of potential victims and the attackers’ financial gain, while also complicating response and recovery for the main target.
A prominent example of a group using these techniques is BlackCat, also known as ALPHV. This cybercriminal organization exfiltrates sensitive data before encrypting it and adds Distributed Denial-of-Service (DDoS) attacks to further pressure victims into paying. If the ransom remains unpaid, BlackCat publicly releases the stolen data on its own leak website (Praneeth Nangineni and Winterfeld).