RANSOMWARE: MECHANISM OF ACTION AND METHODS OF PROTECTION

Keywords: ransomware, cyber threat, cyber attack, protection, cybersecurity, double extortion, EDR/XDR, incident response.

Abstract

Among contemporary digital threats, malicious software in the ransomware category occupies a dominant and distinctive position, posing a danger not only to data confidentiality and availability but also to human safety and to the resilience of entire sectors of the economy, including critical infrastructure and the public sector. Global digitalization, the transition to cloud technologies, and the expansion of corporate network boundaries have significantly increased the attack surface. As ransomware continues to evolve and become more sophisticated, its impact on organizations takes the form of large financial losses, paralysis of business processes, and reputational damage. This necessitates a fundamental reassessment of approaches to information security and gives the topic considerable social and scientific significance. The aim of this article is a comprehensive examination of the ransomware phenomenon: from typological classification and historical development to a detailed study of the technical mechanisms of attack execution and the formulation of practical recommendations for protection. The article outlines the historical stages in the emergence and spread of ransomware, from basic encryptors to the modern “Ransomware-as-a-Service” (RaaS) business model, which has substantially lowered the barrier to entry for cybercriminals. It examines the course of a modern ransomware attack, with a detailed description of its key phases: initial compromise (through phishing, abuse of exposed RDP services, or exploitation of unpatched and zero-day vulnerabilities), lateral movement, data exfiltration, and encryption; in the double-extortion model the exfiltrated data is used as additional leverage, so restoring from backups alone does not end the incident. Based on the analysis conducted, a ransomware protection system is proposed, grounded in the Zero Trust concept and combining technological, organizational, and procedural components.
Organizations need to implement rigorous patch management so that vulnerable services, above all Internet-facing ones, are updated promptly; mandatorily use multi-factor authentication (MFA) for all entry points, including VPN and RDP; and regularly conduct practical phishing simulations for personnel. Technical protection should include strict network segmentation and be based on the mandatory deployment of EDR/XDR-class solutions capable of automatically blocking anomalous activity (for example, deletion of shadow copies or one process rewriting many files with high-entropy content) before irreversible consequences occur. It is critically important to encrypt confidential data at rest, which renders such data useless to attackers if the storage medium or a raw copy of it is stolen or leaked; the caveat is that an attacker operating with a legitimate user's access reads the data in decrypted form, so encryption at rest complements rather than replaces access control and key management. Organizations should also strictly adhere to the “3-2-1” backup rule with isolated (offline or immutable) copies and regularly verify that restores actually work. Every institution should develop, formally approve, and regularly test an Incident Response Plan, while establishing in advance a communication channel with governmental protection agencies such as CERT-UA.
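As an added illustration of the pre-encryption behaviour that an EDR/XDR rule is meant to stop (this is the editor's example, not code from the article or from any product), the script below scores a constructed stream of process and file events for two well-known ransomware indicators: deletion of Volume Shadow Copies (MITRE ATT&CK T1490, "Inhibit System Recovery") and one process rewriting many files under a new extension with ciphertext-like, high-entropy content. The event format, the thresholds, the regexes, the file paths, the process IDs and the toy SHA-256 keystream cipher used to fabricate "encrypted" bytes are all assumptions made for the example.

```python
import hashlib
import math
import os
import re
from collections import defaultdict

# Command lines that destroy recovery points before encryption (MITRE ATT&CK T1490).
# The regexes are this example's own simplification, not a vendor signature.
RECOVERY_INHIBIT_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Thresholds are assumptions chosen for the demo; a real EDR tunes them per estate.
ENTROPY_THRESHOLD = 7.0     # bits per byte; ciphertext and compressed data sit near 8.0
MASS_RENAME_THRESHOLD = 5   # distinct files rewritten under a new extension by one process


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyse(events):
    """Return alerts for a list of (pid, kind, payload) events.

    kind == "exec":  payload is the process command line.
    kind == "write": payload is (old_path, new_path, data): the process read old_path
                     and wrote data to new_path (same path for an in-place edit).
    """
    alerts = []
    touched = defaultdict(set)   # pid -> source files it rewrote as high-entropy, new extension
    for pid, kind, payload in events:
        if kind == "exec":
            if any(p.search(payload) for p in RECOVERY_INHIBIT_PATTERNS):
                alerts.append(("inhibit_recovery", pid, payload))
        elif kind == "write":
            old_path, new_path, data = payload
            old_ext = os.path.splitext(old_path)[1]
            new_ext = os.path.splitext(new_path)[1]
            if old_ext != new_ext and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                touched[pid].add(old_path)
                # Fire once, on the Nth file, rather than on every subsequent write.
                if len(touched[pid]) == MASS_RENAME_THRESHOLD:
                    alerts.append(("mass_encrypting_rename", pid, new_ext))
    return alerts


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Deterministic stand-in for the attacker's file encryption: XOR with a SHA-256
    counter-mode keystream. Only here to produce ciphertext-like bytes offline."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(plaintext) // 32 + 1))
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def demo():
    """Constructed event stream: one ordinary user edit, then a ransomware process."""
    docs = "C:\\Users\\olha\\Documents\\"
    report = b"Quarterly report: revenue grew 4% against forecast. " * 20   # low-entropy text
    events = [
        # Legitimate: an editor saves the same document in place; content stays text.
        (1200, "write", (docs + "q3.docx", docs + "q3.docx", report)),
        # Attacker (hypothetical pid 4412): remove recovery points first ...
        (4412, "exec", "vssadmin.exe delete shadows /all /quiet"),
    ]
    # ... then rewrite documents under a new extension with ciphertext-like content.
    for name in ("q1", "q2", "q3", "q4", "budget", "payroll"):
        src = docs + name + ".docx"
        events.append((4412, "write", (src, src + ".locked", toy_encrypt(report, b"demo-key"))))
    return analyse(events)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Run directly, the script prints two alerts. The `inhibit_recovery` alert fires on the vssadmin command line alone, before any document is touched, which is the window in which a blocking response still prevents damage. The `mass_encrypting_rename` alert fires on the fifth rewritten document and not on the single legitimate in-place save, because that write keeps its extension and stays at the low entropy of text. Real detections add per-process write rates, canary files and process-ancestry context so that archivers and disk-encryption tools do not trip the entropy rule.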

Published: 2026-05-30
How to cite: Luchyk, S. D., Zaika, I. V., & Saienko, S. L. (2026). RANSOMWARE: MECHANISM OF ACTION AND METHODS OF PROTECTION. Systems and Technologies, 72(2), 211-219. https://doi.org/10.32782/2521-6643-2026-2-72.25
Section: CYBER SECURITY AND INFORMATION PROTECTION