Ransomware Attacks: Mechanics, Human Impact, and Responses

Name: Cyberattacks, data encryption, extortion - How cybercriminals operate | DW Documentary
Uploaded: 2026-04-07T16:29:33.452030+00:00
Duration: 28 min 26 s
Channel: DW Documentary
Description: Summary and key takeaways on Ransomware Attacks: Mechanics, Human Impact, and Responses, covering The Anatomy of a Ransomware Attack Attackers gain entry

DW Documentary

Apr 07, 2026

•

28 min video

•

2 min read

YouTube video ID: sOicR2enFsY

Source: YouTube video by DW Documentary — Watch original video

PDF

Attackers gain entry through social engineering — phishing emails that lure users into revealing credentials — or by scanning internet‑facing servers for unpatched vulnerabilities. Once inside, they move laterally, escalating privileges until they control administrative accounts across the network. The “double extortion” model adds a second lever: before encrypting files, attackers exfiltrate sensitive data to a remote server, then threaten both data loss and public leaks unless the ransom is paid.

The Crisis Experience

Victims describe a feeling of powerlessness and intense emotional distress as operations grind to a halt. Time pressure mounts as encrypted systems block critical business functions, and attackers often call victims at home to increase psychological pressure. Companies must decide quickly whether to negotiate or pay, while forensic teams race to identify “patient zero,” close the original vulnerability, and verify that backups are clean before restoring services.

The Ransomware Ecosystem

Modern ransomware groups operate like formal businesses, complete with human‑resources departments, scheduled holidays, and professional hierarchies. Many of these groups are linked to Russia, where authorities reportedly tolerate cybercrime that targets Western entities but not former Soviet states. The rise of “Ransomware‑as‑a‑Service” lets less‑skilled actors launch attacks using ready‑made toolkits, while intelligence agencies rely on undercover practitioners to infiltrate these syndicates and gather actionable data.

Strategic Responses

Paying a ransom fuels the criminal business model, yet companies often feel forced to comply to avoid total collapse. Experts argue that a global ban on ransom payments would eventually cripple the model, provided governments supply support to affected firms during the transition. Effective mitigation hinges on robust security architecture, continuous employee education, and reliable offline‑verified backups. Forensic recovery must pinpoint the entry point—whether a weak password or a compromised IoT device such as a forklift screen—clean infected servers, and confirm backup integrity before resuming operations.

“If everything is connected, everything can be hacked.”
“The typical cliche of a ransomware hacker is now outdated. These are highly professional organizations.”
“There's no shame in becoming a victim. Anyone can be hacked. It's how you handle it once that happens that makes the difference.”
“If we stop paying, we bleed bad for a while, but it would go away.”
“You can't make an omelette without breaking eggs.”

Takeaways

Ransomware attacks start with phishing or automated scanning, followed by privilege escalation and a double‑extortion tactic that threatens both encrypted data and public leaks.
Victims endure severe emotional distress and operational paralysis, often facing time‑pressured decisions while attackers maintain personal contact to increase pressure.
Ransomware groups now function like formal businesses, with HR, holidays, and Russian tolerance, while Ransomware‑as‑a‑Service expands their reach.
Paying ransoms sustains the criminal model, but a global ban paired with governmental support could undermine it, despite short‑term pain for affected firms.
Strong defenses require robust security architecture, employee training, offline‑verified backups, and thorough forensic work to close entry points before restoration.

Frequently Asked Questions

What is double extortion in ransomware attacks?

Double extortion means attackers first steal sensitive data and then encrypt the victim’s systems, giving them leverage to demand payment both to restore data and to prevent public leakage. This two‑fold threat increases pressure on victims to pay.

How does the professionalization of ransomware groups affect their operations?

Professionalization gives ransomware groups structured HR, scheduled holidays, and business‑like processes, enabling them to scale operations, offer Ransomware‑as‑a‑Service, and coordinate attacks with greater efficiency and resilience. This makes the threat more organized and persistent.

Who is DW Documentary on YouTube?

DW Documentary is a YouTube channel that publishes videos on a range of topics. Browse more summaries from this channel below.

Does this page include the full transcript of the video?

Yes, the full transcript for this video is available on this page. Click 'Show transcript' in the sidebar to read it.

Helpful resources related to this video

If you want to practice or explore the concepts discussed in the video, these commonly used tools may help.

External Hard Drive For Offline Backups Recommended

Provides a physical, air-gapped storage solution to ensure data remains accessible even if primary network systems are encrypted by ransomware.

Amazon →

Hardware Security Key For Two-Factor Authentication

Adds a physical layer of security to prevent unauthorized access via phishing or credential theft, addressing the 'initial access' vulnerability.

Amazon →

Cybersecurity Incident Response Planning Guide Book

Provides structured frameworks for managing the crisis, communication, and recovery phases following a cyberattack.

Amazon →

Faraday Bag For Electronic Device Isolation

Blocks electromagnetic signals to prevent remote access or data exfiltration from compromised devices during a forensic investigation.

Amazon →

Links may be affiliate links. We only include resources that are genuinely relevant to the topic.

Summarize another video

Full Transcript YouTube

The day it happened started off like any
other.
>> I walked into the office like always and
then someone from it came and said,
"Hey, Phillip, we have a problem."
Once we realized the full extent of it,
we walked through the plant and saw
everything had come to a standstill, a
complete standstill.
No machines running, nothing. It was
just quiet.
>> Then I realized
>> if we don't figure this out, the entire
company, all 200 jobs, everything is at
stake.
>> If everything [music] is connected,
everything can be hacked. Cyber security
is ever more crucial. It's called
ransomware, and it's a huge and [music]
expensive problem for all of us.
>> Ransomware, software used to extort a
ransom, racks up costs in the billions.
>> For me, it was clear I was willing to
pay a relatively high price. But if at
all possible, I wanted to avoid paying a
ransom.
[music]
>> Hello, Mr. boats hard. It's just not a
telemarketing.
>> It's an honor [clears throat]
to intro my friend John Deaggio who went
undercover into the world of lockpit.
>> He's one of the top cyber es espionage
practitioners on the planet.
>> So the way that it works to conduct a
ransomware attack, the first step is to
get into the network. And [music]
there's two primary ways that that takes
place. The first is through social
engineering, which means I'm going to
look up some of the people at the
company or I'm just going to send mass
emails to people at a certain company
and hope that somebody [music] clicks on
it. And if they do, it sort of opens up
a pathway for them to come in.
The other way that they do it is [music]
they'll scan a company's infrastructure
or the servers that touch the internet,
all of their computers that that have a
live connection, [music] and they'll
look for vulnerabilities.
Now, regardless of how you get into the
network, once you're there, you still
have work to do. They have to find a way
to escalate those privileges in order to
get the sort of the key to unlock these
doors from within.
So if you get into these systems,
[music] you can disperse ransomware all
at one time. But there's a a second part
of ransomware that's sort of evolved
over the past couple years, and that's
stealing data.
So what they do with double extortion is
before [music] they encrypt your data,
they actually go and they will steal it.
So now once they [music] have gotten
your data, now it's time to lock all of
your data. So, not only can I threaten
to [music] leak all your customers
information, but you're helpless to do
anything about it. They have all your
sensitive information and they've
completely locked you out of everything.
>> The first time I heard about ransomware,
I automatically started picturing the
scene in my mind. If you hear that
you've been hacked and your data has
been encrypted, above all, you're going
to feel powerless and helpless.
>> And that's exactly how I felt.
>> [music]
>> The Bosard Farbin company asked for our
help in March 2025.
We assessed the situation and found a
scene of utter devastation.
The first question was of course could
Bosard Farbin save itself by restoring a
backup of its data. Those are the times
when the whole future of a company is at
stake.
Of course, we were under time pressure
because in our business, if the customer
orders today, they want the product by
tomorrow. Now, what happens is when they
lock down all your files, they're nice
enough to leave a note on the desktop of
your computer.
>> The document on the server listed all
their terms. It also stated that we had
12 days to meet those terms.
We then met as a crisis team and made
contact with the hackers.
That's when we saw that 400 gigabytes of
data had been stolen.
[music]
They also threatened to publish the
data.
>> [music]
>> and they almost have like a chat panel
where you log in
and then you have these negotiations and
you have to decide if you're going to
pay for this or not.
>> In our case, they were demanding a
quarter of a million dollars in Bitcoin
in Bitcoin.
>> The hackers want to monetize their
attack.
We enter negotiations to buy time.
>> The worst thing is if you're forced to
pay, then it comes down to the choice.
Either I pay or I shut down the company.
Of
course, if you can't recover the backup
of your data, at some point you have to
decide what consequences you're prepared
to live with.
[music]
my background that brought me to
ransomware. Uh I actually started out I
was an engineer and I was writing blogs
about bad guys that I would find out
there on the internet as a hobby. And uh
I got recruited to work for an
intelligence agency. They trained me on
how to go after other nation states that
were conducting espionage against the
United States.
So having that expertise, I went to the
private sector. I went out there on the
dark web and I was like, "Hey,
ransomware bad guys talk to all the
victims. Maybe they'll talk to me."
[music]
Fast forward to 2022, I started going
after Lockbit, which is one of the the
top groups in in the ransomware
ecosystem.
>> Lockbit is the world's most prolific
ransomware variant,
>> or at least they were.
[music]
I went in and I tried to join that group
and I didn't get through the full
interview, but when it was over, the
leader of the group left me in their
their private channel.
>> The Lockpit ransomware group led by the
online persona Lockbit Sub
>> and I just [music] pretended to be this
young upcoming hacker that idolized him
cuz I knew ego was the way to get to
him. And I just kept asking questions
and trying to learn.
And then after about 6 months, I [music]
had all the information about how their
group worked there. and I wrote this
70-page paper. [music]
The next day after I released that
report, it was in the news. I had uh
government intelligence agencies [music]
calling me. I had law enforcement
calling me and not just from the US,
from all over the world.
So, at that point, I [music] was like,
well, I got nothing to lose now. I might
as well try and talk to him as me. So, I
sent him a message and I said, hey, this
I'm John Deaggio. I just wrote about
you. You want to talk? And I I expected
maybe a threat or telling me, you know,
to off or something like that, but he
didn't. The response was, "I love you.
You best researcher." So, we formed a
relationship that lasted for 3 years.
[music]
At the end of this, this ends with the
leader of the group being indicted and
his name being plastered all over the
place.
By day two, we were hopeful that we
might be able to do something with a
backup.
We were at a point where we were no
longer just holding the hackers at bay,
but actively working to recover the
data, too.
>> [music]
>> Obviously in the IT department, the
lights burned well into evenings until
quite late at night,
[music]
>> especially in Valter Timman's office,
our IT manager.
When we looked at the data, we saw that
the backups were affected, too. So, we
had to try to find a backup that was
still working.
backup.
[music]
We searched through all our past backups
and found one that was 7 days old.
Of course, we had to check all the data
first to see if it was clean and
something we could work with. We had to
check if there was anything that might
have been hidden in the background.
We knew if we couldn't restore it,
everything would be gone.
for lake.
>> Our company was founded in 1947 by my
grandfather and it's been in the family
ever since.
I took over as managing director in
2009. We now have just under 200
employees.
[music]
Over 80% of our revenue comes from
products for painting and decorating for
people painting their own homes interior
and exterior.
>> Everyone knows each other here. Many of
our employees have been with us for
years.
[music]
>> In a situation like this with the cyber
attack, you think less about the
company's history and more about the
fact that not just your staff but also
their families are depending on their
income.
Of
course, some of our people were afraid,
wondering what would happen, what would
become of the company, and what it would
mean for them personally.
Some of the people in the IT department
were really beating themselves up.
So, I had to go to them, put myself in
their shoes, and tell them, "Hey, it's
okay."
>> Sure, mistakes were made, but you can't
make an omelette without breaking eggs.
We just worked and worked and worked. If
you let yourself think too much, things
just became difficult,
especially because we didn't know if
there was anything left to save. It was
a really tough time. Happy Tixie.
On the day it happened,
I was truly at my wit's end.
I thought, "It's over."
I sat at my desk in my office just in
despair.
I thought you might as well go to the
solvent store room, toss in a match, and
go home.
That's it.
There's the emotional toll, and that's
what you never hear about to see like
the the real emotion and the sadness
[music] and the sorrow and the pain.
Like you don't hear about that when you
read an article about someone's data
getting encrypted or stolen. But these
type of stories happen all the [music]
time. There's a much larger effect.
People lose their jobs. They lose their
businesses. They [music] lose clients.
It affects so much more than just the
data and the zero ones.
There were moments like that where all I
wanted to do was weep.
Even now when I think about it, I start
tearing up again. It was very, very
emotional.
>> I thought everything that we've built up
over the past 20 years could just vanish
now. Well, I'd still have the land, I
suppose.
>> I'm Ingabell. I work at Nordwave as
direct innovation
and I'm one of the ransware negotiators
and then I support boards during
incidents. [music] If we look at the
mental impact of these kinds of
incidents is that there is tremendous
stress not only in the first [music] 24
hours but in many many many days, weeks
and even years after an incident.
When a family company is hit, there are
more emotion involved. People are the
company. So it's not only your job,
you're part of that company.
>> On day three, we got the news. Yes, we
found something we can restore.
>> [music]
>> Next, you have to reconstruct the path
of the attack, tracing it back to
patient zero. We need to figure out how
they got in so that we can eliminate
them from the network later.
[music]
>> They had attacked the entire system. It
wasn't clear how long they'd been in
there or what damage they'd done. We had
to check each server individually to
find out if it was clean.
>> We spent a long time trying to figure
out if there were any other
vulnerabilities in the system.
So they couldn't find a way back in.
>> We took a forensic approach, retracing
the entire attack. We found the entry
point. It was a so-called remote access
solution. We also figured out which
username and password they used. It was
a login with a very weak password.
From there they tried to infiltrate the
system but ran into problems because
Basad Farbin's internal security
architecture was very modern.
Later we discovered that the hackers had
gained access through the computer
screens on our forklifts in the High Bay
warehouse.
Then they were able to infiltrate the
rest of the system.
Once we were sure everything was working
again, we were initially very relieved.
But there was still another issue.
What would happen to the data that was
stolen if we didn't pay up
and then the blackmailer contacted me by
phone?
>> [music]
>> Hello Mr. Bart, my name is Mike Ford.
This is not a telemarketing. We are not
sure if you are aware of what's
happening. They [music] are trying to
hide the real information from you.
They then tried calling me again at home
on my personal number. They thought I
had no idea that my negotiators had
walked away from the table. And it was
clear to me if they're calling me at
home, they obviously know a lot about
me.
Hey Liver
[music]
[music]
research shows a cyber crime report is
made every six minutes in Australia.
>> There's so much money to be made in
cyber crime. There's estimates that
global losses exceed1 billion US per
year.
>> The typical cliche of a ransomware
hacker is now outdated. These are highly
professional organizations. There's even
cyber crime as a service or ransomware
as a service.
>> They are formally organized. They have
an HR department. They have holidays.
They have a two weeks pay. And we also
know that they are linked towards the
Russian government.
The Russian authorities turn a blind eye
to the cyber crime economy that has
developed, but there are certain rules.
They're free to attack the West, but not
former Soviet countries.
And it's actually of interest to the
authorities because the hackers gather
information and then share that stolen
data with the government.
[music]
The biggest impactful part of my
multi-year
investigation with the Lockpit
ransomware gang, you know, for a lot of
it, it was it was research.
Be on a vacation. There's no days off.
There's no logging on off at at 9:00.
There's no having a weekend off, but I
would talk to him three, four times a
week.
It just got to be so common. You you
stop looking at it as like this unique
thing.
>> I have a very close family friend and he
had a son who was 8 years old who got a
very uh rare condition.
He was in a children's hospital in an
ICU
and I happened to have the same blood
type. So, I went there in order to give
blood and uh while I was there, it was
the worst place I've ever been in. You
could just the despair in the air. It
was it impacted me.
There came a point where Lockbit had
attacked a hospital in Chicago called
St. Anony's Hospital and I got very
upset.
There's a children's cancer unit in this
hospital and if you lock down their
systems, those are the same systems that
provide treatment to these children that
have cancer.
There's rules to what I do. You can't
get emotionally and personally involved
cuz once you do, [music] you make
mistakes. I really believed that I could
get Lockbit to give the hospital the
decryption key. And uh he just didn't
care. He wouldn't do it. [music]
It was that moment though where I
decided things [music] changed. That
moment I decided I was going to work
with law enforcement.
Let's go get this guy. And I worked with
[music] them over the next 6 months
until we got Dmitri. The FBI and British
authorities have taken [music] down what
they're calling the world's most
prolific ransomware group.
>> We have unmasked the man behind lockbit,
Russian national known as lockbit.
[music]
>> Here he is right here. Dimmitri Corosv.
>> Dmitri.
>> Dmitri Korv.
>> Loit had a website for negotiating with
victims among other things. One day it
disappeared. It was replaced by a short
message, don't do crime. Crime is bad.
Below that was a link where users could
download a copy of Lockbit Bits internal
database. So someone, we don't know who,
hacked Lockbit Bit itself and published
their data.
The hackers were hacked. In all this
data, we found a list of all the victims
who were attacked during that period,
including who paid how much. One company
stood out in particular because it paid
nearly $2 million.
That was by far the highest amount on
the list of victims and it was a Swiss
company.
>> Can you give us the name?
>> The company is called Bites and More.
They're an IT provider based in Aral.
It was the first real crisis I'd ever
experienced in my career and in the
company.
For the first 24 hours, I was completely
overwhelmed and didn't know which way to
turn.
Thankfully though, that eventually
turned into a source of energy that I
could harness.
My name is Yonas Houndstein. I'm the
managing director of Bites and More.
We serve as the external IT department
for many of our clients.
>> You can picture it like a spid web.
We're at the center of the web and our
clients are at their respective
locations and there's a virtual link
with each location via the internet.
The hackers didn't break into our
systems. They infiltrated our client's
systems.
We worked about 14 hours a day for 6
weeks to get our clients back online.
Of course, not all clients were affected
to the same extent. We suffered the
damage because all our devices were
encrypted. We had to set everything up
again from scratch. Then we restored the
data and resumed our work.
We as a company did not pay any ransom
money because we had a backup of our
data.
We don't know to what extent our
customers paid a ransom or were
affected.
>> Do you know whether payments were
ultimately made or not?
>> Clearly they were because the people got
their data back.
So we've been in touch with Bites and
More and they told us they didn't pay
and I believe them. Still money changed
hands. So if it wasn't them, it must
have been one or more of their customers
who paid the ransom.
>> [music]
>> You find yourself involved in a
situation that you're not proud of. It
might have a negative impact on our
customers or on us to be appearing on
camera like this. But I think it's
important to speak out and say we were
attacked and we've learned from it. That
way maybe someone else can learn from it
too, even if they haven't been directly
affected. So people can put a face to a
situation like this, something that
often doesn't happen.
>> The truth is anybody can become a
target. Microsoft's one of the most
secure companies in the world. They've
been hit before.
So anybody can become a victim. And I
always say this, there's no shame in
becoming a victim. Anyone can be hacked.
It's how you handle it once that happens
that makes the difference.
I definitely understand why some
companies pay up. If we hadn't had that
backup, we probably wouldn't have had
another option either. Ultimately
though, it's not a business model that I
want to support.
Doing these things should not be
worthwhile for these people.
If I could assign one task to world
leaders would be to stop paying ransom
payments. If we stop paying, we bleed
bad for a while, but it would go away.
>> When you as a country forbid to pay uh
ransom,
you indeed influence the the business
model of the ransomware attackers, but
the impact for the companies that are
attacked is enormous. So you need to
have kind of mitigation measures as a
country as a government to support those
victims when they are attacked because
companies will be disrupted completely
because they are not able to operate
anymore.
[music]
You do need to protect yourself. You
also lock your door. You also [music]
have cameras in your company.
So this is the digital side of it. The
risk for [music] such an attack is
pretty high. So you need to educate
yourself as well. We owe oursel that we
are responsible for that. [music]
I grew up in a not great environment. I
had uh my own my my own taste of
conducting crimes um and doing some bad
things.
>> [music]
>> When I look at these ransomware
criminals, [music] they're kids. And uh
maybe I'm naive, but I always try to
steer them in the right direction.
[music] I don't want that guy being my
adversary again. I want to hire him
someday.
>> I've said so much already.
>> Okay. Perhaps the one thing left to say
is this thing has happened to us now and
I think it's important to talk about it
to raise awareness about this issue.
There are so many people who don't want
to talk about it.
Yet it affects so many companies.
[music]