
Cyber extortion

What is ransomware?

The path of a cyberattack

A ransomware cyberattack relies on the use of malicious software designed to encrypt a digital resource. The aim is to extort a ransom from the affected organization - preferably in cryptocurrency - in exchange for a decryption key. This is what happened in 2023 to Coaxis, the French company at the center of the documentary "Don’t Go to the Police" and an international investigation.

Explore the motivations, methods and profiles of these cybercriminal groups specializing in cyber-extortion.

19 000 businesses

affected by cyber-extortion between 2020 and 2025.

44.5% increase

in ransomware attacks between 2020 and 2025.

89 active groups

specializing in worldwide cyber-extortion.

The steps of a ransomware cyberattack

PHASE 1: Recon and collect
PHASE 2: Initial compromise
PHASE 3: Escalation
PHASE 4: Ransomware deployment
PHASE 5: The ransom notification

Recon phase

Collecting the data

In a targeted approach, cybercriminals search for publicly available information to gather data, such as IP addresses or employees’ names. They also scan networks to identify vulnerabilities: outdated operating systems or software versions, open ports, unsecured services or weak passwords. They sometimes rely on targeted phishing or even telephone impersonation to gain this initial access.

Alternatively, they may employ the "Spray and Pray" method. Massive and automated phishing campaigns are launched, with emails containing malicious links or infected attachments. With this method, targeting gives way to volume and automation, in the hope that one or more victims will fall right into the trap.

The initial compromise phase

Beware of the Trojan Horse

Whether through a phishing email, the exploitation of vulnerabilities or leaked credentials circulating on the dark web, the attacker has found a way in. Their primary objective is to gain access and maintain their hold as long as possible. To do so, they need to expand their control and remain within the system without being detected.

The escalation phase

Gaining admin rights

To extend their control and cause damage within the compromised system, the attacker needs to obtain administrator rights (or "admin" rights). This is known as privilege escalation, which is made possible by inadequate access controls, weak passwords or configuration errors. By focusing on the Active Directory (or AD) resource, which centralizes accounts, permissions and authentication data, they can obtain critical information for compromising administrator accounts.

Through lateral movement, they will also attempt to infect other resources, machines and servers within the organization to reach strategic targets.

Ransomware deployment phase

Ransomware is activated

Once the attacker has gained and maintained access to the company's compromised network, they can activate and deploy the malware. The ransomware will encrypt one or more of the company’s strategic digital resources, rendering them unusable, as if turned to stone. The encryption of these resources effectively paralyses the affected company.

Ransom notification phase

"Don’t go to the police"?

A notification message for a ransom demand appears on the screens of the organization targeted by the cyberattack. A substantial sum – particularly for an SME or medium-sized company – is demanded in exchange for a key to decrypt the locked system. In the specific case of Coaxis, the message included the warning “Don’t go to the police”.

This is nothing short of extortion, and complying with the demand offers no guarantee of being freed from this hold or of recovering a healthy and secure network. It is therefore recommended that this attack be reported immediately to the authorities and that cybersecurity experts be called in to identify the breach, isolate the cyberattack and limit the damage.


The multiple impacts of a ransomware attack

Ransomware can have a “domino effect” on the affected business, disrupting its operations, eroding the trust of its clients and its whole ecosystem, and damaging its reputation.

Operational impacts

3 weeks: the average downtime following a ransomware attack.


The disruption of one or more strategic digital resources can have a severe impact on an organization’s productivity. Systems are unavailable. Customer requests can no longer be met. Teams are forced to operate in a best effort mode.

Supply-chain impact

19 000 businesses have been compromised within 5 years.


Two-thirds are SMEs. Cyber attackers are increasingly exploiting the supply chain to disrupt the targeted company’s ecosystem through a domino effect, generating delivery delays and a loss of trust among business partners.

Financial impacts

$20 billion to $30 billion: the global estimated cost of cyber extortion annually.


The cost includes ransom demands, financial losses resulting from business disruption and the loss of affected clients, as well as the costs of remediation, crisis management and regulatory fines.

Reputational impacts

60%: the share of clients who lose trust after a ransomware attack.


In the wake of a ransomware attack, other collateral damage is at stake: the loss of trust among clients and partners alike, and a lack of crisis management or media coverage of the incident that sheds a negative light on the company. Even if a company can recover from an attack, the reputational cost may prove more damaging in the long term.

Legal impacts

72h: the time window to report the incident.


Businesses must report any breach to the competent authorities and notify their clients if sensitive data has been compromised. They may be held liable in the event of negligence and often need to strengthen their compliance measures following a ransomware attack.

Human impact


Crisis management in the event of cyber extortion – from a technical, commercial, legal and reputational perspective – places considerable pressure on the organization’s staff, particularly the IT teams. This is all the more true if the attack involves a leak of personal data.

 

“They act like the mafia in a way, and that’s what unsettles people the most. These cybercriminals are not after people. They are after their money”.

— Frédéric Zink, Cyber with Telco Business Unit Director, Orange Cyberdefense.

 

“And if we pay the ransom, is this going to put an end to our problems? We took the decision not to give in and rebuild our infrastructure from the ground up”.

— Joseph Veigas, Coaxis CEO.

 

“We must protect ourselves more proactively. Gaining and maintaining digital hygiene is a must. If people are not properly trained and well aware of the cyber risks, that’s where the main vulnerability is”.

— Hugues Foulon, Orange Cyberdefense CEO, Orange Executive Director.

 

“Good news is that we had backups isolated from the network, which the attackers didn’t have access to. This key asset allowed Coaxis, through considerable effort, to get back on their feet”.

— Rodrigue Le Bayon, Orange Cyberdefense Executive.

 

"We are observing the uberization of ransomware attacks".

— Micode, Content creator - “Micode” and “Underscore_” YouTube channels.

Preventing a ransomware attack

How to anticipate a cyber extortion attack?

In most cases, the starting point of a cyberattack is human error. However, it can also stem from poorly secured access, outdated software, or privileges that have not been revoked…

Our recommendations:

  • Train your staff on phishing tactics and identity theft;
  • Identify your vulnerabilities: carry out an initial audit to identify your weaknesses and implement the relevant technical and human resources;
  • Introduce regular audits to monitor your security levels;
  • Ensure your business complies with regulatory cybersecurity requirements (NIS 2, CRA, DORA, MiCA, etc.); 
  • Establish a cybersecurity policy for your suppliers;
  • Equip yourself with an efficient protection tool such as EDR, XDR or MDR;
  • Also equip yourself with a detection and remediation solution, such as Micro-SOC or Global SOC, depending on whether you are an SME or a large organization.

How to handle a ransomware attack

What is the plan should this situation arise?

If you fall victim to a cyber extortion attack, we recommend taking several steps to contain the crisis, minimize the damage and resolve the situation.

First 24 hours

Containment

  • The first step is to identify and isolate infected systems to limit the spread.

Within 72 hours

Report the attack

  • Report the attack to the local authorities within 72 hours.

Day 1 to Day 7

Communicate

  • Inform your customers and partners should sensitive data be involved;
  • Manage your internal and external communications to limit the impact of trust loss. Provide clear and transparent information.

Day 7 to Day 30

Remediation phase

  • Implement remediation actions to restore your systems, via a backup or reconstruction;
  • Identify the causes and path of the attack. Once your system’s weaknesses have been identified, make the necessary technological and human investments to strengthen your cybersecurity.

This is a true story that could have happened to any business…

Discover an insider look at how a company faced and responded to a ransomware attack.

 

Orange Cyberdefense is the leading provider of cybersecurity services in Europe. With more than 30 years of expertise developed within the Orange Group, we independently deliver solutions covering managed services, consulting, and IT integration.


 © 2026 Orange Cyberdefense