Ransomware is not a single piece of malware. It is a business model. Criminal groups operate as professional organisations with developers, affiliates, negotiators, and customer service teams. Understanding how the attack actually works - from the initial foothold to the ransom demand - makes it much easier to understand where the defensive controls sit and why they work.
Stage 1: Initial Access
Ransomware groups get in through one of a small number of reliable vectors. Roughly in order of prevalence:
- Phishing email - a credential-harvesting email or an attachment/link that drops malware. Still the most common initial access vector.
- Exposed RDP - Remote Desktop Protocol open to the internet on port 3389 is routinely scanned and brute-forced. Credentials are often purchased from initial access brokers who specialise in finding and selling RDP access.
- Unpatched vulnerabilities - public-facing systems running outdated software with known CVEs. VPN appliances, firewalls, and web applications are common targets.
- Supply chain compromise - a trusted vendor or software tool (including the remote-management tooling of a managed service provider) is compromised and used as a path into the target. Less common than the vectors above, but growing.
- Purchased access - initial access brokers sell network access to ransomware affiliates. The broker finds the way in, the ransomware group buys it and handles the encryption and extortion.
Stage 2: Persistence and Reconnaissance
After gaining initial access, modern ransomware operators do not immediately encrypt. They spend time - sometimes days or weeks - conducting reconnaissance and establishing persistence. This is why the dwell time between initial access and encryption can be significant.
During this phase, attackers typically:
- Dump credentials from LSASS memory using tools like Mimikatz
- Identify domain admin accounts and target them specifically
- Map the network - what servers exist, where backups are stored, what backup solutions are running
- Identify crown jewel data that can be used as leverage for double extortion
- Exfiltrate data before encryption begins (so they can threaten to publish it even if the victim has backups)
- Establish multiple persistence mechanisms so they can return if one is removed
This reconnaissance phase is when a capable EDR or SIEM has the best chance of detecting and stopping an attack. Each of these steps leaves a signal: a non-system process opening a handle to lsass.exe with read access (Sysmon Event ID 10), NTLM network logons by a single account fanning out across many hosts (Security Event ID 4624), service installs on remote systems (System Event ID 7045), and port scans from a workstation that has never scanned before. None of this is part of ordinary user activity, so once known scanners and admin hosts are baselined it can be alerted on with a manageable false-positive rate.
Stage 3: Lateral Movement
From the initial compromised endpoint, attackers move across the network to reach higher-value targets - domain controllers, file servers, backup systems, and management platforms. Common techniques include:
- Pass-the-hash - authenticating to other systems over NTLM with the NTLM hash of a password dumped from memory, without ever knowing the plaintext password
- PsExec and WMI - legitimate Windows tools used to execute commands on remote systems
- Abusing admin shares - using compromised admin credentials to reach C$, ADMIN$ and other administrative shares, which is also how tools like PsExec drop their service binary onto the remote host
- Living off the land - using built-in Windows tools (PowerShell, certutil, wscript) rather than custom malware to avoid detection
Network segmentation is the primary defence here. If the compromised endpoint cannot reach the file server directly, lateral movement is slowed or stopped entirely. See the network segmentation guide for the practical setup.
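The detection signals named in the reconnaissance and lateral movement sections above are concrete enough to turn into code. The following is an added example written for this page, not code from the original article or from any vendor: three small detectors run over constructed, simplified Sysmon and Windows Security events (the hosts, accounts, paths and the JSON field names are invented for the example and are only loosely modelled on the real events). It flags a non-allowlisted process opening lsass.exe with PROCESS_VM_READ, one account fanning out over NTLM network logons to several hosts from one source address, and the PSEXESVC service appearing on a server. The allowlist and the fan-out threshold are assumptions to be tuned from your own baseline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Event covers the three sources the detectors read: Sysmon EID 10
// (ProcessAccess), Security EID 4624 (logon) and System EID 7045 (service
// installed). Fields a source does not populate stay zero.
type Event struct {
	EventID       int    `json:"EventID"`
	Host          string `json:"Host"`          // host that recorded the event
	SourceImage   string `json:"SourceImage"`   // EID 10: process opening the handle
	TargetImage   string `json:"TargetImage"`   // EID 10: process being opened
	GrantedAccess string `json:"GrantedAccess"` // EID 10: access mask as hex text
	LogonType     int    `json:"LogonType"`     // EID 4624: 3 = network logon
	AuthPackage   string `json:"AuthPackage"`   // EID 4624: NTLM or Kerberos
	Account       string `json:"Account"`       // EID 4624: account that logged on
	SourceIP      string `json:"SourceIP"`      // EID 4624: where the logon came from
	ServiceName   string `json:"ServiceName"`   // EID 7045: installed service name
}

// sampleLog is CONSTRUCTED data, one JSON event per line: a binary in a user
// temp folder reading LSASS, one account fanning out over NTLM to four servers
// (the backup host among them), and a PsExec service landing on FS01.
const sampleLog = `
{"EventID":10,"Host":"WS01","SourceImage":"C:\\Users\\jsmith\\AppData\\Local\\Temp\\mk.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1010"}
{"EventID":10,"Host":"WS01","SourceImage":"C:\\Windows\\System32\\csrss.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1fffff"}
{"EventID":4624,"Host":"FS01","LogonType":3,"AuthPackage":"NTLM","Account":"CORP\\svc_backup","SourceIP":"10.0.1.25"}
{"EventID":4624,"Host":"FS02","LogonType":3,"AuthPackage":"NTLM","Account":"CORP\\svc_backup","SourceIP":"10.0.1.25"}
{"EventID":4624,"Host":"BKP01","LogonType":3,"AuthPackage":"NTLM","Account":"CORP\\svc_backup","SourceIP":"10.0.1.25"}
{"EventID":4624,"Host":"DC01","LogonType":3,"AuthPackage":"NTLM","Account":"CORP\\svc_backup","SourceIP":"10.0.1.25"}
{"EventID":4624,"Host":"FS01","LogonType":3,"AuthPackage":"Kerberos","Account":"CORP\\jsmith","SourceIP":"10.0.1.30"}
{"EventID":7045,"Host":"FS01","ServiceName":"PSEXESVC"}
`

const processVMRead = 0x0010 // PROCESS_VM_READ: what a credential dumper needs from lsass.exe

// lsassReaders is an ASSUMED allowlist of processes expected to read LSASS;
// build yours from a baseline of your own fleet.
var lsassReaders = map[string]bool{
	`C:\Windows\System32\csrss.exe`: true,
}

// ParseEvents decodes newline-delimited JSON events.
func ParseEvents(log string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return events, nil
}

// Detect returns one alert per hit. fanOut is how many distinct hosts one
// account must reach over NTLM network logons from a single source address
// before the pattern is reported as lateral movement (an assumed threshold).
func Detect(events []Event, fanOut int) []string {
	var alerts []string
	reached := map[string]map[string]bool{} // "account@sourceIP" -> hosts logged on to
	for _, e := range events {
		switch e.EventID {
		case 10:
			mask, _ := strconv.ParseUint(strings.TrimPrefix(strings.ToLower(e.GrantedAccess), "0x"), 16, 32)
			if strings.HasSuffix(strings.ToLower(e.TargetImage), `\lsass.exe`) &&
				mask&processVMRead != 0 && !lsassReaders[e.SourceImage] {
				alerts = append(alerts, fmt.Sprintf("credential dumping: %s opened lsass.exe (%s) on %s",
					e.SourceImage, e.GrantedAccess, e.Host))
			}
		case 4624:
			if e.LogonType == 3 && strings.EqualFold(e.AuthPackage, "NTLM") {
				key := e.Account + "@" + e.SourceIP
				if reached[key] == nil {
					reached[key] = map[string]bool{}
				}
				reached[key][e.Host] = true
			}
		case 7045:
			if strings.EqualFold(e.ServiceName, "PSEXESVC") {
				alerts = append(alerts, fmt.Sprintf("remote execution: PsExec service installed on %s", e.Host))
			}
		}
	}
	keys := make([]string, 0, len(reached))
	for k := range reached {
		keys = append(keys, k)
	}
	sort.Strings(keys) // stable alert order regardless of map iteration
	for _, k := range keys {
		if n := len(reached[k]); n >= fanOut {
			alerts = append(alerts, fmt.Sprintf("lateral movement: %s reached %d hosts over NTLM network logons", k, n))
		}
	}
	return alerts
}

func main() {
	events, err := ParseEvents(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(events, 3) {
		fmt.Println(a)
	}
}
```

Run as written it prints three alerts: the LSASS read by the temp-folder binary, the PsExec service on FS01, and the svc_backup account reaching four hosts over NTLM. The Kerberos logon and the allowlisted csrss.exe handle are correctly ignored. In production the same logic would sit in the SIEM as a correlation rule keyed on a time window rather than the whole log, and the allowlist would be driven from observed baseline rather than hand-written.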
Stage 4: Encryption and Extortion
Once the attacker has domain admin or equivalent access and has reached the backup systems (which they try to delete or encrypt first, along with local Volume Shadow Copies), they deploy the ransomware payload. Modern ransomware uses strong, standard cryptography in a hybrid construction: each file is encrypted with a fast symmetric cipher (AES-256 or ChaCha20 are common), and each file key is then wrapped with an asymmetric public key embedded in the payload (RSA-4096 is typical; some families use elliptic curves). The matching private key never touches the victim's network, so nothing left behind on the encrypted systems can recover the file keys, and, barring an implementation mistake by the developers, decryption without the operator's key is computationally infeasible.
Modern ransomware operations run two extortion levers:
Encryption extortion: pay to get the decryption key. Encrypted files are unrecoverable unless you have either that key or a clean backup.
Data extortion: the attackers threaten to publish the data exfiltrated during the reconnaissance phase on a leak site if the ransom is not paid. This works even against organisations with good backups, because the problem is no longer recovery but the prospect of sensitive data becoming public.
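To make the "computationally infeasible" point from the encryption section concrete, and to show why the only recovery paths are the operator's key or a clean backup, here is the hybrid (envelope) construction that section describes. It is an added example written for this page using Go's standard library; it is generic envelope encryption, the same pattern cloud KMS services use, and is not any ransomware family's code. The record it encrypts is a constructed sample, and it uses RSA-2048 rather than the 4096 mentioned in the text only to keep the demo fast; the construction is identical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what the encryption stage leaves beside each file: the body
// under a fresh per-file AES-256-GCM key, and that key wrapped with the
// operator's RSA public key. Every field can sit on disk in the clear.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(operatorPub, fileKey)
	Nonce      []byte // 12-byte GCM nonce, unique per file
	Ciphertext []byte // AES-GCM(fileKey, plaintext), authentication tag included
}

// Encrypt needs only the public key, which is why a payload can carry it
// embedded: the key that undoes this never has to be present on the victim.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Decrypt is the recovery path and needs the private key: unwrap the file
// key, then open the body. Without priv, the first step fails and nothing follows.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo generates an operator key pair, encrypts a constructed record, recovers
// it with the operator's private key, then shows that a different private key
// (standing in for "the victim only has what was in the binary") cannot unwrap it.
func Demo() (recovered bool, wrongKeyRejected bool, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 keeps the demo fast
	if err != nil {
		return false, false, err
	}
	plaintext := []byte("constructed sample record: payroll export, FY2024")
	env, err := Encrypt(&operator.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	got, err := Decrypt(operator, env)
	if err != nil {
		return false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	_, wrongErr := Decrypt(other, env)
	return bytes.Equal(got, plaintext), wrongErr != nil, nil
}

func main() {
	recovered, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with operator key: %v; other key rejected: %v\n", recovered, rejected)
}
```

The asymmetry is the whole point. A defender who pulls the payload apart finds the RSA public key and nothing else of use; the per-file AES keys were generated on the victim's machine, wrapped, and discarded, and the GCM tag means the ciphertext cannot even be tampered with undetected. Published decryptors exist only where a family's developers got this construction wrong (a predictable key generator, a key left in memory or on disk), which is not something a recovery plan can count on.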
The Three Things That Stop It
1. MFA on everything
A significant proportion of ransomware attacks begin with compromised credentials - either phished or purchased from a broker. MFA means a stolen password alone is not enough to authenticate, which blunts the most common initial access vector and is the single highest-impact control you can deploy. Two caveats a deployment needs to get right: it has to be enforced on the paths attackers actually use (RDP, VPN, and every admin account, not just webmail), and it should be phishing-resistant where possible (FIDO2/WebAuthn or certificate-based), because push approvals and one-time codes can be defeated by prompt-bombing and by adversary-in-the-middle phishing kits that relay the code in real time.
2. Offline or immutable backups
Ransomware operators specifically target and destroy backup systems before triggering encryption. If backups are reachable from the compromised network with the credentials the attacker holds, they will be encrypted or deleted. Backups need to be either offline (physically disconnected, air-gapped) or immutable (cannot be modified or deleted for a defined period, even by an admin). Cloud backup solutions with immutability enabled satisfy this. Two checks go with it: the backup platform should use its own credentials rather than domain accounts, so that the domain admin compromise described above does not hand over the backup console as well, and restores should be tested regularly, because an immutable backup you have never restored from is an assumption, not a control. See the cloud sync is not a backup guide for why Dropbox and Google Drive do not count.
3. EDR and network segmentation
An Endpoint Detection and Response platform monitoring behavioural signals (credential dumping, network scanning, admin tool abuse) gives you a fighting chance of detecting an attack during the reconnaissance phase - before encryption is triggered. Network segmentation limits lateral movement so that even if one endpoint is compromised, the attacker cannot freely reach file servers and backup systems. Neither control alone is sufficient. Together, they significantly increase the cost and difficulty of a successful attack.