A ransomware incident, whatever it looks like from the outside, rarely begins at the moment the screen lights up with a ransom note. By the time the encryption fires, the attackers have usually been inside the network for days or weeks, have already stolen the data they need to extort with, and have already broken whatever recovery options the victim thought they had. Understanding the full attack lifecycle, and the choke points that exist at each stage, is the difference between an incident that is contained and one that becomes a front-page disaster.
Stage 1: Initial access
Almost every ransomware intrusion begins with one of three categories of foothold:
- Compromised credentials. Stolen, phished, or brute-forced logins for VPNs, remote desktops, single sign-on portals, and cloud admin consoles. Initial-access brokers buy and sell these in bulk on Russian-language forums.
- Edge-device exploitation. Unpatched VPN concentrators, firewalls, file-transfer appliances, and email gateways. The Cl0p group built much of its 2023 success on a single zero-day in MOVEit Transfer.
- Phishing and malware loaders. Malicious attachments and links that drop loaders such as Qakbot, IcedID, or Emotet, which in turn fetch a hands-on-keyboard toolkit.
For defenders, this is the highest-leverage stage. Multi-factor authentication on every external service, prompt patching of internet-facing systems, and modern email security stop a majority of intrusions before they ever start.
Stage 2: Establishing a foothold
Once inside, the operator deploys command-and-control. Cobalt Strike beacons remain the workhorse despite years of detection investment, alongside Sliver, Brute Ratel, and increasingly bespoke implants. They will also drop legitimate remote-management tools (AnyDesk, Atera, Splashtop, ScreenConnect), because these blend in with what an IT department would actually run and most environments do not block them by default.
Stage 3: Reconnaissance
Now the attacker maps the environment. They enumerate Active Directory with tools like AdFind, BloodHound, and SharpHound; identify domain controllers, file servers, backup servers, and hypervisors; pull lists of privileged users; and look for documentation that names crown-jewel systems. They are explicitly looking for two things: the data that will hurt most when stolen, and the infrastructure that will hurt most when encrypted.
Stage 4: Privilege escalation
To do real damage, the operator needs domain administrator or equivalent privileges. They get there by harvesting credentials from memory (Mimikatz, LSASS dumping), abusing Kerberoasting, exploiting misconfigured Active Directory Certificate Services, dumping the NTDS.dit file, or finding a privileged account whose password is in a script on a file share. Modern endpoint protection makes Mimikatz noisier than it used to be, but determined operators still get there reliably.
Stage 5: Lateral movement
With elevated rights, the attacker spreads. The standard toolkit is overwhelmingly built on legitimate Windows administration: PsExec, WMI, WinRM, PowerShell remoting, scheduled tasks, Group Policy. This is sometimes called "living off the land," and it is what makes ransomware operators so hard to spot on a network that is already noisy with legitimate admin activity.
Stage 6: Data exfiltration
This is the stage the public still underestimates. Before any encryption happens, the operator stages the data they want to steal (financial records, customer PII, source code, executive email, contracts) and exfiltrates it to attacker-controlled storage. Common channels include Rclone to cloud storage providers (Mega, AWS S3, Backblaze), MegaSync, FileZilla over FTP, and increasingly direct uploads to bulletproof hosts. Volumes can range from gigabytes to many terabytes, and exfiltration can take days. Network egress monitoring is one of the most underused detection opportunities a defender has.
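The egress-monitoring point above is easy to state and rarely implemented. As an added example (not code from the article), here is a minimal detector that sums outbound bytes per source host and destination from flow records and flags pairs that exceed a threshold unless they are on a sanctioned list. The record layout, hostnames, the 1 GiB threshold, the business-hours window and the sanctioned pair are all constructed assumptions; in practice the records would come from NetFlow, Zeek conn logs or a proxy.

```python
"""Egress-volume detector run over constructed flow records.

Added example for this article, not part of it: it aggregates outbound bytes
per (source host, destination) pair and flags pairs that exceed a threshold
unless the pair is on a sanctioned list. Field layout, hostnames, threshold
and the sanctioned list are all assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

GIB = 1024 ** 3

# Constructed sample records: timestamp, source host, destination, bytes out.
SAMPLE_FLOWS = """\
2024-05-01T02:10:00Z,fileserver01,mega.nz,5368709120
2024-05-01T02:40:00Z,fileserver01,mega.nz,7516192768
2024-05-01T03:05:00Z,fileserver01,s3.amazonaws.com,2147483648
2024-05-01T09:00:00Z,workstation17,teams.microsoft.com,20971520
2024-05-01T09:30:00Z,backup02,s3.amazonaws.com,42949672960
2024-05-01T10:00:00Z,workstation22,github.com,104857600
"""

# Assumed: (host, destination) pairs the organisation expects to move bulk
# data, e.g. the backup server replicating to its own object-storage bucket.
SANCTIONED = {("backup02", "s3.amazonaws.com")}


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    bytes_out: int


def parse_flows(text):
    """Parse the CSV-style records above into Flow objects (timestamps as UTC)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, bytes_out = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                          src, dst, int(bytes_out)))
    return flows


def off_hours(ts):
    """Assumed business window 07:00-19:00 UTC; transfers outside it get a flag."""
    return ts.hour < 7 or ts.hour >= 19


def egress_alerts(flows, threshold=GIB, sanctioned=SANCTIONED):
    """Sum bytes per (src, dst) and return alerts for unsanctioned pairs at or over threshold."""
    totals = defaultdict(int)
    first_seen = {}
    for f in flows:
        key = (f.src, f.dst)
        totals[key] += f.bytes_out
        first_seen.setdefault(key, f.ts)
    alerts = []
    for key in sorted(totals):
        total = totals[key]
        if key in sanctioned or total < threshold:
            continue
        alerts.append({
            "src": key[0],
            "dst": key[1],
            "gib": round(total / GIB, 2),
            "first_seen": first_seen[key].isoformat(),
            "off_hours": off_hours(first_seen[key]),
        })
    return alerts


if __name__ == "__main__":
    for alert in egress_alerts(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

On the constructed data the file server's 12 GiB to mega.nz and 2 GiB to S3 are flagged (both starting at 02:10 UTC, so also off-hours), while the backup server's 40 GiB to its sanctioned bucket is not. The sanctioned list is what keeps this usable: without it, every legitimate bulk transfer becomes noise, and an operator who mimics the backup server's path would need the backup server's own identity to stay under the radar.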
Stage 7: Backup destruction
Before the payload runs, backups die. Volume Shadow Copies are deleted with vssadmin or wmic. Windows Server Backup catalogs are wiped. Veeam, Commvault, and similar backup servers are specifically targeted: operators harvest credentials from their consoles, log in, and either delete or encrypt their repositories. Cloud snapshots get the same treatment if cloud-admin keys are available. The point is to remove every option except paying.
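Shadow-copy and catalog deletion are among the loudest events in the whole chain, because they are almost never legitimate outside a scheduled maintenance window. As an added example (not from the article), the detector below runs a small rule set over constructed process-creation events in JSON-lines form. It covers the vssadmin and wmic deletions the article names and adds wbadmin catalog deletion, vssadmin shadow-storage resizing and WMI-via-PowerShell deletion, which are other commonly observed ways of removing shadow copies; the event layout, hostnames and accounts are constructed.

```python
"""Backup-destruction command-line detector over constructed process-creation events.

Added example for this article, not part of it. The JSON-lines event layout,
hostnames and accounts are constructed; the patterns cover the vssadmin and
wmic deletions the article names plus wbadmin catalog deletion, vssadmin
shadow-storage resizing and WMI-via-PowerShell deletion, which are other
commonly observed ways to remove Volume Shadow Copies.
"""
import json
import re
from collections import Counter

# Constructed events in the shape an EDR or Sysmon process-creation feed might
# be normalised to. The third line is a benign "list" and must not fire.
SAMPLE_EVENTS = r"""
{"ts":"2024-05-01T02:55:12Z","host":"fs01","user":"CORP\\Administrator","parent":"cmd.exe","cmdline":"vssadmin delete shadows /all /quiet"}
{"ts":"2024-05-01T02:55:13Z","host":"fs01","user":"CORP\\Administrator","parent":"cmd.exe","cmdline":"wmic shadowcopy delete"}
{"ts":"2024-05-01T08:12:40Z","host":"ws17","user":"CORP\\jsmith","parent":"explorer.exe","cmdline":"vssadmin list shadows"}
{"ts":"2024-05-01T02:58:01Z","host":"bkp02","user":"CORP\\svc_veeam","parent":"cmd.exe","cmdline":"wbadmin delete catalog -quiet"}
{"ts":"2024-05-01T02:59:30Z","host":"fs01","user":"CORP\\Administrator","parent":"powershell.exe","cmdline":"powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}\""}
{"ts":"2024-05-01T03:01:05Z","host":"dc01","user":"CORP\\admin","parent":"cmd.exe","cmdline":"vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"}
"""

# Rule name and case-insensitive command-line pattern. ".exe" is optional
# because operators invoke these tools both ways.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("powershell_shadowcopy_delete", re.compile(r"Win32_ShadowCopy.*\b(?:Delete|Remove)\b", re.I)),
    ("vssadmin_resize_shadowstorage", re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
]


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_backup_tampering(events):
    """Return one alert per (event, rule) match, preserving event order."""
    alerts = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append({"rule": name, "ts": ev["ts"], "host": ev["host"],
                               "user": ev["user"], "parent": ev["parent"],
                               "cmdline": ev["cmdline"]})
    return alerts


def summarize_by_host(alerts):
    """Alert count per host. Several distinct rules firing on one host within
    minutes is the pattern that immediately precedes payload deployment."""
    return dict(Counter(a["host"] for a in alerts))


if __name__ == "__main__":
    hits = detect_backup_tampering(parse_events(SAMPLE_EVENTS))
    for hit in hits:
        print(hit["ts"], hit["host"], hit["rule"], "<-", hit["cmdline"])
    print(summarize_by_host(hits))
```

Five of the six constructed events fire; the benign `vssadmin list shadows` does not. The per-host summary is the useful output for a SOC: fs01 triggering three different rules in a five-minute window is a far stronger signal than any single command, and it usually arrives before the encryptor has been pushed, which makes this one of the last practical chances to isolate hosts.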
Stage 8: Encryption
Now the ransomware payload is deployed at scale, typically through Group Policy, PsExec, or by pushing to ESXi hypervisors directly. Modern lockers use a hybrid scheme: a per-file symmetric key (AES or ChaCha20) encrypts each file, and that key is wrapped with a public-key algorithm (RSA-2048, RSA-4096, or Curve25519) whose private half lives only on attacker infrastructure. Many families partially encrypt large files for speed, encrypting only headers or interleaved chunks: enough to make the file useless without decryption, fast enough to finish before defenders can react. ESXi variants of the payload encrypt VMDK files directly, taking out hundreds of virtual servers in minutes.
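Partial encryption has a practical consequence for responders: after an incident, a share may hold a mix of intact, header-only-encrypted and fully encrypted files, and the extension may or may not have changed. As an added example (not from the article), the triage routine below compares the Shannon entropy of a file's header region with the rest of the file and checks the magic bytes expected for its extension, which separates the three cases on constructed samples. The header length, entropy thresholds, magic table and sample contents are assumptions chosen for the demonstration.

```python
"""Entropy triage for files touched by a partial-encryption locker.

Added example for this article, not part of it: it compares the Shannon
entropy of a file's header region with the rest of the file and checks the
expected magic bytes for the extension, so responders can separate intact,
partially encrypted and fully encrypted files. The header length, thresholds,
magic table and sample contents are constructed assumptions.
"""
import math
import random
from collections import Counter

HEADER_LEN = 4096          # assumed size of the region a partial encryptor overwrites
HIGH_ENTROPY = 7.0         # bits per byte; random or encrypted data sits near 8
LOW_ENTROPY = 6.0          # typical text and most document formats sit well below

# Assumed magic bytes for a few formats; enough for the demonstration.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".docx": b"PK\x03\x04"}


def shannon_entropy(data):
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _pseudo_random_bytes(n, seed):
    """Deterministic stand-in for ciphertext so the samples are reproducible."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: a plausible "document", the same file with its first
# HEADER_LEN bytes overwritten by ciphertext-like bytes, and one fully overwritten.
_TEXT = b"Quarterly revenue summary. Customer list attached. Contract renewal terms.\n" * 900
INTACT_PDF = b"%PDF-1.7\n" + _TEXT
PARTIAL_PDF = _pseudo_random_bytes(HEADER_LEN, 1) + INTACT_PDF[HEADER_LEN:]
FULL_ENC = _pseudo_random_bytes(len(INTACT_PDF), 2)


def classify(data, ext, header_len=HEADER_LEN):
    """Classify one file's bytes as intact, partially_encrypted, fully_encrypted or inconclusive."""
    header, body = data[:header_len], data[header_len:]
    h_ent, b_ent = shannon_entropy(header), shannon_entropy(body)
    magic = MAGIC.get(ext.lower())
    magic_ok = data.startswith(magic) if magic else None   # None: no magic known for ext
    if h_ent >= HIGH_ENTROPY and b_ent >= HIGH_ENTROPY:
        verdict = "fully_encrypted"
    elif h_ent >= HIGH_ENTROPY and b_ent <= LOW_ENTROPY:
        verdict = "partially_encrypted"
    elif h_ent <= LOW_ENTROPY and b_ent <= LOW_ENTROPY and magic_ok is not False:
        verdict = "intact"
    else:
        verdict = "inconclusive"
    return {"header_entropy": round(h_ent, 2), "body_entropy": round(b_ent, 2),
            "magic_ok": magic_ok, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("intact", INTACT_PDF), ("partial", PARTIAL_PDF), ("full", FULL_ENC)):
        print(label, classify(sample, ".pdf"))
```

Two caveats a practitioner would apply before trusting this on a real share: already-compressed formats (ZIP-based Office documents, JPEGs, archives) have high entropy everywhere, so for them the magic-byte check carries the weight and the verdict is often "inconclusive" rather than "fully_encrypted"; and the header length must match what the family actually overwrites, which is why the value is a parameter and not a constant baked into the logic.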
Stage 9: The ransom note
Notes are dropped in every directory and often as desktop wallpaper. They direct victims to a Tor-based negotiation portal, with a unique ID, a chat interface, and a countdown clock. The portal is staffed; modern operators run it like a B2B sales channel, with "discounts" for fast payment, "proofs" of data, and sample decryptions of a few files to demonstrate that decryption is possible.
Stage 10: Extortion and post-exploitation
If the victim refuses to pay, the operator escalates. Stolen data is teased on the group’s leak site, then published in increments. Some groups call customers and journalists directly, send emails to employees, or launch DDoS attacks against the victim’s public services. A few have begun reporting victims to data-protection regulators and stock-market disclosure regimes to manufacture additional pressure.
If the victim does pay, they receive a decryptor (usually buggy, often slow, occasionally broken) and a promise that the stolen data has been deleted. That promise is essentially never verifiable, and recidivism is common: roughly a third of victims who pay are hit again, sometimes by the same group under a different brand.
Where the kill chain breaks
The good news for defenders is that this is a long chain and every link is an opportunity. MFA breaks Stage 1. EDR with credential-theft protection breaks Stage 4. Network segmentation and tiered admin models break Stage 5. Egress monitoring catches Stage 6. Immutable, offline, tested backups make Stage 7 fail. And a rehearsed incident-response plan turns a Stage 9 ransom note from a corporate crisis into a manageable Tuesday.
