
A single employee clicks on an email attachment at 9:47 AM. By 10:15 AM, your entire network is encrypted. Ransomware moves this fast because attackers spend weeks preparing before you ever see a ransom note.
Here’s what most security guides miss: ransomware isn’t a single attack. It’s a seven-stage process that criminals have perfected through thousands of successful breaches. IBM’s 2025 Cost of a Data Breach Report shows that these attacks now cost businesses an average of $4.4 million.
We analyzed the attack chain used in major ransomware incidents, from initial breach to final encryption, to show you exactly what happens at each stage. This breakdown reveals where criminals are most vulnerable and where your defenses matter most.
You’ll learn what attackers do during their weeks inside your network, why they target specific systems first, and which defensive measures actually stop them. No fluff. Just the attack sequence security teams need to understand.
Stage 1: The Initial Access – How Attackers Get In
Criminals need a way into your network first. They use several proven methods.
The phishing email scheme remains the top entry point. An employee receives what seems to be a legitimate invoice or shipping notification. They click the malicious link or download the attachment. That single click gives attackers a foothold.
Exploit kits target software vulnerabilities. If your team hasn’t patched a known security flaw, attackers scan for it and exploit it. They automate this process to hit hundreds of targets quickly.
RDP attacks occur when the Remote Desktop Protocol is exposed to the internet. Attackers run automated tools that try thousands of random password combinations until they find one that works.
Compromised credentials come from previous breaches. Criminals buy username and password lists on dark web markets. They try these credentials across multiple services because people reuse passwords.
Supply chain attacks sneak through trusted vendors. An attacker compromises a software provider or service partner, then uses that relationship to access customer networks.
The key lesson here: attackers have multiple doors to try. Your defense needs to cover all of them. To understand how ransomware works step by step, let’s examine what happens after attackers gain that initial foothold.
Stage 2: Establishing Persistence
Getting in once isn’t enough. Attackers need to stay in even if the system reboots or someone logs them out.
They modify Windows registry keys to launch their tools automatically at startup. They create scheduled tasks that run malicious scripts at specific times. Some attackers add new user accounts with admin privileges or change existing account permissions.
These persistence mechanisms work quietly in the background. Most users never notice them. The attackers can now disconnect and reconnect at will.
Modern ransomware groups use “living off the land” techniques. They abuse legitimate Windows tools like PowerShell and WMI instead of dropping obvious malware files. This makes detection much harder.
Stage 3: Privilege Escalation
Next, attackers need higher privileges so they can change systems, access more data and avoid detection.
Why higher privileges matter: With admin or domain-admin rights, attackers can disable security controls, access backup systems, and deploy ransomware widely.
Common escalation techniques include:
- Exploiting local vulnerabilities (unpatched OS or application bugs) to elevate privileges.
- Credential dumping tools (e.g., Mimikatz) to extract passwords, hashes, and tokens from memory.
- Token manipulation and impersonation to assume higher-privilege identities.
The move from a regular user to an admin or domain admin multiplies the potential damage an attacker can cause. Systems, backups, and domain controllers become reachable.
Stage 4: Lateral Movement and Discovery
Attackers spend days or weeks mapping your environment. They identify domain controllers, file servers, backup systems, and databases. They scan for other connected systems and look for paths between them.
They use network-scanning tools to build a comprehensive picture of your infrastructure. They identify which systems hold the most valuable data. They locate your backup systems because those are priority targets.
Moving between systems happens through several methods:
- Pass-the-hash attacks let them authenticate without knowing the actual passwords
- Remote execution tools like PsExec allow them to run commands on other machines
- They exploit trust relationships between systems and domains
Security researchers call the time attackers spend inside your network before launching ransomware the “dwell time.” According to the 2025 Sophos Active Adversary Report, the dwell time dropped to 2 days.
During this phase, attackers also disable or uninstall security software. They delete backup files and snapshots. They want to remove your recovery options before the final ransomware attack.
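Two of the lateral-movement traces described in this stage can be picked out of ordinary Windows event telemetry: NTLM network logons from one account fanning out to many hosts (the shape pass-the-hash leaves) and PsExec-style service installs. This is an added example, not code from the original article; the events are constructed, with simplified field names standing in for the real 4624 and 7045 event fields.

```python
from collections import defaultdict

# Constructed Windows event samples (not from a real incident). One workstation
# account reaches several servers over NTLM network logons, then a PsExec-style
# service appears on a file server. Keys are simplified stand-ins for the real
# Security (4624) and System (7045) event fields.
EVENTS = [
    {"id": 4624, "host": "FS01", "user": "jdoe", "src": "WS17", "logon_type": 3, "auth": "NTLM"},
    {"id": 4624, "host": "DC01", "user": "jdoe", "src": "WS17", "logon_type": 3, "auth": "NTLM"},
    {"id": 4624, "host": "BKP01", "user": "jdoe", "src": "WS17", "logon_type": 3, "auth": "NTLM"},
    {"id": 4624, "host": "FS01", "user": "svc_backup", "src": "BKP01", "logon_type": 3, "auth": "Kerberos"},
    {"id": 4624, "host": "WS02", "user": "asmith", "src": "WS02", "logon_type": 2, "auth": "Negotiate"},
    {"id": 7045, "host": "FS01", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "host": "DC01", "service": "BackupAgent", "image": r"C:\Program Files\Backup\agent.exe"},
]

FANOUT_THRESHOLD = 3  # distinct target hosts per (account, source); tune per environment


def ntlm_fanout(events, threshold=FANOUT_THRESHOLD):
    """Return {(user, src): sorted targets} for accounts that reached at least
    `threshold` distinct hosts via NTLM network logons (logon type 3).
    Kerberos and interactive logons are ignored; a domain-joined account
    authenticating with NTLM to many hosts from one source is the pattern worth triage."""
    targets = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3 and e["auth"] == "NTLM":
            targets[(e["user"], e["src"])].add(e["host"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= threshold}


def remote_exec_services(events):
    """Return (host, service) pairs for service installs that look like PsExec."""
    markers = ("PSEXESVC",)  # extend with other remote-execution service names you track
    return [(e["host"], e["service"]) for e in events
            if e["id"] == 7045
            and any(m in e["service"].upper() or m in e["image"].upper() for m in markers)]


def triage(events):
    """Render both detections as alert strings for an analyst queue."""
    alerts = [f"NTLM fan-out: {user} from {src} -> {', '.join(hosts)}"
              for (user, src), hosts in ntlm_fanout(events).items()]
    alerts += [f"Remote-exec service installed on {host}: {svc}"
               for host, svc in remote_exec_services(events)]
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

In production the same logic runs over a SIEM export with the real field names; the threshold is the main knob, since a few noisy admin accounts will need an allow-list.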
Stage 5: Data Exfiltration – The Double Extortion Tactic
Modern ransomware groups don’t just encrypt files anymore. They steal your data first. They copy sensitive information to external servers before encryption is launched. This includes financial records, customer data, employee information, intellectual property, and confidential communications.
Exfiltration occurs through encrypted channels to avoid detection. They upload data to cloud storage services, use FTP transfers, or route traffic through compromised servers.
Why steal data?
It gives them double leverage. Pay the ransom, or they will release your data publicly. Even if you restore from backups, they still pose a risk of leaking everything.
This tactic puts massive pressure on victims. The encryption might cause operational problems, but the data leak creates legal and reputational disasters.
Stage 6: Encryption Deployment
After weeks of preparation, attackers launch the encryption attack. Modern ransomware moves fast.
The malware uses strong encryption algorithms to lock files. It targets specific file types: documents, databases, images, and backups. It spreads across mapped network drives and connected systems simultaneously.
Some ransomware groups deploy encryption in stages. Others hit everything at once. The goal is to encrypt as much as possible before security teams respond.
The entire process can take minutes. By the time staff arrive at the office, thousands of systems sit locked with ransom notes displayed on every screen.
Those ransom notes include payment instructions, cryptocurrency wallet addresses, and deadlines. They provide links to dark websites where victims negotiate with attackers.
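Because the encryption phase rewrites many files across many shares in seconds, a burst detector over file-activity telemetry can raise an alert before the run completes. This is an added example, not code from the original article; the events are constructed, and the file paths, process names and thresholds are illustrative assumptions.

```python
import ntpath  # Windows path rules (backslashes, UNC) regardless of where this runs
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0
MIN_RENAMES = 5        # files rewritten with a new extension inside one window
MIN_DIRECTORIES = 2    # spread across folders/shares rather than one directory

# Constructed telemetry (not from a real incident): (time_s, process, old_path, new_path).
# A backup job rewrites files in place; one unknown process renames documents,
# PDFs and a database under a new extension across two file servers within a second.
FILE_EVENTS = [
    (10.0, "backup.exe", r"\\FS01\finance\q3.xlsx", r"\\FS01\finance\q3.xlsx"),
    (11.5, "backup.exe", r"\\FS01\hr\roster.docx", r"\\FS01\hr\roster.docx"),
    (60.0, "updater.exe", r"\\FS01\finance\q3.xlsx", r"\\FS01\finance\q3.xlsx.locked"),
    (60.2, "updater.exe", r"\\FS01\finance\budget.pdf", r"\\FS01\finance\budget.pdf.locked"),
    (60.4, "updater.exe", r"\\FS01\hr\roster.docx", r"\\FS01\hr\roster.docx.locked"),
    (60.6, "updater.exe", r"\\FS02\legal\nda.docx", r"\\FS02\legal\nda.docx.locked"),
    (60.8, "updater.exe", r"\\FS02\legal\contract.pdf", r"\\FS02\legal\contract.pdf.locked"),
    (61.0, "updater.exe", r"\\FS02\eng\design.db", r"\\FS02\eng\design.db.locked"),
    (90.0, "winword.exe", r"\\FS01\hr\notes.txt", r"\\FS01\hr\notes.docx"),  # one legitimate save-as
]


def extension_changed(old_path, new_path):
    """True when a rewrite/rename gave the file a different extension."""
    return ntpath.splitext(old_path)[1].lower() != ntpath.splitext(new_path)[1].lower()


def detect_encryption_bursts(events, window=WINDOW_SECONDS,
                             min_renames=MIN_RENAMES, min_dirs=MIN_DIRECTORIES):
    """Return {process: (renames, directories)} for processes that changed the
    extension of at least `min_renames` files spread over `min_dirs` directories
    within one sliding window. `events` must be sorted by time."""
    recent = defaultdict(deque)  # process -> deque of (time, directory) inside the window
    hits = {}
    for t, proc, old, new in events:
        if not extension_changed(old, new):
            continue
        q = recent[proc]
        q.append((t, ntpath.dirname(old)))
        while q and t - q[0][0] > window:
            q.popleft()
        dirs = {d for _, d in q}
        if len(q) >= min_renames and len(dirs) >= min_dirs:
            hits[proc] = (len(q), len(dirs))  # keep the latest, largest burst
    return hits


if __name__ == "__main__":
    for proc, (n, d) in detect_encryption_bursts(FILE_EVENTS).items():
        print(f"Possible encryption burst: {proc} rewrote {n} files across {d} directories")
```

The response hook belongs in the caller: on a hit, isolate the host running the process and pause share access, then confirm with the file server's own audit log.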
Stage 7: Ransom Negotiation and Recovery
Victims face a difficult choice. Pay or don’t pay.
If they choose to negotiate, they communicate through encrypted chat systems on the dark web. Attackers demand payment in Bitcoin or Monero. Ransom amounts range from thousands to millions of dollars, depending on the victim’s size and ability to pay.
Payment doesn’t guarantee file recovery. Some ransomware groups provide working decryption tools. Others provide broken tools or disappear after receiving payment.
There’s no customer service for ransomware victims.
Recovery options include:
- Restoring from clean backups if they exist and weren’t compromised
- Using free decryption tools when available for older ransomware variants
- Rebuilding systems from scratch
- Working with law enforcement and cybersecurity firms
Most security experts and law enforcement agencies recommend against paying. It funds criminal operations and encourages more attacks.
Prevention and Detection Strategies
Preventing ransomware requires a multi-layered security approach. Here are key strategies relevant to organizations:
| Control | Description |
| --- | --- |
| Network segmentation | Isolate critical systems (backup servers, domain controllers) to prevent attackers from moving freely across the network |
| Endpoint protection and EDR | Deploy tools to detect unusual processes, privilege escalation, credential misuse, and lateral movement |
| Email security and filtering | Use strong email filters, scan links and attachments, and train users on phishing awareness |
| Zero-trust architecture | Assume no user/device is trusted by default; verify identity and limit access to necessary resources |
| Regular patching and updates | Keep software updated to close exploitable vulnerabilities |
| Backup strategies | Follow the 3-2-1 rule: 3 copies, 2 media types, 1 off-site; use immutable or air-gapped backups |
| Security awareness training | Train employees on phishing recognition, credential hygiene, and safe behaviors |
| Incident response planning | Develop and test plans for ransomware response, including isolation, communication, and law enforcement contacts |
Combining these controls reduces compromise risk, shortens dwell time, enhances detection, and improves recovery assurance.
Conclusion
Ransomware attacks follow a predictable pattern. Attackers break in, establish persistence, escalate privileges, map your network, steal sensitive data, and finally deploy encryption.
Each stage takes time and leaves traces. That gives you opportunities to detect and stop attacks before they cause damage. Understanding the complete attack chain helps you build defenses that actually work.
Review your current security posture against each stage discussed here. Find the gaps and fix them. The criminals are already planning their next attack.