Ransomware is no longer a simple piece of malware that encrypts your files and demands Bitcoin. Modern ransomware attacks are sophisticated multi-stage operations that can spend weeks inside a network before triggering — and by the time the ransom note appears, the damage is already done.
Understanding exactly how these attacks unfold is the first step to stopping them.
The Modern Ransomware Attack Lifecycle
Stage 1: Initial Access (Days 1–3)
Attackers need a foothold. The most common entry points in 2026:
Phishing emails (35% of incidents) A malicious attachment or link delivers a dropper that establishes a beachhead. Modern phishing uses AI-generated content that passes spam filters and is indistinguishable from legitimate business email.
Exposed RDP (27% of incidents) Windows Remote Desktop Protocol exposed to the internet is a primary entry point. Attackers scan the entire internet continuously — your RDP server will be found within minutes of being exposed. Default or weak credentials are brute-forced.
# What attackers see within 60 seconds of you opening RDP to the internet:
[*] Scanning for open RDP (port 3389)...
[*] Found: 203.0.113.45:3389
[*] Attempting credential pairs from 2024-2025 breach databases...
Vulnerabilities in internet-facing systems (21% of incidents) Unpatched VPNs, firewalls, and web servers are scanned and exploited automatically. The Ivanti vulnerabilities in early 2026 were weaponised within 48 hours of disclosure.
Compromised credentials from third parties (17% of incidents) Credentials purchased on dark web markets from previous breaches, or stolen from a compromised vendor with access to your network.
Stage 2: Persistence and Privilege Escalation (Days 3–14)
Once inside, attackers establish persistence (so they survive reboots and discovery) and escalate privileges to administrator or domain admin level.
Common persistence mechanisms:
- Scheduled tasks that run the C2 agent every 15 minutes
- Registry run keys
- Services that auto-start on boot
- Legitimate tools like AnyDesk or TeamViewer installed as a secondary backdoor
Privilege escalation techniques:
- Kerberoasting — requesting Kerberos tickets for service accounts and cracking them offline
- Pass-the-Hash — capturing and reusing NTLM password hashes without knowing the plaintext
- Local admin password reuse — if every machine shares the same local admin password, compromising one of them is game over: that single credential works for lateral movement to all of them
- Exploiting unpatched local vulnerabilities (PrintNightmare, noPac, etc.)
Stage 3: Reconnaissance and Lateral Movement (Days 14–30)
With elevated privileges, attackers map the network — finding valuable data, backup systems, domain controllers, and security tools to disable.
Tools commonly seen in this phase:
- BloodHound: Maps Active Directory and identifies the shortest path to domain admin
- Cobalt Strike / Brute Ratel: Commercial C2 frameworks used by both red teamers and criminals
- Mimikatz: Extracts credentials from memory
- Advanced IP Scanner / nmap: Discovers all hosts on the network
The goal of this phase is to answer three questions:
- Where is the sensitive data?
- Where are the backups?
- What security tools are present and how do I disable them?
Stage 4: Data Exfiltration (Days 25–35)
Modern ransomware groups steal data before encrypting it — this is the “double extortion” component. Gigabytes of sensitive files are quietly transferred to attacker-controlled cloud storage (often using legitimate services like Mega.nz or Rclone to avoid detection).
This data becomes leverage: pay the ransom, or we publish your customer records, financial data, and confidential communications on our leak site.
Exfiltration red flags:
- Unusually large DNS queries
- New outbound connections to cloud storage services outside business hours
- Large file transfers to unknown external IPs
- Activity from service accounts that don’t normally generate network traffic
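An added example (not code from the original article) that turns three of the red flags above into detection rules and runs them over constructed log records; the log format, the business-hours window, the byte threshold and the DNS length limits are assumptions, and only mega.nz among the watched domains comes from the text.

```python
"""Exfiltration red-flag rules run over constructed log lines.
Assumed log format: ts,type,src,dest,bytes_out (one record per line)."""
from datetime import datetime

BUSINESS_HOURS = range(8, 18)                  # assumed local working hours
CLOUD_STORAGE = {"mega.nz", "storage.example-cloud.test"}  # mega.nz from the article; second is a placeholder
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024       # assumed threshold for a single flow
MAX_DNS_QNAME = 100                            # assumed; normal business names are far shorter
MAX_DNS_LABEL = 52                             # encoded data chunks push one label past this

# Constructed sample log (not real traffic)
SAMPLE_LOG = """\
2026-03-06T10:02:11,dns,WS-041,www.microsoft.com,0
2026-03-06T22:14:03,dns,WS-041,6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f.tunnel.example,0
2026-03-06T14:05:17,conn,WS-017,mega.nz,2048
2026-03-06T23:40:55,conn,SQL-01,mega.nz,734003200
2026-03-07T01:12:09,conn,SVC-BACKUP,198.51.100.23,1073741824
"""


def is_cloud_storage(dest):
    return any(dest == d or dest.endswith("." + d) for d in CLOUD_STORAGE)


def check_line(line):
    """Return (rule, src, dest) alerts raised by one log record."""
    ts, kind, src, dest, nbytes = line.split(",")
    hour = datetime.fromisoformat(ts).hour
    alerts = []
    if kind == "dns":
        # Oversized names or labels are the usual shape of data tunnelled over DNS
        if len(dest) > MAX_DNS_QNAME or max(len(l) for l in dest.split(".")) > MAX_DNS_LABEL:
            alerts.append(("oversized_dns_query", src, dest))
    elif kind == "conn":
        if is_cloud_storage(dest) and hour not in BUSINESS_HOURS:
            alerts.append(("offhours_cloud_storage", src, dest))
        if int(nbytes) >= LARGE_TRANSFER_BYTES:
            alerts.append(("large_outbound_transfer", src, dest))
    return alerts


def scan(log_text):
    """Run every rule over every record; alerts come back in log order."""
    alerts = []
    for line in log_text.strip().splitlines():
        alerts.extend(check_line(line))
    return alerts


if __name__ == "__main__":
    for rule, src, dest in scan(SAMPLE_LOG):
        print(f"[ALERT] {rule}: {src} -> {dest}")
```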
Stage 5: Backup Destruction (Days 33–36)
This is the step that makes recovery impossible for unprepared organisations. Before triggering encryption, attackers:
- Delete Volume Shadow Copies on Windows (vssadmin delete shadows /all)
- Locate and encrypt or delete network-attached backup shares
- Destroy cloud backup configurations where credentials were found
- Disable backup agents and scheduled backup jobs
If your backups are accessible from a compromised network, they will be destroyed.
Stage 6: Deployment and Encryption (Day 36)
The final stage happens fast — typically outside business hours (Friday evenings are popular). The ransomware binary is pushed to all compromised systems simultaneously via Group Policy, PsExec, or the C2 framework.
Modern encryption optimisations:
- Intermittent encryption: Only encrypts every other 256KB block — still renders files useless but completes faster and generates less I/O (evading some monitoring tools)
- Targeting high-value extensions first: Documents, databases, and virtual machine files before everything else
- Killing processes: Databases, email servers, and backup agents are killed so their files can be encrypted
The ransom note appears. The clock starts.
The Business Cost
Average total cost of a ransomware attack (2026):
- Ransom payment: $1.6M (average paid, when paid)
- Downtime costs: $1.4M (average 21 days of disruption)
- Recovery costs: $2.2M (forensics, rebuilding, security improvements)
- Regulatory fines: Variable ($0 to $20M+)
- Reputational damage: Unquantifiable
Total average cost: $5.2M — not including reputational damage.
The Defence Playbook
Prevent Initial Access
Patch immediately. The majority of ransomware entry points exploit vulnerabilities that had patches available. Set up automatic updates. Subscribe to CISA’s Known Exploited Vulnerabilities catalogue.
Never expose RDP directly to the internet. Use a VPN or Cloudflare Zero Trust / Tailscale for remote access.
Email security:
✓ DMARC enforcement (p=reject)
✓ DKIM signing
✓ SPF record
✓ Email gateway with sandboxing (not just spam filtering)
✓ Staff training on phishing — quarterly simulations
MFA everywhere. Phished credentials are useless if MFA is required. Use hardware keys (FIDO2/WebAuthn) for admin accounts, authenticator apps for everyone else. Never SMS.
Limit Lateral Movement
Local Administrator Password Solution (LAPS): Randomises local admin passwords on every Windows machine so credential reuse is impossible.
Network segmentation: Workstations shouldn’t be able to talk directly to servers, and servers shouldn’t be able to talk to each other without a firewall rule. Flat networks allow ransomware to spread to every machine in minutes.
Privileged Access Workstations (PAWs): Admin tasks done only from dedicated machines not used for email and web browsing.
Disable legacy protocols: NTLM, SMBv1, and LM authentication are not needed in modern environments and are heavily abused in lateral movement.
The Backup Strategy That Survives Ransomware
The 3-2-1-1-0 rule:
- 3 copies of data
- 2 different media types
- 1 copy offsite
- 1 copy offline (air-gapped, disconnected from any network)
- 0 errors — test your restores monthly
Immutable backups: Cloud backup services that support immutability (AWS S3 Object Lock, Azure Blob immutable storage, Backblaze B2 Object Lock) prevent deletion even if admin credentials are compromised. This is the single most effective ransomware defence for SMBs.
Backup account isolation: The credentials used by backup software should exist only in the backup system’s configuration — never in Active Directory or accessible from domain admin accounts.
Detect Before Encryption
If you can detect the attack in Stages 1–4, you can stop it before encryption occurs.
What to monitor:
- New admin account creation
- Unusual service account activity or network connections
- Volume Shadow Copy deletion (immediate critical alert)
- Large outbound data transfers
- Lateral movement between workstations
- Security tool tampering or disablement
- BloodHound/Mimikatz-like activity patterns
Tools:
- Windows Event Logs + SIEM (Wazuh is free and capable for SMBs)
- EDR — CrowdStrike Falcon, SentinelOne, or Microsoft Defender for Endpoint
- Honeypot files — place obvious decoy Excel files named Salaries_2026.xlsx on file shares; if they’re opened or accessed from an unusual account, alert immediately
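An added example (not the article's own code) that implements three of the monitoring items above as rules over constructed Windows Security events: the event IDs 4688 (process creation), 4732 (member added to a local group) and 4663 (object access) are the standard Windows ones, while the flattened JSON layout, the account names and the allow-list for the decoy file are assumptions.

```python
"""Rules for shadow-copy deletion, admin-group additions and honeypot-file
access, run over constructed Windows Security events (one JSON object per line)."""
import json
import re

VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
HONEYPOT_FILES = {"Salaries_2026.xlsx"}   # decoy name used in the article
HONEYPOT_ALLOWED = {"hr-backup-svc"}      # assumed: the only account that may touch decoys
ADMIN_GROUPS = {"Administrators", "Domain Admins"}

# Constructed sample events; raw string so the UNC backslashes survive JSON decoding
SAMPLE_EVENTS = r"""
{"EventID": 4688, "SubjectUserName": "svc-web", "CommandLine": "vssadmin.exe delete shadows /all"}
{"EventID": 4688, "SubjectUserName": "jdoe", "CommandLine": "notepad.exe notes.txt"}
{"EventID": 4732, "SubjectUserName": "svc-web", "MemberName": "CN=backupadm,CN=Users,DC=corp,DC=local", "TargetUserName": "Administrators"}
{"EventID": 4663, "SubjectUserName": "svc-web", "ObjectName": "\\\\FS01\\Shares\\HR\\Salaries_2026.xlsx"}
{"EventID": 4663, "SubjectUserName": "hr-backup-svc", "ObjectName": "\\\\FS01\\Shares\\HR\\Salaries_2026.xlsx"}
"""


def evaluate(event):
    """Return (severity, description) for a suspicious event, else None."""
    eid = event.get("EventID")
    user = event.get("SubjectUserName", "?")
    if eid == 4688 and VSS_DELETE.search(event.get("CommandLine", "")):
        # Shadow-copy deletion precedes encryption: treat as an immediate critical alert
        return ("CRITICAL", f"shadow_copy_deletion by {user}")
    if eid == 4732 and event.get("TargetUserName") in ADMIN_GROUPS:
        return ("HIGH", f"admin_group_add {event.get('MemberName')} by {user}")
    if eid == 4663:
        name = event.get("ObjectName", "").rsplit("\\", 1)[-1]
        if name in HONEYPOT_FILES and user not in HONEYPOT_ALLOWED:
            return ("HIGH", f"honeypot_file_access {name} by {user}")
    return None


def scan(events_text):
    """Decode each JSON line and collect alerts in event order."""
    alerts = []
    for line in events_text.strip().splitlines():
        hit = evaluate(json.loads(line))
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for severity, description in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {description}")
```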
If You’re Hit
- Isolate immediately — disconnect affected systems from the network (unplug ethernet, disable Wi-Fi)
- Do not shut down — forensic evidence (including possible encryption keys) exists in RAM; consult an incident response firm before rebooting
- Call your IR firm before paying the ransom — many have decryptors for known ransomware families
- Report to authorities — FBI IC3, CISA (US), NCSC (UK) — they track actors and may have intelligence that helps
- Do not pay if you have clean backups — payment funds further attacks and doesn’t guarantee decryption
Check for free decryptors at NoMoreRansom.org before considering payment.
Ransomware Families to Know in 2026
| Family | Status | Targets | Note |
|---|---|---|---|
| LockBit 4.0 | Active | All sectors | Rebuilt after law enforcement takedown |
| Cl0p | Active | Enterprise, MOVEit-style zero-days | Mass-exploitation focus |
| BlackSuit | Active | Healthcare, education | Royal ransomware rebrand |
| RansomHub | Active | All sectors | Largest RaaS affiliate programme |
| Akira | Active | SMBs | Targets Cisco VPN vulnerabilities |
Conclusion
Ransomware is a business. The groups behind it have revenue targets, HR processes, and customer service departments for ransom negotiation. Defending against it requires treating security as a business process too — not a one-time purchase.
The organisations that survive ransomware attacks in 2026 are those that: can’t be breached easily, can detect attackers early if they do get in, and can restore from immutable backups if encryption does occur. Build those three capabilities and ransomware becomes a nuisance rather than a catastrophe.