Most people encounter ransomware at the end of the chain — the desktop wallpaper is replaced, the files are gone, the ransom note is everywhere. That moment feels sudden, but it isn't. What the user experienced as instant was the product of a process that could have taken minutes or weeks, depending on the variant and the attacker's objectives.
Understanding the full sequence matters not because it's academically interesting, but because every phase of the chain has a corresponding defensive opportunity. If you know where attacks move, you know where to look and what to harden.
Phase 1: Initial Access
The entry point is almost always one of three things: a malicious email attachment or link, an exposed and vulnerable service (RDP and VPNs without MFA are perennial favorites), or compromised credentials obtained from a previous breach.
The phishing route remains dominant because it's cheap, scalable, and targets the most difficult-to-patch component in any organization — the human. A convincing email asking a user to review a shared document, confirm an invoice, or reset a password is all it takes to get a malicious file executed on an endpoint inside the network perimeter.
External services are the second major vector. An RDP port exposed to the internet with weak or reused credentials is an open invitation. Attackers actively scan for these using automated tools, which means your exposed services will be found and tested within hours of going online.
Phase 2: Execution
Once the attacker has a foothold — whether through a macro-enabled document, a malicious link, or direct access to a service — code runs. In many modern ransomware campaigns, the initial execution doesn't immediately launch ransomware. Instead, it drops a loader or a reconnaissance tool designed to gather information about the environment: network topology, accessible shares, domain membership, backup configurations.
This is where defenders often have their best window. Behavioral detection tools that flag unexpected script execution, unusual process chains, or anomalous network scanning activity can catch this phase before encryption begins.
Phase 3: Privilege Escalation and Lateral Movement
Standard user-level access is limiting. Ransomware that only encrypts one user's documents causes limited damage. Attackers want domain admin — access to the entire Active Directory, every file server, every networked backup.
This phase involves exploiting local privilege escalation vulnerabilities, harvesting credentials from memory or from configuration files, and moving laterally across the network to reach higher-value systems. Compromised credentials are often used to authenticate to other machines over legitimate management protocols, making this activity genuinely hard to distinguish from normal administrative traffic without behavioral baselines.
Phase 4: Defense Evasion and Backup Sabotage
Before encryption, sophisticated ransomware operators will:
- Disable or tamper with security tools — antivirus, EDR agents, logging services
- Delete Volume Shadow Copies — Windows' built-in local backup mechanism, which is the most common first-response recovery option
- Target backup solutions — if backup agents are running on compromised machines, their repositories are often accessible and therefore encryptable
- Clear event logs — to slow forensic investigation after the fact
This phase is often what separates an incident that's recoverable in hours from one that takes weeks. An organization with offline, isolated backups survives this. One where all backups were accessible from domain-joined machines may not.
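As an added example (not code from the original article), the detection logic below runs over constructed process-creation records and flags the backup-sabotage cluster described above: shadow copy deletion, event log clearing and backup or security service stops on the same host within a short window. The hostnames, the backup service name and the simplified record format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (Sysmon event 1 style, simplified); hosts and service name are invented.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:14:05", "host": "FS01", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-03-01T02:14:09", "host": "FS01", "parent": "cmd.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"ts": "2024-03-01T02:14:40", "host": "FS01", "parent": "cmd.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"ts": "2024-03-01T02:15:01", "host": "FS01", "parent": "cmd.exe",
     "cmdline": "net.exe stop BackupAgentSvc"},
    {"ts": "2024-03-01T09:30:00", "host": "WS22", "parent": "explorer.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign: read-only query
    {"ts": "2024-03-01T11:00:00", "host": "ADM03", "parent": "powershell.exe",
     "cmdline": "wevtutil.exe cl Application"},        # lone hit, should not alert alone
]

# One pattern per sabotage behaviour named in the article.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I),
    "backup_or_security_service_stop": re.compile(
        r"\b(net|sc)(\.exe)?\s+stop\s+\S*(backup|defend|edr|sense)", re.I),
}

def classify(event):
    """Names of the rules whose pattern matches this event's command line."""
    return [name for name, pat in RULES.items() if pat.search(event["cmdline"])]

def correlate(events, window=timedelta(minutes=10), min_categories=2):
    """Per host, flag when >= min_categories distinct behaviours occur within
    `window`; a lone hit stays a low-priority signal, the cluster is the alert."""
    hits = defaultdict(list)
    for ev in events:
        for rule in classify(ev):
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), rule))
    alerts = {}
    for host, items in hits.items():
        items.sort()
        for t0, _ in items:
            cats = {r for t, r in items if t0 <= t <= t0 + window}
            if len(cats) >= min_categories:
                alerts[host] = sorted(cats)
                break
    return alerts
```

Tuning the window and the category threshold against your own baseline is what keeps the lone admin running a log clear from paging anyone.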
Phase 5: Encryption
The encryption itself is technically sophisticated. Modern ransomware uses asymmetric cryptography in a hybrid scheme: each file is encrypted with its own symmetric key, and that per-file key is then encrypted with a public key embedded in the malware, whose matching private key only the attacker holds. The only way to reverse this without the attacker's private key is to break the cryptography, which is computationally infeasible for well-implemented schemes.
The encryption process prioritizes document files, spreadsheets, databases, images, and other high-value user data. It typically skips the system files needed to keep the OS running — the machine needs to stay functional enough to display the ransom note.
Encrypted files are renamed with a new extension, the ransom note is written to every affected directory, and the desktop wallpaper is changed to maximize psychological impact. The machine is technically operational. All your data is gone.
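An added example, not part of the original article, of the file activity monitoring that the encryption phase leaves room for: it slides a time window over constructed file-server audit events and alerts on a burst of renames to an extension absent from the baseline, and on the same new filename appearing in many directories (the note drop). The share paths, the `.lockd` extension and the note name are invented.

```python
import ntpath
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed file-activity events (as a file-server audit feed or EDR might emit); paths are invented.
def _ev(ts, op, path, new=None):
    return {"ts": datetime.fromisoformat(ts), "op": op, "path": path, "new": new}

SAMPLE_EVENTS = [
    _ev("2024-03-01T02:20:00", "rename", r"\\FS01\share\finance\q1.xlsx", r"\\FS01\share\finance\q1.xlsx.lockd"),
    _ev("2024-03-01T02:20:01", "rename", r"\\FS01\share\finance\q2.xlsx", r"\\FS01\share\finance\q2.xlsx.lockd"),
    _ev("2024-03-01T02:20:01", "create", r"\\FS01\share\finance\README_RESTORE.txt"),
    _ev("2024-03-01T02:20:02", "rename", r"\\FS01\share\hr\policy.docx", r"\\FS01\share\hr\policy.docx.lockd"),
    _ev("2024-03-01T02:20:02", "create", r"\\FS01\share\hr\README_RESTORE.txt"),
    _ev("2024-03-01T02:20:03", "rename", r"\\FS01\share\hr\photo.jpg", r"\\FS01\share\hr\photo.jpg.lockd"),
    _ev("2024-03-01T02:20:03", "rename", r"\\FS01\share\eng\spec.pdf", r"\\FS01\share\eng\spec.pdf.lockd"),
    _ev("2024-03-01T02:20:04", "create", r"\\FS01\share\eng\README_RESTORE.txt"),
    _ev("2024-03-01T10:05:00", "rename", r"\\FS01\share\eng\draft.docx", r"\\FS01\share\eng\draft_v2.docx"),  # benign
    _ev("2024-03-01T10:06:00", "rename", r"\\FS01\share\eng\old.tmp", r"\\FS01\share\eng\old.bak"),          # benign
]

# Extensions the organisation's baseline says are normal on this share (assumed).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".bak", ".tmp"}

def suspicious_rename(ev):
    """True when a rename swaps the extension for one absent from the baseline."""
    old_ext = ntpath.splitext(ev["path"])[1].lower()
    new_ext = ntpath.splitext(ev["new"])[1].lower()
    return new_ext != old_ext and new_ext not in KNOWN_EXTENSIONS

def detect(events, window=timedelta(seconds=30), rename_threshold=5, note_dirs=3):
    """Return (kind, detail, count) alerts for the first window that trips, else []."""
    evs = sorted(events, key=lambda e: e["ts"])
    for i, start in enumerate(evs):
        win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
        alerts = []
        renames = [e for e in win if e["op"] == "rename" and suspicious_rename(e)]
        if len(renames) >= rename_threshold:
            exts = Counter(ntpath.splitext(e["new"])[1].lower() for e in renames)
            alerts.append(("mass_rename", exts.most_common(1)[0][0], len(renames)))
        dirs_by_name = defaultdict(set)                 # same new filename in many dirs
        for e in win:
            if e["op"] == "create":
                dirs_by_name[ntpath.basename(e["path"]).lower()].add(ntpath.dirname(e["path"]))
        for name, dirs in dirs_by_name.items():
            if len(dirs) >= note_dirs:
                alerts.append(("note_in_many_dirs", name, len(dirs)))
        if alerts:
            return alerts
    return []
```

The alert is the trigger for the endpoint isolation step in the table; the thresholds are deliberately low here and would be set from observed rename rates in a real deployment.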
Phase 6: Extortion
Modern ransomware groups typically operate a double extortion model: they encrypt your files and exfiltrate copies before doing so. The ransom demand therefore includes both a decryption key and a promise not to publish the stolen data.
This changes the calculus significantly. Even an organization with perfect backups faces potential exposure of sensitive customer or business data if exfiltration occurred during the lateral movement phase.
Where the Chain Can Be Broken
| Phase | Defensive Control |
|---|---|
| Initial Access | Email filtering, phishing training, MFA on external services |
| Execution | Macro policies, application whitelisting, EDR behavioral detection |
| Lateral Movement | Network segmentation, least privilege, credential hygiene |
| Backup Sabotage | Offline/immutable backups, backup systems off domain |
| Encryption | Rapid detection via file activity monitoring, endpoint isolation |
No single control stops every attack. The value of understanding the chain is knowing which controls address which phases — and building defense-in-depth accordingly.