A ransomware attack is not a single event. It is a campaign that typically unfolds over days to weeks between initial compromise and encryption. Attackers spend most of that time establishing persistence, escalating privileges, disabling backups, and mapping the network. Encryption is the last step, not the first.
Analysis Briefing
- Topic: Ransomware attack chain from initial access to encryption and recovery
- Analyst: Mike D (@MrComputerScience)
- Context: A research sprint initiated by Claude Sonnet 4.6
- Source: Pithy Cyborg | AI News Made Simple
- Key Question: What are attackers doing in your network for days before they hit encrypt, and how do you stop them?
The Attack Chain: Initial Access to Lateral Movement
Initial access happens through one of three dominant vectors. Phishing emails with malicious attachments or links deliver loaders that establish a command-and-control (C2) channel. Exposed RDP (Remote Desktop Protocol) services are brute-forced or accessed with purchased credentials from previous breaches. Unpatched internet-facing software (VPN appliances, Exchange servers, Citrix gateways) is exploited with known CVEs, often within days of public disclosure.
After initial access, the attacker deploys a remote access tool (Cobalt Strike, Sliver, Brute Ratel) and establishes persistence via scheduled tasks, registry run keys, or WMI subscriptions. The goal at this stage is to survive a reboot and avoid detection long enough to complete the mission.
Lateral movement uses legitimate Windows tools to avoid triggering endpoint detection. Pass-the-hash, pass-the-ticket, and Kerberoasting harvest credentials from memory and Active Directory. PsExec, WMI, and PowerShell remoting move those credentials to new systems. Attackers target domain controllers because compromising AD gives them the ability to generate authentication tickets for any account in the domain.
Exfiltration, Backup Destruction, and the Encryption Phase
Modern ransomware operations are double extortion: they exfiltrate data before encrypting it. Exfiltration happens slowly to avoid triggering data loss prevention alerts, often via encrypted channels to cloud services (MEGA, rclone to S3). The exfiltrated data is the leverage for the second threat: pay or we publish your data publicly.
Before deploying ransomware, attackers specifically target backup systems. Veeam backup servers, Windows Volume Shadow Copies, and cloud backup credentials stored on-premises are deleted or corrupted. The attacker’s goal is to ensure that the victim has no recovery path that does not involve paying.
vssadmin delete shadows /all /quiet is among the most reliable indicators of pre-ransomware activity in Windows event logs. Its presence in process creation logs means ransomware deployment is imminent or already underway.
Encryption itself uses hybrid cryptography. A symmetric key (AES-256) encrypts files for speed. The symmetric key is encrypted with an attacker-controlled asymmetric key (RSA-2048 or elliptic curve). The victim’s files are inaccessible without the attacker’s private key. Well-implemented ransomware encryption is mathematically unbreakable without that key.
Detection Windows and Defensive Priorities
The dwell time between initial compromise and encryption averages 9 to 14 days according to incident response data from Mandiant and CrowdStrike. That is the detection window.
The highest-leverage defensive controls in order of impact:
Phishing-resistant MFA eliminates the credential theft vector. Attackers who cannot harvest valid credentials through phishing cannot use pass-the-hash or Kerberoasting at scale.
Endpoint Detection and Response (EDR) on all workstations and servers with behavioral rules for Cobalt Strike beacon patterns, suspicious LSASS access, and shadow copy deletion creates detection opportunities during the lateral movement phase.
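The two EDR signals named above, shadow copy deletion via vssadmin (the indicator the briefing singles out in the exfiltration and backup destruction section) and suspicious LSASS access, as detection logic over process telemetry. This is an added example, not code from the briefing or its author. The field names follow the shape of Sysmon process-creation (EventID 1) and process-access (EventID 10) records, but the events, hostnames, users and paths are constructed for the example, and the allowlist of processes expected to touch LSASS is an assumption to be tuned per environment.

```python
"""Flag shadow copy deletion and suspicious LSASS memory reads in process
telemetry, separating them from benign look-alikes (vssadmin list shadows,
system processes that legitimately open lsass.exe).  Added example; the
records below are constructed and simplified, not real incident data."""
import re

# PROCESS_VM_READ: the access right a credential dumper needs to read LSASS
# memory.  0x1010 (VM_READ | QUERY_LIMITED_INFORMATION) is the mask most
# commonly seen from memory-dumping tools.
PROCESS_VM_READ = 0x0010

# Processes expected to open LSASS on a healthy host.  Assumption for this
# example; a production allowlist is tuned per environment (AV/EDR agents).
LSASS_EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsm.exe",
}

# Constructed sample telemetry in the style of Sysmon JSON output.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "FS01", "User": "CORP\\svc-backup",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    # Benign: an administrator enumerating shadow copies.
    {"EventID": 1, "Host": "FS01", "User": "CORP\\admin",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},
    # Same deletion wrapped in cmd.exe with odd casing and spacing.
    {"EventID": 1, "Host": "WS042", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "CommandLine": 'cmd.exe /c "VSSADMIN  Delete Shadows /For=C: /Quiet"'},
    # A user-writable binary opening lsass.exe with VM_READ.
    {"EventID": 10, "Host": "WS042",
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
    # Expected system process opening lsass.exe: not a finding.
    {"EventID": 10, "Host": "WS042",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1fffff"},
]


def _tokens(command_line):
    """Lowercase tokens of a command line with quotes stripped, so a
    deletion wrapped in cmd.exe /c "..." is seen the same as a bare one."""
    return command_line.lower().replace('"', "").split()


def is_shadow_copy_deletion(event):
    """EventID 1: vssadmin invoked with 'delete shadows', however cased or wrapped."""
    if event.get("EventID") != 1:
        return False
    tokens = _tokens(event.get("CommandLine", ""))
    invokes_vssadmin = any(
        t.rsplit("\\", 1)[-1] in ("vssadmin", "vssadmin.exe") for t in tokens
    )
    return invokes_vssadmin and "delete" in tokens and "shadows" in tokens


def is_suspicious_lsass_access(event):
    """EventID 10: a process outside the allowlist opened lsass.exe with VM_READ."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    source = event.get("SourceImage", "").lower()
    return bool(granted & PROCESS_VM_READ) and source not in LSASS_EXPECTED_SOURCES


def analyze(events):
    """One finding per matching event.  Shadow copy deletion is rated critical
    because, as the briefing states, it means encryption is imminent."""
    findings = []
    for ev in events:
        if is_shadow_copy_deletion(ev):
            findings.append({"host": ev["Host"], "rule": "shadow_copy_deletion",
                             "severity": "critical", "detail": ev["CommandLine"]})
        elif is_suspicious_lsass_access(ev):
            findings.append({"host": ev["Host"], "rule": "lsass_memory_read",
                             "severity": "high", "detail": ev["SourceImage"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['host']}: {f['rule']} -> {f['detail']}")
```

Run against the sample, the two vssadmin deletions and the LSASS read from the Temp-directory binary surface as findings; the enumeration command and the csrss.exe access do not. Matching on normalized tokens rather than the exact string `vssadmin delete shadows /all /quiet` is the point: a rule keyed to one literal misses the same action with different switches or casing, which is why the isolation clock in the briefing's recommendations should start on any vssadmin deletion, not one spelling of it.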
Immutable backups stored offline or in a write-once cloud storage tier (AWS S3 Object Lock, Azure Immutable Blob Storage) with no credentials accessible from on-premises systems survive backup destruction because the attacker cannot reach the credentials needed to delete them.
Network segmentation limits blast radius. A compromised workstation that cannot reach backup servers directly, cannot initiate connections to domain controllers without going through a monitored segment, and cannot reach production databases except through the application tier is a constrained foothold, not a master key.
What This Means For You
- Deploy immutable backups before anything else, because recoverable backups remove the attacker’s leverage entirely, and every other defensive control becomes less critical when you can restore without paying.
- Alert on vssadmin delete shadows in your EDR immediately, because shadow copy deletion is an unambiguous ransomware precursor and its presence gives you hours to isolate affected systems before encryption starts.
- Treat exposed RDP as an emergency, because internet-exposed RDP is consistently in the top two initial access vectors in ransomware incidents and disabling it or putting it behind a VPN with MFA eliminates a massive attack surface.
- Tabletop your ransomware response annually with the people who would actually execute it, because incident response plans that have never been practiced produce paralysis during an actual event, and the time to discover that your backup restoration procedure takes 72 hours is not during an active incident.