Anatomy of a Ransomware Attack in 2026

Dr. Sarah Chen

Threat Intelligence Lead

Ransomware has evolved from simple file encryption into a sophisticated, multi-stage criminal enterprise. Understanding the anatomy of a modern attack is the first step toward building effective defenses.

The Double-Extortion Model

Traditional ransomware encrypted your files and demanded payment for the decryption key. Modern ransomware groups have added a second layer: data exfiltration. Before encrypting, attackers steal sensitive data and threaten to publish it if the ransom isn’t paid.

This means that even organizations with perfect backups face significant risk — the threat isn’t just data loss, it’s data exposure.

Stage 1: Initial Access

The most common entry vectors in 2026 include:

  • Phishing emails with weaponized attachments or links
  • Exploiting unpatched VPN appliances (still the #1 vector for enterprise attacks)
  • Compromised credentials purchased from dark web marketplaces
  • Supply chain attacks through trusted software updates

The time from initial access to ransomware deployment has decreased dramatically. Some groups now move from foothold to full encryption in under four hours.

Stage 2: Lateral Movement

Once inside, attackers use legitimate system administration tools to move through the network. Tools like PowerShell, PsExec, and Remote Desktop Protocol (RDP) allow them to blend in with normal network traffic.

Key objectives during this phase:

  1. Identifying and disabling backup systems
  2. Escalating privileges to domain administrator
  3. Mapping high-value data stores
  4. Establishing persistence mechanisms
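As an added example that is not part of the original article, the following detector runs over constructed Windows-style event records and flags the tools and objectives just listed (PsExec service installs, RDP sessions from unexpected sources, backup services being stopped), then correlates them inside the four-hour window mentioned under Stage 1. The event schema, the permitted RDP source list and the backup service names are assumptions for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample events in a simplified Windows event schema (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2026-03-14T02:11:05", "event_id": 7045, "host": "FS01",
     "service_name": "PSEXESVC", "user": "CORP\\jdoe"},
    {"ts": "2026-03-14T02:13:40", "event_id": 4624, "host": "BACKUP01",
     "logon_type": 10, "src_ip": "10.20.5.77", "user": "CORP\\jdoe"},
    {"ts": "2026-03-14T02:15:02", "event_id": 7036, "host": "BACKUP01",
     "service_name": "VeeamBackupSvc", "state": "stopped"},
    {"ts": "2026-03-13T10:00:00", "event_id": 4624, "host": "WS42",
     "logon_type": 10, "src_ip": "10.20.1.10", "user": "CORP\\helpdesk"},
]
# Assumed (constructed) environment facts: jump hosts allowed to start RDP
# sessions, and the service names that belong to backup infrastructure.
ALLOWED_RDP_SOURCES = {"10.20.1.10"}
BACKUP_SERVICES = {"VeeamBackupSvc", "wbengine"}

Alert = namedtuple("Alert", "ts rule host detail")

def check_event(ev):
    """Map one event to an Alert, or None if it matches no indicator."""
    ts, eid = datetime.fromisoformat(ev["ts"]), ev["event_id"]
    # PsExec installs a temporary service named PSEXESVC on the target host.
    if eid == 7045 and ev.get("service_name", "").upper() == "PSEXESVC":
        return Alert(ts, "psexec_service_install", ev["host"], ev["user"])
    # Logon type 10 is an interactive RDP session; flag unexpected sources.
    if eid == 4624 and ev.get("logon_type") == 10 \
            and ev.get("src_ip") not in ALLOWED_RDP_SOURCES:
        return Alert(ts, "rdp_from_unexpected_source", ev["host"], ev["src_ip"])
    # A backup service stopping is the "disable backups" objective in action.
    if eid == 7036 and ev.get("state") == "stopped" \
            and ev.get("service_name") in BACKUP_SERVICES:
        return Alert(ts, "backup_service_stopped", ev["host"], ev["service_name"])
    return None

def detect(events):
    """Run every event through the rules and return the hits, oldest first."""
    return sorted((a for a in map(check_event, events) if a), key=lambda a: a.ts)

def staging_windows(alerts, window=timedelta(hours=4), min_rules=3):
    """Return (start, rule set) for each alert that opens a window in which at
    least min_rules distinct rules fire; 4h mirrors the dwell times quoted above."""
    hits = []
    for i, first in enumerate(alerts):
        rules = {a.rule for a in alerts[i:] if a.ts - first.ts <= window}
        if len(rules) >= min_rules:
            hits.append((first.ts, rules))
    return hits
```

On the sample data the three off-hours events on 14 March fall into one window and are reported together, while the daytime RDP session from the permitted jump host produces no alert.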

Stage 3: Exfiltration and Encryption

Before triggering the ransomware payload, attackers exfiltrate sensitive data to external servers. This process can take days or weeks, often using legitimate cloud storage services to avoid detection.

The encryption phase is typically launched during off-hours — weekends or holidays — when security teams are understaffed.

Why Backups Fail

Many organizations discover too late that their backup strategy has critical gaps:

  • Online backups connected to the network are encrypted alongside production data
  • Backup retention periods too short to recover from attacks that went undetected for weeks
  • Untested restoration procedures that fail under the pressure of a real incident
  • Backup credentials stored in Active Directory, which the attacker already controls

Building Resilient Defenses

Effective ransomware defense requires a layered approach:

  • Implement the 3-2-1 backup rule: three copies, two different media types, one offsite
  • Maintain air-gapped backups that are physically disconnected from the network
  • Test your restoration procedures quarterly
  • Deploy endpoint detection and response (EDR) tools
  • Segment your network to limit lateral movement

The reality is that preventing 100% of attacks is impossible. The goal is to make your organization resilient enough to recover quickly and minimize the impact when — not if — an attack occurs.