How Does Ransomware Work? The Attack Chain

Modern ransomware is not a single moment when files lock up. It is the last step of a planned operation that often runs for days or weeks before anyone sees a ransom note. Understanding that chain, from the first foothold to the final extortion, is what lets you break it before encryption ever happens.

Tags: MITRE ATT&CK, attack chain, 6 stages, double extortion. 4 min read. Updated Jun 2026.

The encryption you fear is the easy part for the attacker. The dangerous work happens quietly, long before.

01. The attack chain, stage by stage

  1. Initial access. Attackers get in through phishing, exposed or poorly secured RDP and VPNs, or unpatched vulnerabilities in internet-facing devices. Initial access brokers often sell this foothold to ransomware affiliates.
  2. Execution and persistence. Rather than custom malware, attackers often live off the land, hijacking built-in tools like PowerShell and WMI to blend in. They add scheduled tasks and registry changes so their access survives a reboot.
  3. Privilege escalation. Attackers aim for domain administrator rights, targeting Active Directory. They use credential dumping (such as from LSASS memory), pass-the-hash, and Kerberoasting to get the keys to the kingdom.
  4. Lateral movement. With admin credentials, attackers move across the network to find high-value data and the backup infrastructure, abusing legitimate protocols like SMB and RDP and tools like PsExec and WinRM.
  5. Defense evasion and exfiltration. Before going loud, they disable EDR, clear logs, and delete shadow copies and backups. They archive sensitive data and exfiltrate it to attacker-controlled storage using tools like rclone.
  6. Encryption and impact. The payload is deployed across the network, often via PsExec or Group Policy. Strong cryptography locks files, ransom notes are dropped, and business operations halt.

These operations map closely to the Cyber Kill Chain and MITRE ATT&CK. Each stage sets up the next, and each stage is also a chance to detect and stop the attack.
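One way to turn those per-stage detection chances into something a SOC can run, as an added example that is not part of the original article: a small Python triage script that maps process-creation events to the stage of the chain above and the MITRE ATT&CK technique they indicate (shadow-copy deletion, rclone exfiltration, hidden PowerShell from a mail client, PsExec service execution). The hostnames, parent processes and command lines are constructed samples, and the four rules are illustrative, not a complete detection set.

```python
import re
# Each rule: (stage from the list above, ATT&CK technique id, command-line regex, parent regex or None)
RULES = [
    # Execution: hidden or encoded PowerShell spawned by a mail/Office client.
    ("Execution and persistence", "T1059.001",
     re.compile(r"powershell(\.exe)?\b.*(-w(indowstyle)? hidden|-enc)", re.I),
     re.compile(r"(outlook|winword|excel)\.exe", re.I)),
    # Defense evasion: shadow copies deleted ahead of encryption.
    ("Defense evasion and exfiltration", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), None),
    # Exfiltration: rclone pushing data to remote storage.
    ("Defense evasion and exfiltration", "T1567.002",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I), None),
    # Impact: the PsExec service binary appearing on a host.
    ("Encryption and impact", "T1569.002",
     re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I), None),
]

# Constructed process-creation events (hypothetical hosts and command lines).
SAMPLE_EVENTS = [
    {"host": "ws-017", "parent": "outlook.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc PLACEHOLDER"},
    {"host": "dc-01", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs-02", "parent": "cmd.exe",
     "cmdline": "rclone.exe copy D:\\Finance remote:bucket --transfers 16"},
    {"host": "ws-021", "parent": "explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},
    {"host": "dc-01", "parent": "services.exe", "cmdline": "PSEXESVC.exe"},
]

def match_rules(event):
    """Return (stage, technique) pairs whose rule fires on a single event."""
    hits = []
    for stage, technique, pattern, parent in RULES:
        if not pattern.search(event["cmdline"]):
            continue
        if parent is not None and not parent.search(event["parent"]):
            continue  # parent condition filters out routine admin PowerShell
        hits.append((stage, technique))
    return hits

def triage(events):
    """Group hits by stage so a responder sees how far the chain has progressed."""
    by_stage = {}
    for ev in events:
        for stage, technique in match_rules(ev):
            by_stage.setdefault(stage, []).append((ev["host"], technique))
    return by_stage
```

Hits in the later stages (shadow-copy deletion, rclone, PsExec) mean the attacker is already past initial access and should be treated as an active incident, not a single alert.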

02. The shift to extortion

Extortion models and how each pressures the victim:
  • Double extortion. Even if you can restore from backups, attackers threaten to publish the data they stole on a dark web leak site unless you pay.
  • Triple extortion. Adds a third lever: DDoS attacks, harassment of your customers and partners, or threats to report the breach to regulators.
  • Encryption-less extortion. Some groups skip encryption entirely and extort the victim purely on the threat of leaking stolen data.

For years, good backups were the answer to ransomware: restore and move on. Attackers adapted. Now they steal your data before they encrypt it, so paying becomes about silence, not just decryption.

This is why modern ransomware operators behave like extortion businesses, stacking several forms of pressure at once.

Insight: By the time files encrypt, the attacker has usually been inside for days, has already stolen your data, and has deleted your backups. The fight is won or lost in the quiet stages, not at the ransom note.

Key takeaways
  • Ransomware is the final stage of a longer intrusion, not a single event.
  • Common entry points are phishing, exposed RDP and VPNs, and unpatched internet-facing systems.
  • Attackers escalate to domain admin, move laterally, and delete backups before encrypting.
  • Data is stolen first, so double extortion works even against good backups.
  • Every stage is a chance to detect and break the chain before encryption.

Frequently asked questions

How does ransomware get into a network?

Most commonly through phishing, exposed or weakly secured RDP and VPNs, or unpatched vulnerabilities in internet-facing devices. Specialized initial access brokers also sell footholds to ransomware affiliates.

Why do attackers steal data before encrypting it?

For leverage. Even if you can recover from backups, attackers threaten to publish the stolen data unless you pay. This is called double extortion.

What is living off the land?

Using legitimate built-in tools like PowerShell and WMI instead of custom malware, so the activity blends in with normal administration and is harder to detect.

Why do attackers target Active Directory?

Compromising Active Directory and gaining domain administrator rights gives attackers control across the environment, letting them disable defenses and deploy ransomware everywhere at once.

Written and reviewed by Tech Jacks Solutions Security Practice. Incident response and threat research practitioners.
Primary source: Cyber Kill Chain and MITRE ATT&CK ransomware lifecycle. Last reviewed June 2026.

Author

Tech Jacks Solutions