💣 Ransomware Tradecraft Explained: How Modern Attacks Work

By James K. Bishop, vCISO | Founder, Stage Four Security

🔍 The Modern Ransomware Threat Model

Ransomware isn’t just a smash-and-grab anymore—it’s a full-scale intrusion with reconnaissance, privilege escalation, data theft, and extortion. Today’s ransomware actors are organized, patient, and skilled at exploiting weak identity systems and unmonitored infrastructure.

This post breaks down the end-to-end tactics used in modern ransomware campaigns—so you can defend against them at every stage.

🧭 Stage 1: Initial Access

Attackers commonly get in through:

  • Phishing: Malicious attachments, fake MFA prompts, or credential harvesting sites
  • Remote Desktop Protocol (RDP): Exposed to the internet or accessed via stolen credentials
  • Exploited vulnerabilities: VPN appliances, web apps, unpatched services (e.g., ProxyShell, Log4Shell)
  • Supply chain: Compromised third-party software or vendors (e.g., Kaseya, SolarWinds)

Ransomware groups often purchase access from initial access brokers (IABs) who specialize in footholds.

🛠️ Stage 2: Reconnaissance and Credential Theft

Once inside, attackers map your environment and steal credentials:

  • Scan for domain controllers, file shares, and backup infrastructure
  • Run built-in tools such as netstat, nltest, PowerShell, and whoami to fingerprint the host, its domain trusts, and the current user's context
  • Dump credentials from memory (e.g., LSASS) or steal cached tokens (e.g., from browsers or cloud agents)

Tools: Mimikatz, LaZagne, AdFind, BloodHound, SharpHound

🔓 Stage 3: Lateral Movement and Privilege Escalation

Next, attackers move laterally and escalate privileges to domain admin or cloud admin:

  • RDP hopping or pass-the-hash with stolen credentials
  • Exploiting unpatched local privilege escalation (LPE) flaws
  • Compromising identity infrastructure (Active Directory, Okta, Entra ID)

Persistence is often set via GPO changes, scheduled tasks, or startup scripts.

📤 Stage 4: Exfiltration and Extortion Setup

Before encryption, attackers now exfiltrate sensitive data to increase pressure:

  • Target HR, finance, legal, and customer data
  • Upload via FTP, SFTP, or cloud storage (e.g., Mega, OneDrive)
  • Stage files in compressed, obfuscated formats to evade DLP

This enables double extortion: pay, or your data goes public.

💥 Stage 5: Encryption and Ransom Note Delivery

The final act: encryption of systems and data, often launched from multiple systems in parallel to cause maximum impact.

  • Mass execution via GPO, PsExec, or RMM tools
  • Target backup systems, hypervisors, and file servers first
  • Wipe logs, shadow copies, or snapshots with secure-delete tools to hinder recovery and forensics

Most groups use custom ransomware variants or rebranded lockers (e.g., LockBit, BlackCat, Clop).

🧠 Common Themes in Real Incidents

  • Weeks of dwell time before detonation—attackers explore slowly
  • Credential abuse more than malware—ransomware is often the final payload
  • Missed detections: initial access or credential dumping not alerted on
  • Cloud & SaaS targets: O365, SharePoint, cloud backups, and identity providers

Attackers go where your critical data and weakest monitoring overlap.
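Stage 2 and the "missed detections" theme above both come back to the same control: alerting when something other than a known-good process opens LSASS memory. The following detector is an added example, not code from this post or from Stage Four Security. It runs over constructed Sysmon Event ID 10 (ProcessAccess) records, and the allowlist of source images and the access-mask bits it treats as dump-capable are assumptions you would tune for your own environment.

```python
"""Flag suspicious LSASS handle opens in Sysmon Event ID 10 (ProcessAccess) records."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Win32 process access rights that a memory dump needs; query-only handles
# (e.g. 0x1000 PROCESS_QUERY_LIMITED_INFORMATION) are common and benign.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
DUMP_BITS = PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE

# Processes that legitimately open LSASS on this (hypothetical) estate; tune per environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

@dataclass
class Alert:
    source: str
    granted: int
    reason: str

def check_event(event: dict) -> Optional[Alert]:
    """Return an Alert when a non-allowlisted process opens lsass.exe with dump-capable rights."""
    if event.get("EventID") != 10:
        return None
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    source = event["SourceImage"].lower()
    granted = int(event["GrantedAccess"], 16)  # Sysmon logs the mask as a hex string
    if source in ALLOWED_SOURCES or granted & DUMP_BITS == 0:
        return None
    reason = "full access (0x1FFFFF)" if granted == 0x1FFFFF else "memory read/write or handle-dup bits set"
    return Alert(source=source, granted=granted, reason=reason)

def scan(events: Iterable[dict]) -> List[Alert]:
    return [alert for alert in map(check_event, events) if alert is not None]

# Constructed sample telemetry (not real events): one benign query, two suspicious opens, one unrelated event.
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\svc.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "SourceImage": r"C:\Windows\System32\cmd.exe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT {alert.source} opened LSASS with 0x{alert.granted:X}: {alert.reason}")
```

In production the same logic belongs in your SIEM rule, with the allowlist keyed on signed, full-path images rather than names alone so a renamed dumper in a user-writable directory cannot slip through.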

📣 Final Thought

To defend against ransomware, you have to understand the playbook. From phishing to privilege escalation to exfiltration and encryption, these campaigns are planned, deliberate, and increasingly professional. Detection and prevention must start early—long before the ransom note appears.

Need help mapping ransomware risks to your environment or assessing gaps in early detection? Let’s talk.