{"id":1189,"date":"2025-05-13T01:30:52","date_gmt":"2025-05-13T06:30:52","guid":{"rendered":"https:\/\/stagefoursecurity.com\/blog\/?p=1189"},"modified":"2025-05-13T01:30:52","modified_gmt":"2025-05-13T06:30:52","slug":"ransomware-tradecraft-explained","status":"publish","type":"post","link":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/","title":{"rendered":"Ransomware Tradecraft Explained"},"content":{"rendered":"<article>\n<header>\n<h1>\ud83d\udca3 Ransomware Tradecraft Explained: How Modern Attacks Work<\/h1>\n<p><em>By James K. Bishop, vCISO | Founder, <a href=\"https:\/\/stagefoursecurity.com\" target=\"_blank\" rel=\"noopener\">Stage Four Security<\/a><\/em><\/p>\n<\/header>\n<section>\n<h2>\ud83d\udd0d The Modern Ransomware Threat Model<\/h2>\n<p><a href=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1.png\"><img fetchpriority=\"high\" decoding=\"async\" class=\"alignright wp-image-1210\" src=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1-300x200.png\" alt=\"\" width=\"400\" height=\"267\" srcset=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1-300x200.png 300w, https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1-1024x683.png 1024w, https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1-768x512.png 768w, https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1.png 1536w\" sizes=\"(max-width: 400px) 100vw, 400px\" \/><\/a>Ransomware isn\u2019t just a smash-and-grab anymore\u2014it\u2019s a full-scale intrusion with reconnaissance, privilege escalation, data theft, and extortion. Today&#8217;s ransomware actors are organized, patient, and skilled at exploiting weak identity systems and unmonitored infrastructure.<\/p>\n<p>This post breaks down the end-to-end tactics used in modern ransomware campaigns\u2014so you can defend against them at every stage.<\/p>\n<\/section>\n<section>\n<h2>\ud83e\udded Stage 1: Initial Access<\/h2>\n<p>Attackers commonly get in through:<\/p>\n<ul>\n<li><strong>Phishing:<\/strong> Malicious attachments, fake MFA prompts, or credential harvesting sites<\/li>\n<li><strong>Remote Desktop Protocol (RDP):<\/strong> Exposed to the internet or accessed via stolen credentials<\/li>\n<li><strong>Exploited vulnerabilities:<\/strong> VPN appliances, web apps, unpatched services (e.g., ProxyShell, Log4Shell)<\/li>\n<li><strong>Supply chain:<\/strong> Compromised third-party software or vendors (e.g., Kaseya, SolarWinds)<\/li>\n<\/ul>\n<p>Ransomware groups often purchase access from initial access brokers (IABs) who specialize in footholds.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udee0\ufe0f Stage 2: Reconnaissance and Credential Theft<\/h2>\n<p>Once inside, attackers map your environment and steal credentials:<\/p>\n<ul>\n<li>Scan for domain controllers, file shares, and backup infrastructure<\/li>\n<li>Use <code>netstat<\/code>, <code>nltest<\/code>, <code>powershell<\/code>, <code>whoami<\/code> to fingerprint the network<\/li>\n<li>Dump credentials from memory (e.g., LSASS) or steal cached tokens (e.g., from browsers or cloud agents)<\/li>\n<\/ul>\n<p>Tools: Mimikatz, LaZagne, AdFind, BloodHound, SharpHound<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udd13 Stage 3: Lateral Movement and Privilege Escalation<\/h2>\n<p>Next, attackers move laterally and escalate privileges to domain admin or cloud admin:<\/p>\n<ul>\n<li>RDP hopping or pass-the-hash with stolen credentials<\/li>\n<li>Exploiting unpatched local privilege escalation (LPE) flaws<\/li>\n<li>Compromising identity infrastructure (Active Directory, Okta, Entra ID)<\/li>\n<\/ul>\n<p>Persistence is often set via GPO changes, scheduled tasks, or startup scripts.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udce4 Stage 4: Exfiltration and Extortion Setup<\/h2>\n<p>Before encryption, attackers now exfiltrate sensitive data to increase pressure:<\/p>\n<ul>\n<li>Target HR, finance, legal, and customer data<\/li>\n<li>Upload via FTP, SFTP, or cloud storage (e.g., Mega, OneDrive)<\/li>\n<li>Stage files in compressed, obfuscated formats to evade DLP<\/li>\n<\/ul>\n<p>This enables <strong>double extortion:<\/strong> pay, or your data goes public.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udca5 Stage 5: Encryption and Ransom Note Delivery<\/h2>\n<p>The final act: encryption of systems and data, often launched from multiple systems in parallel to cause maximum impact.<\/p>\n<ul>\n<li>Mass execution via GPO, PsExec, or RMM tools<\/li>\n<li>Target backup systems, hypervisors, and file servers first<\/li>\n<li>Use of secure-delete tools to wipe logs or snapshots<\/li>\n<\/ul>\n<p>Most groups use custom ransomware variants or rebranded lockers (e.g., LockBit, BlackCat, Clop).<\/p>\n<\/section>\n<section>\n<h2>\ud83e\udde0 Common Themes in Real Incidents<\/h2>\n<ul>\n<li><strong>Weeks of dwell time<\/strong> before detonation\u2014attackers explore slowly<\/li>\n<li><strong>Credential abuse<\/strong> more than malware\u2014ransomware is often the final payload<\/li>\n<li><strong>Missed detections:<\/strong> initial access or credential dumping not alerted on<\/li>\n<li><strong>Cloud &amp; SaaS targets:<\/strong> O365, SharePoint, cloud backups, and identity providers<\/li>\n<\/ul>\n<p>Attackers go where your critical data and weakest monitoring overlap.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udce3 Final Thought<\/h2>\n<p>To defend against ransomware, you have to understand the playbook. From phishing to privilege escalation to exfiltration and encryption, these campaigns are planned, deliberate, and increasingly professional. Detection and prevention must start early\u2014long before the ransom note appears.<\/p>\n<p><strong>Need help mapping ransomware risks to your environment or assessing gaps in early detection?<\/strong> <a href=\"https:\/\/stagefoursecurity.com\/blog\/partner-with-stage-four-security\/\" target=\"_blank\" rel=\"noopener\">Let\u2019s talk<\/a>.<\/p>\n<\/section>\n<\/article>\n","protected":false},"excerpt":{"rendered":"<p>\ud83d\udca3 Ransomware Tradecraft Explained: How Modern Attacks Work By James K. Bishop, vCISO | Founder, Stage Four Security \ud83d\udd0d The [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"default","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[20],"tags":[],"class_list":["post-1189","post","type-post","status-publish","format-standard","hentry","category-ransomware-defense"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Ransomware Tradecraft Explained - Stage Four Security Blog<\/title>\n<meta name=\"description\" content=\"Understand how modern ransomware operates\u2014from phishing and credential theft to encryption, exfiltration, and double extortion tactics.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ransomware Tradecraft Explained - Stage Four Security Blog\" \/>\n<meta property=\"og:description\" content=\"Understand how modern ransomware operates\u2014from phishing and credential theft to encryption, exfiltration, and double extortion tactics.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/\" \/>\n<meta property=\"og:site_name\" content=\"Stage Four Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-13T06:30:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1536\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"stagefoursec\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"stagefoursec\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/\"},\"author\":{\"name\":\"stagefoursec\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/person\/9224811ebe1947fee603931e220ecfde\"},\"headline\":\"Ransomware Tradecraft Explained\",\"datePublished\":\"2025-05-13T06:30:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/\"},\"wordCount\":485,\"publisher\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1-300x200.png\",\"articleSection\":[\"Ransomware Defense\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/\",\"url\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/\",\"name\":\"Ransomware Tradecraft Explained - Stage Four Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1-300x200.png\",\"datePublished\":\"2025-05-13T06:30:52+00:00\",\"description\":\"Understand how modern ransomware operates\u2014from phishing and credential theft to encryption, exfiltration, and double extortion tactics.\",\"breadcrumb\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/#primaryimage\",\"url\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1.png\",\"contentUrl\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1.png\",\"width\":1536,\"height\":1024},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/stagefoursecurity.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Ransomware Tradecraft Explained\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#website\",\"url\":\"https:\/\/stagefoursecurity.com\/blog\/\",\"name\":\"Stage Four Security Blog\",\"description\":\"Protecting today, fortifying tomorrow\",\"publisher\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/stagefoursecurity.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#organization\",\"name\":\"Stage Four Security Blog\",\"url\":\"https:\/\/stagefoursecurity.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/02\/cropped-Stage-Four-Security-Blog-Logo-1000x150-1.png\",\"contentUrl\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/02\/cropped-Stage-Four-Security-Blog-Logo-1000x150-1.png\",\"width\":1000,\"height\":150,\"caption\":\"Stage Four Security Blog\"},\"image\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/person\/9224811ebe1947fee603931e220ecfde\",\"name\":\"stagefoursec\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/fdb94f17254222fa9c8b7db050a58a5fa4fb24ae32e20e7e1974b87b01a751d4?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/fdb94f17254222fa9c8b7db050a58a5fa4fb24ae32e20e7e1974b87b01a751d4?s=96&d=mm&r=g\",\"caption\":\"stagefoursec\"},\"sameAs\":[\"https:\/\/stagefoursecurity.com\/blog\"],\"url\":\"https:\/\/stagefoursecurity.com\/blog\/author\/admin_w171pcka\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Ransomware Tradecraft Explained - Stage Four Security Blog","description":"Understand how modern ransomware operates\u2014from phishing and credential theft to encryption, exfiltration, and double extortion tactics.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/","og_locale":"en_US","og_type":"article","og_title":"Ransomware Tradecraft Explained - Stage Four Security Blog","og_description":"Understand how modern ransomware operates\u2014from phishing and credential theft to encryption, exfiltration, and double extortion tactics.","og_url":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/","og_site_name":"Stage Four Security Blog","article_published_time":"2025-05-13T06:30:52+00:00","og_image":[{"width":1536,"height":1024,"url":"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1.png","type":"image\/png"}],"author":"stagefoursec","twitter_card":"summary_large_image","twitter_image":"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1.png","twitter_misc":{"Written by":"stagefoursec","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/#article","isPartOf":{"@id":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/"},"author":{"name":"stagefoursec","@id":"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/person\/9224811ebe1947fee603931e220ecfde"},"headline":"Ransomware Tradecraft Explained","datePublished":"2025-05-13T06:30:52+00:00","mainEntityOfPage":{"@id":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/"},"wordCount":485,"publisher":{"@id":"https:\/\/stagefoursecurity.com\/blog\/#organization"},"image":{"@id":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/#primaryimage"},"thumbnailUrl":"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1-300x200.png","articleSection":["Ransomware Defense"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/","url":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/","name":"Ransomware Tradecraft Explained - Stage Four Security Blog","isPartOf":{"@id":"https:\/\/stagefoursecurity.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/#primaryimage"},"image":{"@id":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/#primaryimage"},"thumbnailUrl":"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1-300x200.png","datePublished":"2025-05-13T06:30:52+00:00","description":"Understand how modern ransomware operates\u2014from phishing and credential theft to encryption, exfiltration, and double extortion tactics.","breadcrumb":{"@id":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/#primaryimage","url":"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1.png","contentUrl":"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Ransomware-Post-1.png","width":1536,"height":1024},{"@type":"BreadcrumbList","@id":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/13\/ransomware-tradecraft-explained\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/stagefoursecurity.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Ransomware Tradecraft Explained"}]},{"@type":"WebSite","@id":"https:\/\/stagefoursecurity.com\/blog\/#website","url":"https:\/\/stagefoursecurity.com\/blog\/","name":"Stage Four Security Blog","description":"Protecting today, fortifying tomorrow","publisher":{"@id":"https:\/\/stagefoursecurity.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/stagefoursecurity.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/stagefoursecurity.com\/blog\/#organization","name":"Stage Four Security Blog","url":"https:\/\/stagefoursecurity.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/02\/cropped-Stage-Four-Security-Blog-Logo-1000x150-1.png","contentUrl":"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/02\/cropped-Stage-Four-Security-Blog-Logo-1000x150-1.png","width":1000,"height":150,"caption":"Stage Four Security Blog"},"image":{"@id":"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/person\/9224811ebe1947fee603931e220ecfde","name":"stagefoursec","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/fdb94f17254222fa9c8b7db050a58a5fa4fb24ae32e20e7e1974b87b01a751d4?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fdb94f17254222fa9c8b7db050a58a5fa4fb24ae32e20e7e1974b87b01a751d4?s=96&d=mm&r=g","caption":"stagefoursec"},"sameAs":["https:\/\/stagefoursecurity.com\/blog"],"url":"https:\/\/stagefoursecurity.com\/blog\/author\/admin_w171pcka\/"}]}},"_links":{"self":[{"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/posts\/1189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/comments?post=1189"}],"version-history":[{"count":3,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/posts\/1189\/revisions"}],"predecessor-version":[{"id":1217,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/posts\/1189\/revisions\/1217"}],"wp:attachment":[{"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/media?parent=1189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/categories?post=1189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/tags?post=1189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}