Skip to content

Ransomware: How Modern Attacks Actually Work

Ransomware is no longer just encryption. Here is how modern attacks unfold, why backups are not enough, and where penetration testing breaks the kill chain.

Invadel TeamJanuary 31, 20264 min read

Ransomware has changed. The mental model most executives still carry, files get encrypted, you pay for the key, you move on, describes attacks from a decade ago. Modern ransomware is a full intrusion campaign that happens to end in encryption, and understanding how it really unfolds is the difference between defending the whole attack and defending only the last step.

The modern ransomware kill chain

A typical enterprise ransomware event is not a single moment. It is a campaign that plays out over days or weeks:

  1. Initial access. Attackers get in through a phished credential, an exposed remote service, an unpatched internet-facing vulnerability, or a purchased foothold from an access broker. Rarely is it an exotic zero-day. It is usually something an assessment would have flagged.
  2. Establishing persistence. They install backdoors and create accounts so that closing the original hole does not evict them.
  3. Privilege escalation and lateral movement. This is the quiet, dangerous middle. Attackers harvest credentials, move host to host, and work toward domain administrator or its cloud equivalent. Most dwell time lives here, and most of it goes undetected.
  4. Exfiltration. Before encrypting anything, modern groups steal your data. This enables the second extortion lever and increasingly the primary one.
  5. Deployment. Only at the end do they push the ransomware across the estate, often disabling backups and security tooling first, and time it for a weekend or holiday.

The insight that should reshape your defenses: encryption is the last thing that happens. By the time files lock, the attacker has been inside for a while. Every earlier stage was an opportunity to detect and stop them.

Why backups are necessary but not sufficient

Reliable, tested, offline backups remain essential. They are your answer to the encryption. But they are no answer at all to the exfiltration.

This is double extortion: pay to decrypt your files, and pay to stop us publishing the data we already took. Solid backups solve the first demand and do nothing for the second. Some groups have dropped encryption entirely and simply steal and extort. If your entire ransomware strategy is “we have backups,” you are prepared for one half of a modern attack.

Where testing breaks the chain

Because ransomware follows a predictable path, proactive testing maps directly onto it:

  • External network penetration testing finds the exposed services, weak credentials, and unpatched systems that provide initial access, the first link in the chain.
  • Internal penetration testing simulates the attacker who is already inside and tries to escalate and move laterally. This is the single most valuable exercise for ransomware resilience, because it targets the long, quiet middle where real attacks are won or lost.
  • Phishing and social engineering assessments test the human entry point that begins a large share of intrusions.
  • Segmentation testing proves whether a foothold in one area can actually reach your critical systems, or whether your network limits the blast radius.

Testing does not just produce findings. It answers the question that matters to leadership: if an attacker got in tomorrow, how far could they get before hitting a wall, and would we see them coming?

Building real resilience

A defensible ransomware posture combines several layers:

  • Reduce initial access: patch internet-facing systems promptly, enforce multi-factor authentication everywhere, and eliminate exposed remote services.
  • Detect the middle: monitor for the lateral movement and credential abuse that precede deployment, so you catch the attack during dwell time rather than at encryption.
  • Contain the blast radius: segment networks and enforce least privilege so one compromised host is not a path to everything.
  • Prepare to recover: maintain tested, offline, immutable backups, and rehearse the recovery.
  • Prepare to respond: have an incident response plan that assumes data was stolen, not just encrypted.

The takeaway

Ransomware is an intrusion first and an encryption event last. Defending only against the encryption, the part everyone pictures, leaves the entire earlier campaign unaddressed. The organizations that weather ransomware best are the ones that hunt for attackers during the quiet middle and prove, through regular testing, that their defenses actually hold. If you want to know how a real intrusion would play out in your environment, scope an internal test that simulates exactly that.

Written by

Invadel Team

Senior penetration testers writing from real engagements — the same team that scopes, tests, and reports for our clients. About Invadel →

All articlesRansomware

Find out what an attacker sees.

Tell us what to test and see your fixed price.

Prefer the full scoping questionnaire?
Start the conversation