The Anatomy of a Ransomware Attack: What Really Happens After That One Click

A ransomware attack doesn't start with encrypted files. Discover the full anatomy of an attack — from the initial phishing email to the ransom demand — and why every phase is an opportunity to intervene.

Nexus-7 Security Team
· February 14, 2026 09:30 · 5 min read

It Doesn't Start With Encrypted Files

When we think of ransomware, we picture the end result: inaccessible files, a threatening screen demanding payment in Bitcoin, and panic across the office floor. But a ransomware attack is not a single moment — it is a carefully orchestrated process that often takes weeks or even months before the actual encryption occurs.

Understanding how this process works is the first step towards effective prevention. Because at every phase, there are signals you can detect and measures you can take.

Phase 1: Initial Access — That One Click

It usually starts with a person. In 82% of ransomware attacks, initial access results from a human action: clicking a link in a phishing email, opening a malicious attachment, or entering credentials on a spoofed website. The rest need no click at all: internet-exposed Remote Desktop, an unpatched VPN appliance, or a working credential bought from an initial access broker.

Modern phishing campaigns are nearly indistinguishable from legitimate communications. Attackers spend weeks researching your organisation, your suppliers, and even individual employees. They know when your CFO is on holiday and send the finance department an 'urgent' request that appears to come from their email address.

The signal: Unusual login attempts (new device, new country, impossible travel), abnormal mailbox activity such as newly created inbox rules or forwarding, and employee reports of suspicious messages.

Phase 2: Establishing Persistence

After initial access, the attacker installs backdoors and ensures access is maintained even if the original account is blocked or the original malware is removed. Typical mechanisms are scheduled tasks, newly installed services, registry Run keys, and a second channel of their own, such as a remote-access tool (AnyDesk, Atera and the like) or a freshly created VPN account.

At this phase, the attack can still be stopped relatively easily, if you have the right monitoring in place. But most organisations notice nothing.

The signal: Unexplained scheduled tasks, new services, remote-access tools nobody installed, unusual network traffic to unknown IP addresses.
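As an added example (not code from the Nexus-7 article), the following Python triages Windows event records for the persistence signals listed above: scheduled tasks (Security event 4698), newly installed services (System event 7045) and autorun Run-key writes (Sysmon event 13). It also flags the PSEXESVC service that PsExec installs, which belongs to the next phase. The event records, host names, account names and paths are constructed for the example, and the rules are deliberately simple: a task or service whose binary lives in a user-writable directory, or whose action is a script host, is worth a look.

```python
"""Persistence triage over Windows event records (constructed sample data)."""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    source: str            # event log channel: "Security", "System" or "Sysmon"
    event_id: int
    host: str
    user: str
    fields: dict = field(default_factory=dict)


# Directories an installer rarely uses for a service binary or a task action,
# but that an ordinary user (or malware running as one) can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Tmp|ProgramData|Public|Downloads)\\", re.IGNORECASE)
# Script hosts and living-off-the-land binaries often used to relaunch a payload.
LOLBIN = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b",
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)


def _reason(action: str):
    """Why an executed command looks like persistence, or None if it looks benign."""
    if USER_WRITABLE.search(action):
        return "action runs from a user-writable directory"
    if LOLBIN.search(action):
        return "action is a script interpreter or LOLBin"
    return None


def persistence_findings(events):
    """Return (host, mechanism, name, reason) for each event that looks like persistence."""
    findings = []
    for ev in events:
        if ev.source == "Security" and ev.event_id == 4698:        # scheduled task created
            why = _reason(ev.fields.get("TaskContent", ""))         # TaskContent is the task XML
            if why:
                findings.append((ev.host, "scheduled_task", ev.fields.get("TaskName", ""), why))
        elif ev.source == "System" and ev.event_id == 7045:         # new service installed
            name = ev.fields.get("ServiceName", "")
            if name.upper().startswith(("PSEXESVC", "PAEXEC")):     # PsExec / PAExec remote execution
                findings.append((ev.host, "service", name, "remote-execution service installed"))
            else:
                why = _reason(ev.fields.get("ImagePath", ""))
                if why:
                    findings.append((ev.host, "service", name, why))
        elif ev.source == "Sysmon" and ev.event_id == 13:           # registry value set
            key = ev.fields.get("TargetObject", "")
            if RUN_KEY.search(key):
                why = _reason(ev.fields.get("Details", "")) or "autorun value written"
                findings.append((ev.host, "run_key", key, why))
    return findings


# Constructed sample: hosts, users, SID and paths are invented for this example.
SAMPLE_EVENTS = [
    Event("Security", 4698, "WS-042", r"CORP\j.doe", {
        "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Sync",
        "TaskContent": r"<Exec><Command>C:\Users\j.doe\AppData\Roaming\OneDriveSync\sync.exe</Command></Exec>"}),
    Event("Security", 4698, "WS-042", r"NT AUTHORITY\SYSTEM", {      # benign built-in task
        "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
        "TaskContent": r"<Exec><Command>%windir%\system32\defrag.exe</Command></Exec>"}),
    Event("System", 7045, "FS-01", r"CORP\j.doe", {
        "ServiceName": "WinSvcHost", "ImagePath": r"C:\ProgramData\wsh\wsh.exe"}),
    Event("System", 7045, "FS-01", r"CORP\svc-backup", {
        "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    Event("System", 7045, "WS-042", r"NT AUTHORITY\SYSTEM", {        # benign: EDR sensor install
        "ServiceName": "Sense",
        "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"}),
    Event("Sysmon", 13, "WS-042", r"CORP\j.doe", {
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"wscript.exe //B C:\Users\Public\Libraries\up.vbs"}),
]

if __name__ == "__main__":
    for host, mechanism, name, why in persistence_findings(SAMPLE_EVENTS):
        print(f"{host:8} {mechanism:15} {name}: {why}")
```

Two of the six sample events are benign (a built-in defrag task and an EDR sensor service) and are not reported; the four findings are the AppData task, the ProgramData service, the PsExec service and the Run-key entry. In production, feed the same logic from a SIEM query rather than an in-memory list, and keep an allow-list for software your own deployment tooling legitimately drops in ProgramData.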

Phase 3: Privilege Escalation — From User to Admin

A compromised employee account has limited permissions. The attacker needs more. Through unpatched vulnerabilities, credentials dumped from memory or relayed on the network, Kerberos abuse such as Kerberoasting, or Active Directory misconfigurations, the attacker works up to domain administrator.

This is the tipping point. With admin rights, the attacker essentially has unlimited access to your entire infrastructure.

The signal: Unusual account activity, use of tools like Mimikatz or PsExec (or any unexpected process reading LSASS memory), new members in privileged groups, changes to group policy.

Phase 4: Lateral Movement — Through the Network

With elevated privileges, the attacker moves laterally through the network. From server to server, from segment to segment. The goal: mapping all critical systems and gaining access to as much data as possible.

During this phase, backup systems are also identified and prepared for sabotage. A smart attacker only encrypts after backups have been rendered unusable.

The signal: Unusual RDP sessions, one account logging on to many hosts in a short time, access to systems the account doesn't normally touch, large volumes of internal data transfers.
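The "one account, many hosts" signal above is easy to express over Security event 4624 logon records. This is an added example, not code from the article: it assumes a per-account baseline of hosts reached in the previous 30 days, counts only RDP (logon type 10) and network (type 3) logons to hosts outside that baseline, and raises one alert when an account reaches three or more new hosts inside a 15-minute window. The logon records, accounts, addresses and baseline are constructed.

```python
"""Lateral-movement fan-out detection over 4624-style logon records (constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP, NETWORK = 10, 3   # Windows logon types from Security event 4624


def lateral_movement_alerts(logons, baseline, window=timedelta(minutes=15), min_new_hosts=3):
    """Alert when an account reaches >= min_new_hosts hosts outside its baseline within `window`.

    logons:   dicts with ts (datetime), account, src_ip, host, logon_type
    baseline: account -> set of hosts the account normally logs on to
    """
    novel = defaultdict(list)                       # per account, logons to hosts it never touched
    for ev in sorted(logons, key=lambda e: e["ts"]):
        if ev["logon_type"] not in (RDP, NETWORK):
            continue                                # console logons are not lateral movement
        if ev["host"] in baseline.get(ev["account"], ()):
            continue
        novel[ev["account"]].append(ev)

    alerts = []
    for account, evs in novel.items():
        start = 0
        for end, ev in enumerate(evs):              # sliding window over this account's novel logons
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            hosts = {e["host"] for e in span}
            if len(hosts) >= min_new_hosts:
                alerts.append({
                    "account": account,
                    "from": sorted({e["src_ip"] for e in span}),
                    "hosts": sorted(hosts),
                    "first": span[0]["ts"],
                    "last": ev["ts"],
                })
                break                               # one alert per account is enough for triage
    return alerts


def at(hhmm: str) -> datetime:
    h, m = hhmm.split(":")
    return datetime(2026, 2, 14, int(h), int(m))


# Constructed baseline: hosts each account reached in the previous 30 days.
BASELINE = {
    "svc-backup": {"BKP-01"},
    "a.smith": {"FS-01", "WS-017"},
    "j.doe": {"WS-042"},
}

# Constructed logons. Note the backup service account suddenly RDPs around the
# estate at 02:40 from a workstation address, which is the pattern to catch.
SAMPLE_LOGONS = [
    {"ts": at("02:41"), "account": "svc-backup", "src_ip": "10.10.5.42", "host": "BKP-01", "logon_type": RDP},
    {"ts": at("02:44"), "account": "svc-backup", "src_ip": "10.10.5.42", "host": "FS-01", "logon_type": RDP},
    {"ts": at("02:47"), "account": "svc-backup", "src_ip": "10.10.5.42", "host": "SQL-02", "logon_type": NETWORK},
    {"ts": at("02:49"), "account": "svc-backup", "src_ip": "10.10.5.42", "host": "DC-01", "logon_type": RDP},
    {"ts": at("09:05"), "account": "a.smith", "src_ip": "10.10.5.17", "host": "FS-01", "logon_type": RDP},
    {"ts": at("09:10"), "account": "a.smith", "src_ip": "10.10.5.17", "host": "WS-017", "logon_type": RDP},
    {"ts": at("09:30"), "account": "j.doe", "src_ip": "10.10.5.42", "host": "WS-042", "logon_type": 2},
    {"ts": at("11:00"), "account": "j.doe", "src_ip": "10.10.5.42", "host": "PRN-01", "logon_type": NETWORK},
    {"ts": at("16:20"), "account": "j.doe", "src_ip": "10.10.5.42", "host": "FS-01", "logon_type": NETWORK},
]

if __name__ == "__main__":
    for a in lateral_movement_alerts(SAMPLE_LOGONS, BASELINE):
        print(f"{a['account']}: {len(a['hosts'])} new hosts {a['hosts']} from {a['from']} "
              f"between {a['first']:%H:%M} and {a['last']:%H:%M}")
```

Only svc-backup trips the rule: three hosts it has never reached, within five minutes, at 02:44. a.smith stays inside her baseline and j.doe touches two unfamiliar hosts seven hours apart, which is ordinary. The baseline is what makes this usable; without it, helpdesk staff who RDP to twenty machines a day will page you every morning.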

Phase 5: Data Exfiltration — The Real Gold

Modern ransomware groups don't just encrypt — they steal first. This gives them double extortion capabilities: pay the ransom for the decryption key, and pay to prevent your stolen data from being publicly leaked.

Stolen data is uploaded to external servers, often disguised as legitimate cloud traffic to evade detection.

The signal: Large outbound data flows, especially outside business hours, and use of tools like Rclone or the MEGA desktop client on systems that have no business running them.
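The exfiltration traffic described above is often plain TLS on port 443 to a cloud storage provider, so the signal is volume and timing rather than protocol. As an added example (not code from the article), the following Python aggregates outbound flow records per internal source and external destination and flags pairs that are large and either far above the source host's usual daily volume or mostly outside office hours. The flow records, addresses, office hours (08:00 to 18:59) and baselines are constructed; the external addresses use the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.

```python
"""Exfiltration triage over outbound flow records (constructed sample data)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions for this example: the office works 08:00-18:59 local time and the
# internal address space is plain RFC 1918.
BUSINESS_HOURS = range(8, 19)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def exfil_alerts(flows, baseline_daily_bytes, min_bytes=1_000_000_000,
                 baseline_ratio=3.0, out_of_hours_share=0.5):
    """Flag (src, dst) pairs that are large AND either >= baseline_ratio times the
    host's normal daily external volume or mostly sent outside office hours.

    flows: dicts with ts (datetime), src, dst, dst_port, bytes (src -> dst payload bytes)
    baseline_daily_bytes: source IP -> typical external outbound bytes per day
    """
    agg = defaultdict(lambda: {"bytes": 0, "oo_bytes": 0, "ports": set(), "first": None, "last": None})
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue                                  # only internal -> external counts
        a = agg[(f["src"], f["dst"])]
        a["bytes"] += f["bytes"]
        if f["ts"].hour not in BUSINESS_HOURS:
            a["oo_bytes"] += f["bytes"]
        a["ports"].add(f["dst_port"])
        a["first"] = f["ts"] if a["first"] is None else min(a["first"], f["ts"])
        a["last"] = f["ts"] if a["last"] is None else max(a["last"], f["ts"])

    alerts = []
    for (src, dst), a in agg.items():
        share = a["oo_bytes"] / a["bytes"] if a["bytes"] else 0.0
        baseline = baseline_daily_bytes.get(src, 0)
        above_baseline = baseline > 0 and a["bytes"] >= baseline_ratio * baseline
        if a["bytes"] >= min_bytes and (above_baseline or share >= out_of_hours_share):
            alerts.append({"src": src, "dst": dst, "bytes": a["bytes"],
                           "out_of_hours_share": round(share, 2), "ports": sorted(a["ports"]),
                           "first": a["first"], "last": a["last"]})
    return sorted(alerts, key=lambda x: -x["bytes"])


def at(hhmm: str) -> datetime:
    h, m = hhmm.split(":")
    return datetime(2026, 2, 14, int(h), int(m))


BASELINE_DAILY_BYTES = {          # constructed: normal external outbound volume per host per day
    "10.10.2.11": 200_000_000,    # FS-01, a file server that rarely talks to the internet
    "10.10.5.42": 300_000_000,    # WS-042, a workstation
    "10.10.3.5": 1_000_000_000,   # MAIL-01
}

SAMPLE_FLOWS = (
    # FS-01 pushes 12 x 400 MB to one external host over TCP/443 between 02:00 and 02:55:
    # what rclone or the MEGA client looks like from the network.
    [{"ts": at(f"02:{m:02d}"), "src": "10.10.2.11", "dst": "203.0.113.10", "dst_port": 443,
      "bytes": 400_000_000} for m in range(0, 60, 5)]
    # WS-042: ordinary daytime browsing volume.
    + [{"ts": at(t), "src": "10.10.5.42", "dst": "198.51.100.20", "dst_port": 443, "bytes": 50_000_000}
       for t in ("09:12", "13:40", "15:55")]
    # WS-042 copying 2 GB to an internal file share: large, but not exfiltration.
    + [{"ts": at("10:30"), "src": "10.10.5.42", "dst": "10.10.2.11", "dst_port": 445, "bytes": 2_000_000_000}]
    # MAIL-01: a heavy but in-hours mail day, within 3x its baseline.
    + [{"ts": at("11:00"), "src": "10.10.3.5", "dst": "203.0.113.50", "dst_port": 25, "bytes": 1_200_000_000}]
)

if __name__ == "__main__":
    for a in exfil_alerts(SAMPLE_FLOWS, BASELINE_DAILY_BYTES):
        print(f"{a['src']} -> {a['dst']} ports {a['ports']}: {a['bytes'] / 1e9:.1f} GB, "
              f"{a['out_of_hours_share']:.0%} out of hours, {a['first']:%H:%M}-{a['last']:%H:%M}")
```

Only the file server's night-time upload is reported: 4.8 GB, 24 times its daily baseline, all of it out of hours. The 2 GB internal copy is skipped because the destination is internal, and the mail server's 1.2 GB day exceeds the absolute threshold but neither the baseline ratio nor the out-of-hours share. Whichever tool you use for the real thing (flow collector, firewall logs, cloud VPC flow logs), the two inputs that matter are the per-host baseline and the time of day.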

Phase 6: The Encryption — The Visible Part

Only now, sometimes weeks or months after initial access, is the actual encryption triggered. And it happens fast: within minutes to a few hours, thousands of files are inaccessible. The ransomware encrypts not just local drives but also network shares, cloud storage synced to local folders, and everything the compromised accounts can reach.

Online backups reachable from the network? Encrypted or deleted. Shadow copies? Deleted. Windows recovery options? Disabled.
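The backup sabotage mentioned in Phase 4 and the shadow-copy deletion above are both carried out with a short list of built-in commands, and they tend to arrive within seconds of each other just before encryption starts. As an added example (not code from the article), the following Python classifies process-creation command lines (Sysmon event 1 or Security event 4688 with command-line auditing enabled) against that list and scores each host by how many distinct sabotage categories it shows inside a ten-minute window. The log lines, hosts and accounts are constructed; the command lines are the real commands, but the pattern list is illustrative rather than complete.

```python
"""Backup-sabotage triage over process-creation command lines (constructed sample log)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule: a category and a pattern over the full command line.
RULES = [
    ("shadow_copy_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow_copy_delete", re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
    # Shrinking shadow storage to a few hundred MB silently evicts existing copies.
    ("shadow_storage_resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("recovery_disabled", re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
        re.I)),
    ("backup_catalog_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("backup_service_stop", re.compile(r'\b(net|sc)(\.exe)?\s+stop\s+"?\w*(veeam|backup|acronis)', re.I)),
]


def classify(cmdline: str):
    """Categories a single command line matches (empty list if none)."""
    return sorted({name for name, rx in RULES if rx.search(cmdline)})


def parse_line(line: str):
    """Constructed log format: 'timestamp | host | user | command line'."""
    ts, host, user, cmd = (p.strip() for p in line.split(" | ", 3))
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, user, cmd


def triage(log_text: str, window=timedelta(minutes=10)):
    """Per host, the largest set of distinct sabotage categories seen within any `window`.

    One category can be a sysadmin doing maintenance; three or more inside a few
    minutes is the pre-encryption playbook and should page someone.
    """
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, user, cmd = parse_line(line)
        cats = classify(cmd)
        if cats:
            hits[host].append((ts, user, cats))

    report = {}
    for host, events in hits.items():
        events.sort(key=lambda e: e[0])
        best = set()
        for i, (start, _, _) in enumerate(events):
            seen = set()
            for ts, _, cats in events[i:]:
                if ts - start > window:
                    break
                seen.update(cats)
            if len(seen) > len(best):
                best = seen
        severity = "high" if len(best) >= 3 else "medium" if len(best) == 2 else "low"
        report[host] = {
            "severity": severity,
            "categories": sorted(best),
            "users": sorted({u for _, u, _ in events}),
            "first": events[0][0],
            "last": events[-1][0],
        }
    return report


SAMPLE_LOG = r"""
2026-02-14 03:12:01 | FS-01 | CORP\svc-backup | cmd.exe /c vssadmin.exe delete shadows /all /quiet
2026-02-14 03:12:03 | FS-01 | CORP\svc-backup | wmic.exe shadowcopy delete
2026-02-14 03:12:05 | FS-01 | CORP\svc-backup | bcdedit.exe /set {default} recoveryenabled no
2026-02-14 03:12:06 | FS-01 | CORP\svc-backup | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2026-02-14 03:12:10 | FS-01 | CORP\svc-backup | wbadmin.exe delete catalog -quiet
2026-02-14 03:12:12 | FS-01 | CORP\svc-backup | net stop "VeeamBackupSvc" /y
2026-02-14 03:12:15 | FS-01 | CORP\svc-backup | powershell.exe -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"
2026-02-14 09:30:00 | WS-042 | CORP\j.doe | vssadmin.exe list shadows
2026-02-14 10:00:00 | BKP-01 | CORP\sysadmin | vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=20GB
"""

if __name__ == "__main__":
    for host, r in triage(SAMPLE_LOG).items():
        print(f"{host:7} {r['severity']:6} {r['categories']} by {r['users']} "
              f"{r['first']:%H:%M:%S}-{r['last']:%H:%M:%S}")
```

FS-01 scores high: four categories in fourteen seconds, run by a backup service account at 03:12, which is the moment to isolate the host and the account rather than wait for the ransom note. The sysadmin resizing shadow storage on BKP-01 during the day scores low, and listing shadow copies on a workstation matches nothing. The same correlation idea works for any SIEM: count distinct categories per host per window, not raw matches.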

At this point, it's too late for prevention. You are now in incident response mode.

Phase 7: Extortion and Negotiation

The ransom demand appears. Modern ransomware groups operate like professional businesses: they have help desks, negotiators, and even 'customer service' to guide you through the payment process. Average ransom demands for SMEs are around €250,000; for larger organisations, this can run into millions.

And paying guarantees nothing. Industry surveys report that around 80% of organisations that pay are attacked again, and the decryptor you pay for is often slow, incomplete, or both.

What Can You Do?

The power of this knowledge is that every phase represents an intervention opportunity:

  • Phase 1: Security awareness and behavioural analysis to strengthen the human factor, plus phishing-resistant MFA so a stolen password alone is not enough
  • Phase 2-3: Endpoint Detection and Response (EDR), network monitoring, and a tiered admin model so a workstation compromise cannot reach domain admin credentials
  • Phase 4: Network segmentation and Zero Trust architecture
  • Phase 5: Data Loss Prevention and outbound traffic monitoring
  • Phase 6: Offline or immutable backups and tested recovery procedures
  • Phase 7: An incident response plan, rehearsed before you need it, that settles in advance who decides about paying

The most underestimated factor? Human behaviour in Phase 1. This is where 82% of all attacks begin, and where you can make the biggest difference.

Nexus-7: Behavioural Analysis as Your First Line of Defence

Nexus-7 uses the scientific Q-Method to map your employees' security behaviour. Not with a simple phishing test, but with an in-depth analysis of how people think about security, where their blind spots are, and how their behaviour changes under pressure.

Combined with technical assessment, this gives you a complete picture of your vulnerability — from the human click to the technical configuration.


Want to know how vulnerable your organisation is to ransomware? Schedule a demo and discover how Nexus-7 maps your entire attack surface — including the human factor.
