
How Ransomware Attacks Unfold: A Step-by-Step Breakdown of Modern TTPs

Last updated: 2026-05-03 06:13:55 · Cybersecurity

Introduction

Ransomware remains one of the most persistent and disruptive threats to organizations worldwide. Since 2018, financially motivated cybercriminals have shifted from simple data encryption to a complex, multistage extortion model. The rise of Ransomware-as-a-Service (RaaS) has lowered the barrier to entry, creating a thriving underground ecosystem. Despite law enforcement disruptions and declining profitability—due to improved defenses, better recovery capabilities, and falling ransom payments—ransomware continues to evolve. In 2025, record numbers of victims were posted on data leak sites, with groups like Qilin and Akira filling vacuums left by disrupted operations such as LockBit and ALPHV. This guide breaks down the typical attack flow based on observed tactics, techniques, and procedures (TTPs) from 2025 Mandiant incident response engagements.

How Ransomware Attacks Unfold: A Step-by-Step Breakdown of Modern TTPs
Source: www.mandiant.com

What You Need

To understand or defend against a modern ransomware attack, you need knowledge of these key components (note: this is for educational and defense purposes only):

  • Initial Access Vectors: Exploits for common VPNs, firewalls, or remote desktop services. In 2025, one-third of incidents used vulnerability exploitation for initial access.
  • Persistence Tools: Remote monitoring and management (RMM) software, or intrusion tooling such as the BEACON backdoor and the MIMIKATZ credential dumper (though usage of these is declining).
  • Data Exfiltration Mechanisms: Tools and procedures for stealing sensitive data before encryption (77% of intrusions in 2025 involved data theft, up from 57% in 2024).
  • Virtualization Infrastructure Access: Over 43% of attacks targeted VMware or Hyper-V environments to encrypt backup servers and VMs.
  • Ransomware Payloads: Common families include REDBIKE (30% of analyzed incidents), Qilin, Akira, and others from the RaaS ecosystem.

Step-by-Step Guide: How a Modern Ransomware Attack Works

Step 1: Gain Initial Access via Vulnerability Exploitation

Attackers scan for unpatched vulnerabilities in internet-facing systems. In 2025, one-third of incidents exploited flaws in VPN appliances, firewalls, or web servers. This step often involves automated scanning and the use of public exploits. Tip: Prioritize patch management for perimeter devices to close this vector.

Step 2: Establish a Foothold and Deploy Intrusion Tools

Once inside, attackers deploy lightweight backdoors or use legitimate remote monitoring and management (RMM) tools to maintain access. Traditional tools like BEACON (Cobalt Strike) and MIMIKATZ are being used less, but still appear. The goal is to avoid detection while mapping the network. Key observation: RMM usage has plateaued but remains a common method for persistence.

Step 3: Escalate Privileges and Move Laterally

Using credential harvesting (often via Mimikatz or similar tools) and exploitation of misconfigurations, attackers move from the initial foothold to domain administrator accounts. This step enables access to critical servers and storage volumes.

Step 4: Identify and Exfiltrate Sensitive Data

Data theft is now a near-universal step—77% of intrusions in 2025 involved suspected data exfiltration before encryption. Attackers locate valuable files (financial data, intellectual property, customer records) and transfer them to attacker-controlled servers. This enables double extortion: paying to decrypt and to prevent data leaks.


Step 5: Target Virtualization Infrastructure

In nearly half of 2025 incidents (43%, up from 29% in 2024), attackers specifically targeted virtual machine hosts (e.g., VMware ESXi, Microsoft Hyper-V). Encrypting VMs cripples entire environments, including backups. Attackers also disable or delete backup snapshots to hinder recovery.

Step 6: Deploy Ransomware Payload

After staging the network and backups, the final payload is deployed—most commonly REDBIKE (30% of cases). The ransomware encrypts files, appends extensions, and leaves ransom notes. Victims are directed to data leak sites (DLS) where stolen data is published if payment is not made.

Step 7: Leverage RaaS Ecosystem for Extortion

Many groups operate as RaaS, where affiliates perform the technical intrusion and payload deployment, while the core group handles negotiation and leaks. This specialization lowers barriers for new actors, maintaining a constant flow of new variants.

Tips for Defenders

Based on the trends observed, here are actionable recommendations to reduce risk:

  • Patch Aggressively: Focus on VPNs, firewalls, and web servers—these are the top entry points.
  • Harden Virtualization Hosts: Restrict admin access to ESXi/Hyper-V, enable multi-factor authentication (MFA), and regularly back up configurations.
  • Implement Data Theft Detection: Monitor unusual outbound data flows. Use DLP solutions and network traffic analysis to spot exfiltration.
  • Reduce Reliance on Common Tools: Consider blocking or tightly controlling remote monitoring tools and scripting languages often abused by attackers.
  • Test Recovery Plans: Ensure offline backups are immutable and regularly test restore procedures. The increased use of ransomware targeting VMs means backups must be isolated.
  • Stay Informed on RaaS Groups: The landscape shifts rapidly—after disruptions to LockBit and ALPHV, new groups like Qilin and Akira emerged. Continuous threat intelligence is key.
  • Adopt Zero Trust Principles: Segment networks, limit lateral movement, and use least privilege access for all users and systems.
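As an added illustration of the "monitor unusual outbound data flows" recommendation and the data-theft step described earlier (this is not code from the page or from Mandiant), here is a minimal Python detector that sums the bytes each internal host sends to non-corporate destinations over a constructed flow log and flags hosts above a volume threshold. The log format, the corporate address ranges and the 1 GB threshold are assumptions for the example.

```python
"""Flag internal hosts with unusually large egress to external destinations.
Added example: a first cut at exfiltration detection over flow records."""
from collections import defaultdict
import ipaddress

# Constructed sample flow records (not real telemetry):
# "timestamp src dst bytes_out". The format is an assumption.
SAMPLE_FLOWS = """\
2025-06-01T01:10:00Z 10.0.5.21 203.0.113.10 820000000
2025-06-01T01:12:00Z 10.0.5.21 203.0.113.10 910000000
2025-06-01T01:15:00Z 10.0.5.21 198.51.100.7 640000000
2025-06-01T09:00:00Z 10.0.7.14 10.0.1.5 5000000000
2025-06-01T09:05:00Z 10.0.7.14 203.0.113.40 1200000
2025-06-01T09:30:00Z 10.0.9.3 192.0.2.25 3500000
"""

# Assumed corporate address space: the RFC 1918 ranges. Defined explicitly
# rather than via ip_address().is_private, which also covers other ranges.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)

def outbound_bytes_per_host(flows: str) -> dict:
    """Sum bytes each internal host sends to external destinations.
    Internal-to-internal traffic (e.g. a backup job to a file server)
    is ignored so it does not masquerade as exfiltration."""
    totals = defaultdict(int)
    for line in flows.splitlines():
        if not line.strip():
            continue
        _, src, dst, nbytes = line.split()
        if is_internal(src) and not is_internal(dst):
            totals[src] += int(nbytes)
    return dict(totals)

def flag_exfiltration(flows: str, threshold_bytes: int = 1_000_000_000) -> list:
    """Return sorted (host, total_bytes) pairs whose external egress exceeds
    the threshold. The 1 GB default is illustrative; tune it per environment."""
    totals = outbound_bytes_per_host(flows)
    return sorted((h, b) for h, b in totals.items() if b > threshold_bytes)

if __name__ == "__main__":
    for host, total in flag_exfiltration(SAMPLE_FLOWS):
        print(f"ALERT {host}: {total / 1e9:.2f} GB sent to external destinations")
```

In practice the threshold would be derived from each host's own baseline, and the host-level total would be joined with proxy or DNS logs to identify the destination service.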

Ransomware may be under pressure from improved defenses and law enforcement, but it remains a high-volume, high-impact threat. Understanding these steps helps organizations prepare and respond effectively.