Attack Technique

Ransomware Lifecycle

Modern ransomware attacks take weeks, not hours. Operators spend days moving through a network, stealing data, and staging payloads before triggering encryption. Understanding each phase is how defenders find and stop the attack before detonation.

ATT&CK techniques: T1486 Data Encrypted for Impact, T1490 Inhibit System Recovery, T1041 Exfiltration Over C2 Channel
Attack timeline -- hypothetical ransomware scenario (based on IRON CHIMNEY TTPs)
1. Initial Access (T-14 days)
2. Persistence (T-13 days)
3. Defense Evasion (T-10 days)
4. Credential Access (T-7 days)
5. Lateral Movement (T-3 days)
6. Exfiltration (T-1 day)
7. Impact (T+0)

Double extortion: why data theft happens before encryption
Modern ransomware is not just about encryption anymore

Ransomware groups discovered that backups break the leverage of encryption alone. If a victim has tested, isolated backups they can restore from, there is no incentive to pay. So the model evolved.

Double extortion means the attacker steals data before triggering encryption. If the victim restores from backups and refuses to pay, the attacker threatens to publish the data. Financial records, customer PII, intellectual property, and internal communications are all high-leverage targets. The threat of regulatory fines (GDPR, HIPAA) and reputational damage often makes victims pay even when their backups are fine.

This is why Exfiltration (Phase 6) now precedes encryption. Defenders who catch and stop the exfiltration phase have already removed the attacker's leverage, since double extortion only works if the attacker actually holds the data.

Common myth
"We have backups, so we are not vulnerable to ransomware." Backups protect against data loss from encryption. They do not protect against data exposure if the attacker has already exfiltrated the data. In a double-extortion attack, paying or not paying is a separate decision from whether you can restore operations.
The defender's window: when can this be stopped?
Every phase offers detection and interruption opportunities -- the earlier, the better
| Phase | Best detection opportunity | Tool |
| --- | --- | --- |
| Initial Access | DMARC failure on phishing email, link to unknown domain, Tor exit node sign-in | MailGuard, Identity |
| Persistence | Registry Run key value added (Sysmon Event 13), new scheduled task (Event 4698), unknown service installed | EDR, SIEM |
| Defense Evasion | AV/EDR service tampering (Event 7036), Defender exclusions added, event log cleared (Event 1102) | EDR |
| Credential Access | LSASS read by non-system process (Sysmon Event 10), RC4 Kerberos tickets (Event 4769) | EDR, SIEM |
| Lateral Movement | Admin share access from workstations, new service execution on remote hosts (Event 7045) | SIEM |
| Exfiltration | Large HTTPS uploads to cloud storage / Telegram, unusual DNS queries, CASB policy alert | CASB, NGFW |
| Impact | Rapid file rename/extension change (ransomware extension), VSS deletion (vssadmin delete shadows) | EDR |
The key principle
If you detect initial access and respond before lateral movement, you limit the blast radius to one host. If you detect lateral movement before exfiltration, you prevent double extortion leverage. By the time you detect encryption, you are already in incident response. Every phase caught earlier dramatically reduces recovery cost and data exposure.
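The detection table and the key principle above, turned into a small phase-mapping detector: each table row becomes a rule, matching events are ordered by lifecycle phase, and the earliest phase caught is translated into the outcome the text describes. This is an added example, not foyl's or any vendor's code; it runs offline on constructed sample events with simplified field names (chan, id, target, source, ...) rather than the real EVTX schema, and the AV service names and exfiltration domain watchlist are assumptions.

```python
"""Map Windows, Sysmon and proxy events onto the ransomware lifecycle (added example)."""
PHASES = ["Initial Access", "Persistence", "Defense Evasion", "Credential Access",
          "Lateral Movement", "Exfiltration", "Impact"]
AV_SERVICES = {"WinDefend", "Sense"}  # assumed: Defender AV / Defender for Endpoint service names
EXFIL_DOMAINS = {"api.telegram.org", "content.dropboxapi.com"}  # constructed watchlist
# One rule per row of the detection table: (channel, event id, condition, phase, what it means).
# Event field names are simplified assumptions, not the real EVTX schema.
RULES = [
    ("Sysmon", 13, lambda e: "\\currentversion\\run\\" in e["target"].lower(),
     "Persistence", "Run key value added"),
    ("System", 7036, lambda e: e["service"] in AV_SERVICES and e["state"] == "stopped",
     "Defense Evasion", "AV/EDR service stopped"),
    ("Sysmon", 10, lambda e: e["target"].lower().endswith("\\lsass.exe")
     and not e["source"].lower().startswith("c:\\windows\\"),
     "Credential Access", "LSASS read by non-system process"),
    ("Security", 4769, lambda e: e["etype"] == "0x17",
     "Credential Access", "RC4 Kerberos service ticket"),
    ("System", 7045, lambda e: True, "Lateral Movement", "New service on remote host"),
    ("Proxy", 0, lambda e: e["bytes_out"] > 1_000_000_000 and e["dest"] in EXFIL_DOMAINS,
     "Exfiltration", "Large upload to cloud storage / Telegram"),
    ("Sysmon", 1, lambda e: "delete shadows" in e["cmdline"].lower(),
     "Impact", "Volume shadow copies deleted"),
]
# Key principle: the earliest phase caught decides how much the attacker already has.
OUTCOMES = [("Lateral Movement", "blast radius limited to one host"),
            ("Exfiltration", "double-extortion leverage prevented"),
            ("Impact", "data already leaving, encryption not yet triggered")]

def detect(events):  # every (phase, meaning) that fires, ordered by lifecycle phase
    hits = {(phase, what) for e in events for chan, eid, cond, phase, what in RULES
            if e["chan"] == chan and e["id"] == eid and cond(e)}
    return sorted(hits, key=lambda h: PHASES.index(h[0]))

def earliest_phase(events):
    hits = detect(events)
    return hits[0][0] if hits else None

def outcome(phase):  # consequence of catching the attack at this phase
    i = PHASES.index(phase)
    return next((what for stop, what in OUTCOMES if i < PHASES.index(stop)),
                "already in incident response")

# Constructed sample events: a mid-intrusion slice with no initial-access telemetry.
SAMPLE_EVENTS = [
    {"chan": "Sysmon", "id": 13, "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"chan": "System", "id": 7036, "service": "WinDefend", "state": "stopped"},
    {"chan": "Sysmon", "id": 10, "target": "C:\\Windows\\System32\\lsass.exe", "source": "C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe"},
    {"chan": "System", "id": 7045, "service": "PSEXESVC", "host": "FILESRV-02"},
    {"chan": "Sysmon", "id": 1, "cmdline": "notepad.exe report.txt"},  # benign, must not fire
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS), earliest_phase(SAMPLE_EVENTS), outcome(earliest_phase(SAMPLE_EVENTS)))
```

On the sample slice the earliest hit is Persistence, so the reported outcome is that the blast radius is still one host; feed it only the lateral-movement or proxy events and the outcome moves down the table accordingly.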
See it in foyl Learn
| Where to look | What you will find |
| --- | --- |
| IRON CHIMNEY scenario | Full incident timeline using all 7 phases -- maps each event to ATT&CK and the detecting tool |
| CASB | Exfiltration detected: Dropbox and Telegram uploads from RESEARCH-STATION-01 |
| SOAR / PB-001 | AiTM Phishing Response playbook -- automated containment across all phases |
| IR Lab | Guided exercise: triage, contain, and document a multi-phase attack using the full tool suite |