That moment feels like the attack.

It isn't.

In modern ransomware operations, encryption is usually the final act — a kind of closing ceremony after the real damage has already been done. Long before that ransom note appears on your screen, attackers have often spent days, sometimes weeks, quietly moving through a network: stealing credentials, mapping systems, identifying backups, exfiltrating data, and systematically destroying anything that might help you recover.

By the time the files start encrypting, the attackers frequently know your environment better than your own IT team does.

And here's what makes it stranger: increasingly, they don't even bother with encryption at all.

Modern ransomware has drifted far from its origins as a kind of digital smash-and-grab. What it's become is something closer to organized extortion — professionalized, patient, and surprisingly businesslike. To understand how organizations can actually defend against it, you have to look past the encryption screen. Here are five realities shaping how these attacks actually work.

1. The Rise of "Silent Extortion"

For a long time, encryption was ransomware. Lock the files, demand payment, done.

That's changing. Some of the more sophisticated groups are moving toward something quieter — and arguably more effective.

Recent intelligence around operations like LockBit 4.0 (Neo) shows a growing trend: attackers stealing sensitive data without ever triggering an encryption event. They get in, take what they want, maintain persistence, and then apply pressure through the threat of public exposure rather than operational disruption.

From the attacker's perspective, this is a smarter play. Mass encryption is loud. It generates EDR alerts, triggers abnormal file activity, spikes CPU usage, and brings operations to a visible halt. Data exfiltration, by contrast, can often blend into normal outbound traffic. A large file transfer rarely triggers the same urgency as a ransomware detonation. That silence buys time — and time is exactly what attackers need.

There's also a more fundamental problem with the old model that silent extortion sidesteps entirely: backups.

Organizations that invested in solid offline backup infrastructure got pretty good at recovering from traditional ransomware. Restore the systems, wipe the malware, move on. But backups can't un-leak your intellectual property. They can't reverse the exposure of customer data or contain the reputational fallout from stolen credentials hitting the dark web. The leverage has shifted. The threat is no longer "pay us or lose your files" — it's "pay us or watch your data go public." That psychological pressure is often more effective than encryption ever was.

Ransomware isn't really about encryption anymore. It's about access, timing, and leverage.
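One way to make the "blends into normal outbound traffic" problem concrete is to stop looking at individual transfers and compare each host against its own history. The example below is added here and is not code from The Security Lens; it assumes a SIEM has already rolled flow or proxy logs up to daily byte totals per host and destination, and all hosts, destinations, volumes and the ratio and floor thresholds are constructed for the demonstration.

```python
from collections import defaultdict
from statistics import median

# Constructed daily outbound byte totals per (host, destination), such as a SIEM
# would roll up from NetFlow or proxy logs. Hosts, destinations and volumes are
# invented for this example; 203.0.113.45 is a documentation-range address.
BASELINE_DAYS = [f'2024-04-{d:02d}' for d in range(24, 31)]
FLOWS = []
for i, day in enumerate(BASELINE_DAYS):
    FLOWS.append((day, 'FS01', 'crm.example-saas.net', 900_000_000 + 50_000_000 * i))
    FLOWS.append((day, 'FS01', 'backup.example-cloud.net', 300_000_000))
    FLOWS.append((day, 'WS17', 'updates.example-vendor.com', 40_000_000))
FLOWS += [
    ('2024-05-01', 'FS01', 'crm.example-saas.net', 1_000_000_000),
    ('2024-05-01', 'FS01', '203.0.113.45', 37_000_000_000),  # staged data leaving
    ('2024-05-01', 'WS17', 'updates.example-vendor.com', 45_000_000),
]


def summarise(flows):
    """Per-host daily byte totals and the destinations contacted each day."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    dests = defaultdict(lambda: defaultdict(set))   # host -> day -> {dest}
    for day, host, dest, nbytes in flows:
        daily[host][day] += nbytes
        dests[host][day].add(dest)
    return daily, dests


def detect_exfil(flows, ratio=5.0, min_bytes=5_000_000_000, min_history=3):
    """Flag a host-day whose outbound volume dwarfs that host's own history.

    ratio and min_bytes are assumed tuning values: the median of prior days is
    the baseline, and a day must exceed both ratio * baseline and an absolute
    floor, so a chatty workstation doubling its small traffic does not page anyone.
    """
    daily, dests = summarise(flows)
    alerts = []
    for host, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            prior = [per_day[d] for d in days[:i]]
            if len(prior) < min_history:
                continue  # not enough history to call anything abnormal
            typical = median(prior)
            seen_before = set().union(*(dests[host][d] for d in days[:i]))
            volume = per_day[day]
            if volume >= min_bytes and volume > ratio * typical:
                alerts.append({
                    'host': host, 'day': day, 'bytes': volume, 'typical': typical,
                    'new_destinations': sorted(dests[host][day] - seen_before),
                })
    return alerts


if __name__ == '__main__':
    for a in detect_exfil(FLOWS):
        print(f"{a['day']} {a['host']}: {a['bytes'] / 1e9:.1f} GB out "
              f"(typical {a['typical'] / 1e9:.2f} GB), new destinations: "
              f"{', '.join(a['new_destinations']) or 'none'}")
```

The point of the per-host baseline is that a file server moving 38 GB is only interesting relative to the 1.35 GB it usually moves; the same number from a backup appliance would be noise. Pairing the volume spike with a never-before-seen destination is what turns a capacity anomaly into something worth an analyst's time.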

2. Ransomware Groups Run Like Businesses

There's a persistent mental image of ransomware operators as chaotic, hoodie-wearing hackers working out of basements. The reality is far more mundane — and more concerning.

Many ransomware groups today function like decentralized criminal enterprises. They rebrand, restructure, recruit affiliates, outsource tooling, and manage their public reputation with the kind of operational discipline you'd expect from a mid-sized company under pressure. Threat intelligence researchers now track their organizational maturity using taxonomies — groups categorized as Emerging, Developing, or Established — the same way you'd evaluate a legitimate business.

Two concepts matter more than they might seem: splintering and rebranding.

When a group splinters, former members break away to form new operations. Former Conti affiliates, for instance, are believed to have contributed to the emergence of groups like Royal and Black Basta. The people change but the tradecraft doesn't.

When a group rebrands, the organization largely stays intact but adopts a new identity — usually to reduce visibility, evade sanctions, or reset a reputation after a high-profile incident. BlackSuit is a strong example: code-level analysis points to significant similarities between the BlackSuit and Royal encryptors, suggesting the group effectively continued under a different name.

The names change. The infrastructure often doesn't.

Figure: Modern ransomware operations now resemble structured business ecosystems — combining professionalized RaaS infrastructure, operational maturity models, and multi-stage attack execution.

3. Attackers Don't Just Delete Backups Anymore

Any seasoned defender knows the classic move:

vssadmin delete shadows /all /quiet

It's been around forever. It's also noisy, obvious, and commonly monitored. Attackers know this — which is why many have shifted to quieter methods.

One increasingly common technique involves vssadmin resize. Rather than deleting Volume Shadow Copies directly, attackers shrink the "diff area" — the storage space allocated for snapshots — to its minimum possible size. This doesn't immediately destroy the snapshots, but once the storage limit is exceeded, Windows automatically removes existing shadow copies to free space. Recovery points disappear without the kind of alert you'd expect from an outright deletion. The activity can look enough like routine administration to avoid immediate scrutiny.

That's the dangerous part. It resembles legitimate behavior.

This is why modern ransomware defense isn't really about detecting malware signatures anymore. It's about detecting intent — subtle behavioral signals that something is being prepared. Experienced analysts now monitor for unexpected loading of vss_ps.dll, suspicious IOCTL activity, and unusual Event Tracing for Windows patterns. The battlefield has shifted from signatures to behavior.
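The two vssadmin variants above are a good illustration of why a rule that only matches "delete shadows" is no longer enough. The following is an added example, not code from The Security Lens: a small triage pass over constructed process-creation log lines (Sysmon Event ID 1 or Security 4688 style) that flags explicit deletion, flags a resize that shrinks the diff area to a size where snapshots will be evicted, and downgrades a large resize to a review item so routine storage administration is not treated as an incident. The log line format, the 1 GB threshold and all hosts and users are assumptions for the demonstration.

```python
import re

# Constructed process-creation log lines in a Sysmon Event ID 1 / Security 4688 style.
# They are sample input for this example, not records from any real incident.
SAMPLE_EVENTS = [
    '2024-05-01T02:14:09Z host=FS01 user=CORP\\jdoe parent=cmd.exe '
    'cmd="vssadmin delete shadows /all /quiet"',
    '2024-05-01T02:15:31Z host=FS02 user=CORP\\jdoe parent=powershell.exe '
    'cmd="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
    '2024-05-01T03:00:00Z host=FS03 user=CORP\\svc_backup parent=backupagent.exe '
    'cmd="vssadmin resize shadowstorage /for=D: /on=D: /maxsize=20GB"',
    '2024-05-01T03:05:12Z host=WS17 user=CORP\\asmith parent=explorer.exe '
    'cmd="vssadmin list shadows"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'parent=(?P<parent>\S+) cmd="(?P<cmd>[^"]*)"$'
)
DELETE_RE = re.compile(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b', re.I)
RESIZE_RE = re.compile(
    r'\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*?/maxsize=(?P<size>\S+)', re.I
)

# Assumed tuning value: a diff area at or below this size is treated as "shrunk to
# evict snapshots". It is a detection-engineering choice, not a Windows constant.
SMALL_DIFF_AREA_MB = 1024
UNIT_TO_MB = {'KB': 1 / 1024, 'MB': 1, 'GB': 1024, 'TB': 1024 * 1024}


def maxsize_to_mb(value):
    """Convert a /maxsize argument to megabytes.

    Returns None for UNBOUNDED or percentage values, which need a per-volume lookup.
    """
    v = value.strip().upper()
    if v == 'UNBOUNDED' or v.endswith('%'):
        return None
    m = re.fullmatch(r'(\d+(?:\.\d+)?)(KB|MB|GB|TB)?', v)
    if not m:
        return None
    number, unit = float(m.group(1)), (m.group(2) or 'MB')
    return number * UNIT_TO_MB[unit]


def classify(line):
    """Return an alert dict for shadow-copy tampering, or None for benign lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    cmd = ev['cmd']
    if DELETE_RE.search(cmd):
        return {**ev, 'technique': 'shadow_delete', 'severity': 'high',
                'reason': 'explicit deletion of volume shadow copies'}
    r = RESIZE_RE.search(cmd)
    if r:
        mb = maxsize_to_mb(r.group('size'))
        if mb is not None and mb <= SMALL_DIFF_AREA_MB:
            return {**ev, 'technique': 'shadow_resize', 'severity': 'high',
                    'reason': f'diff area shrunk to {mb:.0f} MB; '
                              f'existing snapshots will be evicted'}
        # A larger or unbounded resize is plausible storage administration:
        # surface it for review rather than as an incident.
        return {**ev, 'technique': 'shadow_resize', 'severity': 'medium',
                'reason': 'diff area resized; confirm against change records'}
    return None


def triage(lines):
    """Run classify() over a batch of lines and keep only the alerts."""
    return [a for a in (classify(line) for line in lines) if a]


if __name__ == '__main__':
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6}] {alert['ts']} {alert['host']} "
              f"{alert['user']} <- {alert['parent']}: {alert['reason']}")
```

The parent process and the account are carried through deliberately: a resize launched by a backup agent under its service account reads very differently from the same command under an interactive user's PowerShell, and that context is usually what decides whether the medium-severity item gets closed or escalated.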

4. The 48-Hour Window Is Real, and It's Terrifying

One of the most sobering realities of modern incident response is how fast things move. Many ransomware operations now go from initial compromise to full domain-wide impact in as little as 24 to 48 hours.

That acceleration is largely a product of Crimeware-as-a-Service. Affiliates no longer need to build malware, write exploits, or engineer their own tooling. Entire operational kits are available for rent. The barrier to entry has collapsed.

To stay undetected during that rapid movement, attackers increasingly lean on native Windows tools instead of custom malware — a technique known as "Living off the Land." whoami.exe, nltest.exe, and PsExec are standard administrative utilities, and even a commercial framework like Cobalt Strike is something legitimate red teams run. They blend in precisely because defenders use them too.

Which creates one of the hardest problems in modern security: how do you distinguish a threat actor from your own IT team?

What experienced defenders are actually hunting for is behavioral anomalies — abnormal PsExec usage, suspicious named pipes, Mimikatz execution patterns, unusual authentication activity, SOCKS proxy traffic, default Cobalt Strike artifacts. By the time encryption starts, the operationally meaningful part of the attack has already succeeded.

5. Sophisticated Attackers Still Leave Traces

Despite everything, even well-resourced ransomware operators leave evidence behind. Some of the most valuable forensic clues live in Windows Event Logs — particularly Defender-related events.

SANS Institute research highlights two Event IDs that deserve attention during any incident response triage:

  • Event ID 1116 — Malware detected
  • Event ID 1117 — Action taken (or failed)

The key insight isn't simply whether malware was detected. It's whether the remediation succeeded. A failed 1117 event can mean ransomware is still resident, quarantine was incomplete, or additional hosts are infected. During active incident response, these logs can be the difference between containment and a second detonation.

They're also critical for tracking down Patient Zero — the first compromised system, which typically holds the clearest evidence of attacker entry, credential theft, persistence mechanisms, and where lateral movement originated. Sometimes the initial payload fails, and the attacker simply waits and tries again. Finding that first foothold is how you understand the full scope of what happened.
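To show what "whether the remediation succeeded" looks like in practice, here is an added example (not code from The Security Lens or from SANS) that pairs each 1116 detection with the following 1117 action for the same host and threat, reports detections whose action failed or was never logged, and orders hosts by first detection to surface a Patient Zero candidate. The event records are constructed and simplified: real Defender events carry more fields, the threat names and paths are invented, the five-minute pairing window is an assumption, and the non-zero error code is a placeholder rather than a documented Defender code.

```python
from datetime import datetime, timedelta

# Constructed, simplified records from the Microsoft-Windows-Windows Defender/Operational
# log. Real 1116/1117 events carry more fields; only those needed for triage are kept,
# and the threat names, paths and the non-zero error code are invented for this example.
DEFENDER_EVENTS = [
    {'time': '2024-05-01T01:58:02', 'host': 'WS17', 'event_id': 1116,
     'threat': 'Trojan:Win32/Constructed.A',
     'path': 'C:\\Users\\asmith\\Downloads\\invoice.exe'},
    {'time': '2024-05-01T01:58:04', 'host': 'WS17', 'event_id': 1117,
     'threat': 'Trojan:Win32/Constructed.A', 'action': 'Quarantine',
     'error_code': '0x00000000'},
    {'time': '2024-05-01T02:03:40', 'host': 'WS17', 'event_id': 1116,
     'threat': 'Ransom:Win32/Constructed.B',
     'path': 'C:\\Users\\asmith\\AppData\\Local\\Temp\\upd.exe'},
    {'time': '2024-05-01T02:03:41', 'host': 'WS17', 'event_id': 1117,
     'threat': 'Ransom:Win32/Constructed.B', 'action': 'Quarantine',
     'error_code': '0x8050FFFF'},   # placeholder non-zero code: action failed
    {'time': '2024-05-01T02:40:17', 'host': 'FS01', 'event_id': 1116,
     'threat': 'Ransom:Win32/Constructed.B', 'path': 'C:\\Windows\\Temp\\upd.exe'},
    # FS01 never logs an 1117 for that detection: no remediation was ever recorded.
]

SUCCESS_CODE = '0x00000000'
PAIR_WINDOW = timedelta(minutes=5)  # assumed: how long after a 1116 its 1117 may arrive


def _ts(event):
    return datetime.fromisoformat(event['time'])


def triage_defender(events):
    """Pair each 1116 detection with the next 1117 for the same host and threat.

    Returns (unresolved, timeline): detections whose remediation failed or was
    never logged, and the first-detection time per host in order of occurrence.
    """
    detections = sorted((e for e in events if e['event_id'] == 1116), key=_ts)
    actions = sorted((e for e in events if e['event_id'] == 1117), key=_ts)
    unresolved = []
    for det in detections:
        t0 = _ts(det)
        match = next((a for a in actions
                      if a['host'] == det['host'] and a['threat'] == det['threat']
                      and t0 <= _ts(a) <= t0 + PAIR_WINDOW), None)
        if match is None:
            unresolved.append({**det, 'outcome': 'no 1117 logged; remediation never recorded'})
        elif match['error_code'] != SUCCESS_CODE:
            unresolved.append({**det, 'outcome': f"1117 {match['action']} failed ({match['error_code']})"})
    timeline = []
    for det in detections:  # time-ordered, so the first hit per host is its earliest
        if det['host'] not in [h for h, _ in timeline]:
            timeline.append((det['host'], det['time']))
    return unresolved, timeline


def patient_zero(events):
    """Earliest host to log a detection; the place to start the forensic timeline."""
    _, timeline = triage_defender(events)
    return timeline[0][0] if timeline else None


if __name__ == '__main__':
    unresolved, timeline = triage_defender(DEFENDER_EVENTS)
    print('first detection per host:', timeline)
    print('patient zero candidate:', patient_zero(DEFENDER_EVENTS))
    for u in unresolved:
        print(f"{u['time']} {u['host']} {u['threat']} {u['path']}: {u['outcome']}")
```

Two things fall out of the constructed data that mirror the text: WS17 shows the "initial payload failed, attacker tried again" pattern (a clean quarantine followed minutes later by a second, failed one), and FS01 has a detection with no recorded action at all, which is the case most likely to be missed if triage only counts 1116 events.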

The Bigger Shift

The modern ransomware ecosystem isn't defined by malware anymore. It's defined by operational discipline, speed, stealth, psychological leverage, and the kind of business resilience that lets these groups absorb law enforcement pressure and keep operating under new names.

That demands a fundamentally different approach to defense. The old model — antivirus, perimeter protection, prevention-first thinking — isn't sufficient. What the threat landscape actually requires is visibility into behavioral patterns, rapid containment capability, strong identity security, and recovery infrastructure that's been genuinely tested under pressure.

Most importantly, organizations need to stop treating internet-facing systems as convenient infrastructure that happens to need some security bolted on. They're high-stakes attack surfaces, and they should be treated accordingly.

The most dangerous phase of a ransomware attack is the one nobody notices. Not the encryption. Not the ransom note. Not the leak site.

It's the quiet 48-hour window before any of that.

If an attacker were inside your network right now, would you catch them during that window? Or would the first sign be an invoice appearing on a dark web marketplace?

That question is worth sitting with.

— The Security Lens