Inside Ransomware: Lessons from the Defense Industry

I worked for over seven years in the ransomware defense industry. I've sat across the table from companies who lost decades of operational data. I've watched FBI agents take notes while CEOs cried. I've also watched companies who'd done the boring work survive incidents that would have ended a less prepared business.

Most public writing about ransomware oversimplifies it as "they clicked a bad link, then everything got encrypted." That's not quite right. Modern ransomware is a multi-stage, multi-week operation. Understanding the stages is the first step to defending against it.

Anatomy of a modern ransomware attack

Four stages, in roughly this order: initial access → lateral movement → exfiltration → detonation. Each can take days or weeks. The encryption everyone fears is the final 30 minutes of a 4-week operation. By the time you see the ransom note, the attacker has been in your network so long they could find your CEO's mistress in the email archives.

Stage 1: Initial access

Three vectors dominate:

1. Phishing with credential theft (still #1)
2. Unpatched perimeter appliances — VPN concentrators, firewalls, Exchange servers
3. Compromised credentials from previous breaches, sold on dark-web marketplaces

The attackers don't need to find your credentials specifically. They run scripts that try every leaked credential against every common service. If you reused a password from a 2019 breach, you're already on a list.

Stage 2: Lateral movement

Once inside one machine, the attacker pivots. Standard moves:

• Mimikatz / LSASS dump to grab cached credentials
• Pass-the-Hash / Pass-the-Ticket to authenticate as other users
• Group Policy abuse to push tooling to every machine
• Domain Admin escalation — the trophy

This is where flat networks die. If every server can talk to every other server on every port, lateral movement is trivial. Network segmentation alone slows attackers by days.

Stage 3: Data exfiltration

Modern ransomware groups practice double extortion: they encrypt your files and steal a copy first. Even if you have perfect backups, they leak your data unless you pay.

This stage is often visible in your network traffic. A typical attack might exfiltrate 200GB–2TB to a cloud storage service over 1–3 days. If you have egress monitoring on your firewall and a baseline of normal traffic, this anomaly is detectable. Most companies don't, so it isn't.

Stage 4: Detonation

The encryption itself takes minutes to hours per host, run in parallel across the network. Modern ransomware encrypts only file headers (not full contents) to spread fast. By morning, every machine you own is locked, and the same ransom note is on every screen.

Detonation is timed for maximum business pain — Friday at 6pm, the night before a holiday, the eve of a quarterly close. They've researched you. They know your fiscal calendar.

Why backups fail

Companies who think they're protected because they have backups discover, mid-incident, that:

• The backups were on the same network and got encrypted too
• The backup credentials were valid Domain Admin and the attacker used them
• The backups haven't been tested in years and are corrupted
• The backup retention is 14 days and the attacker was inside for 30
• The backup contains the same malware so restoration re-infects

Immutable backups (write-once, read-many) on a separate authentication realm are the only kind of backup that survives a modern attack. This is now a baseline expectation, not a luxury.

Should you pay?

Three perspectives:

• FBI position: never pay. It funds future attacks.
• Operational reality: sometimes you have no choice — your data is gone, your business is dying.
• Legal reality: the OFAC sanctions list now includes many ransomware groups. Paying may be illegal.

The right answer is "you should never have to make this decision" — which means doing the prevention work in advance. By the time the question comes up, you've already lost.

Prevention playbook

The prevention list overlaps heavily with the cybersecurity fundamentals:

• MFA on every internet-facing service, especially VPN and remote desktop
• Patch perimeter appliances within 48 hours of CVE disclosure
• EDR on every endpoint — and actually monitor the alerts
• Immutable, off-domain backups, tested quarterly
• Network segmentation by function
• Disable RDP from the internet, full stop
• Disable SMBv1, restrict SMBv2/3 to only where needed
• LAPS or similar for local admin password randomization
• Tier-0 administration — domain admins never log into workstations
• Email gateway with attachment sandboxing

Response playbook

You will know within the first 10 minutes whether your team has done this drill. If they haven't, the first hour will look like every other unprepared response — panicked phone calls, conflicting decisions, lost time. Have this written down before you need it:

1. Don't power off encrypted machines. Forensics needs memory.
2. Isolate at the network level (pull the upstream switch, not the workstation cable).
3. Call your cyber insurance carrier. They have an approved IR firm ready and will pay for it.
4. Call legal counsel. Notification timelines start now.
5. Preserve logs from anywhere they exist — domain controllers, firewalls, EDR consoles, cloud audit logs.
6. Do not communicate with attackers until your IR firm tells you to.
7. Engage law enforcement via IC3.gov or your local FBI field office.

The companies who survived ransomware events with their business intact almost always had a written plan, drilled twice a year, with everyone's role clear. The companies who didn't survive were improvising while their phones rang nonstop.

djEnterprises offers tabletop drills, network architecture review, and incident-response plan authoring as part of consulting — directly informed by years inside the industry. Book a call if you want a security-focused engagement.