Every Ransomware Attack Has a Backstory

Key Takeaways

  • Ransomware is the final act, not the first move.

  • Access brokers and identity abuse help set the attack in motion.

  • Trusted tools are now part of the attacker playbook.

  • Encryption feels sudden, but the intrusion usually isn't.

  • The best chance to stop ransomware is catching it before it looks like ransomware.

Ransomware is the part of the attack that gets the most attention.

It's the locked screens, the ransom note, the disrupted workflows, the scramble to figure out what happened, and the public headlines that follow.

But by the time attackers make their big move, the real story usually started much earlier.

When we only focus on the ending, we lose sight of everything that set it up: the modern cybercrime assembly line built for speed, repetition, and scale.

We don't have to look far for a real example. Earlier this month, our team traced six unrelated ransomware intrusions back to the same starting point: an exposed Citrix NetScaler gateway and a single, reusable trick for stealing an active session. Same privilege-escalation move, same throwaway account name, same off-the-shelf remote access tool, case after case. A textbook example of one operator running the same playbook on repeat, with DragonForce ransomware waiting at the end of the line for the one victim who didn't catch it in time. It's a small-scale preview of the ransomware playbook: access first, patience second, ransomware last.

Access is just the beginning

A lot of attacks begin with someone else doing the dirty work first.

Initial access brokers, or IABs, are the people who get into environments and then sell that access to other attackers. They don't hang around to deploy ransomware themselves. Instead, they act like suppliers. They find a way in, package the access, and sell it to the next cybercriminal in the chain.

How do they get in? Often through infostealer malware, phishing, social engineering, or unpatched systems. Sometimes it's a stolen browser session, a reused password, or an internet-facing system with an overlooked update. Attackers exploit the everyday workflows your team already trusts. Nothing flashy, and that's kind of the point.

Not all access is equal, either. User logins sit on the lower end of the value scale. VPN or RDP access is worth more. Admin or cloud access is the premium version because it gives attackers a much faster path to control and sensitive data.

Identity abuse keeps showing up for a reason. Per the Huntress 2026 Cyber Threat Report, 37.2% of all identity-based attacks in 2025 involved suspicious login activity. That's a reminder that the earliest signs of trouble don't look dramatic.

If that early access slips by, the rest of the assembly line keeps moving.

When the attack blends right in

Once attackers have access, they often blend in, stick around, and move through your environment unnoticed.

This is Living off the Land (LoTL). Instead of dropping custom tools that might get flagged, attackers use the trusted tools and native processes you're already using. Think PowerShell, remote monitoring and management (RMM) tools, and built-in Windows admin utilities.

From the outside, it looks like normal administration. A script runs. A remote session starts. Commands get executed. But LoTL buys attackers time by abusing the software your team already trusts.

A 277% year-over-year spike in RMM abuse in 2025 shows how quickly this tactic is gaining ground and helps explain why abusing legitimate tools has become one of the easiest ways to stay hidden in plain sight.

Suspicious access turns into suspicious use of trusted tools. The attack develops in stages, and each stage makes the next one easier and more stealthy.

When the interruption hits

Then comes ransomware.

By the time the ransomware hits, attackers have often already spent hours inside your environment staging access, moving laterally, and stealing data. In 2025, attackers spent an average of 20 hours in a target environment before launching ransomware. So while the encryption feels sudden, in reality, it's just the visible end of a chain of events that's been unfolding behind the scenes.

The ransomware landscape itself also shows how concentrated the pressure has become. Four groups—Akira, Medusa, Qilin, and RansomHub—drove 51.3% of all ransomware incidents in 2025. Different names, same outcome for the victim: disruption, downtime, hard decisions, and an unwanted interruption that throws the business off course and puts real pressure on the people trying to keep it running.

Break the chain early

Understanding how an attacker moves through an environment changes your perspective.

Maybe it's the suspicious login. Maybe it's a remote access tool showing up where it shouldn't. Maybe it's admin activity at the wrong time, from the wrong account, in the wrong place. The details vary, but the larger lesson is the same: the earlier you recognize the pattern, the better your odds of interrupting it before it turns into extortion.

Attackers are counting on defenders to treat each phase like a separate event. That's the gap they rely on. Knowing the playbook is how you stop it before the end of the assembly line.

We break down the attacker's playbook every month at Tradecraft Tuesday. Grab your spot to join us at the next one.