The Ransomware Kill Chain in 2026: From Phish to Full Encryption in Under 4 Hours

According to Huntress's 2026 Cyber Threat Report, the average time-to-ransom (TTR) across ransomware operations rose to 20 hours in 2025 as attackers adopted "low and slow" tactics to evade detection — up from 17 hours in 2024. The fastest groups, including Akira and RansomHub, still deploy in around six hours. In a controlled simulation, Palo Alto Networks' Unit 42 demonstrated an AI-powered attack chain moving from initial compromise to full data exfiltration in just 25 minutes. The ransomware kill chain has compressed to the point where most organizations don't have time to respond after detection — they need to have already prevented it. Here's how the modern attack unfolds, stage by stage.

The cyber kill chain model, originally developed by Lockheed Martin for analyzing advanced persistent threats, maps perfectly to modern ransomware operations. Each stage represents both an attacker's action and a defender's opportunity. The problem is that attackers have gotten ruthlessly efficient at compressing these stages, while most defenders still operate at the speed of manual triage and ticket-based response. Understanding the modern kill chain isn't academic — it's the foundation for every defensive investment your organization makes.

Stage 1: Initial Access — Buying the Door Key

Modern ransomware operations rarely hack their way in from scratch. The most common initial access method is purchasing pre-compromised credentials or network access from Initial Access Brokers (IABs) on dark web marketplaces. These specialized operators run mass phishing campaigns, credential stuffing operations, and vulnerability scans, then sell the resulting access to ransomware affiliates for a fraction of the eventual ransom. Huntress's analysis of 2024 incidents found that 72% of successful ransomware breaches began with a phishing email, and one in four involved IABs selling pre-obtained credentials.

Direct exploitation of unpatched public-facing systems remains the second most common vector. VPNs, remote desktop services, Microsoft Exchange servers, and file transfer appliances are the primary targets. Cl0p's exploitation of zero-days in MOVEit (2023) and Oracle E-Business Suite (CVE-2025-61882, 2025) — which enabled unauthenticated remote code execution against hundreds of organizations — demonstrated how a single unpatched vulnerability in a widely deployed product can cascade into hundreds of simultaneous breaches.

The Speed of Initial Access

When an attacker purchases access from an IAB, the early stages of the kill chain — reconnaissance, weaponization, delivery — are effectively pre-completed. The ransomware affiliate starts at the "inside your network" stage. This is why modern attacks move so fast.

Stage 2: Establishing Persistence — Making Sure They Stay

Once inside, attackers immediately establish persistence to survive reboots, password changes, and basic remediation attempts. The most common techniques include deploying legitimate remote monitoring and management (RMM) tools like AnyDesk, SimpleHelp, and MeshAgent — tools that blend seamlessly with IT infrastructure. Registry key modifications, scheduled tasks, and startup folder scripts provide additional persistence vectors.

RMM tool abuse has become particularly prevalent because these tools are expected in enterprise environments. A legitimate AnyDesk installation looks identical to an attacker-deployed one, so without a rigorous, continuously reconciled software inventory there is nothing to distinguish the two.
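One way to put that inventory reconciliation into practice, as an added example that is not part of the original article: the RMM product list beyond the three tools named above, the WS-/SRV- host naming convention, the approved-pairs table and the inventory records are all constructed assumptions standing in for an EDR or asset-management export.

```python
"""Reconcile an endpoint software inventory against an RMM allow-list.

Added example, not from the article: the product list beyond the three tools
named in the text, the host-naming convention and the inventory records are
constructed assumptions. Real input would come from an EDR or asset export.
"""
from collections import namedtuple

Install = namedtuple("Install", "host product path")

# RMM products to watch: the three the article names plus two common ones (assumption).
RMM_PRODUCTS = {"anydesk", "simplehelp", "meshagent", "teamviewer", "screenconnect"}

# Approved (host group, product) pairs: helpdesk workstations may run AnyDesk; nothing else.
APPROVED = {("workstation", "anydesk")}

# Path fragments an IT-deployed agent would not normally live under (constructed heuristic).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def host_group(host):
    """Constructed naming convention: WS-* are workstations, everything else is a server."""
    return "workstation" if host.upper().startswith("WS-") else "server"

def audit_inventory(installs):
    """Return (host, product, reason) findings; non-RMM software is ignored."""
    findings = []
    for inst in installs:
        product = inst.product.lower()
        if product not in RMM_PRODUCTS:
            continue
        if (host_group(inst.host), product) not in APPROVED:
            findings.append((inst.host, product, "rmm-not-approved-for-host-group"))
        if any(marker in inst.path.lower() for marker in USER_WRITABLE):
            findings.append((inst.host, product, "rmm-in-user-writable-path"))
    return findings

# Constructed sample inventory: one legitimate helpdesk install, two that should alert.
SAMPLE_INVENTORY = [
    Install("WS-0142", "AnyDesk", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
    Install("SRV-BACKUP01", "AnyDesk", r"C:\Users\svc_backup\AppData\Roaming\AnyDesk\AnyDesk.exe"),
    Install("WS-0207", "MeshAgent", r"C:\Program Files\Mesh Agent\MeshAgent.exe"),
    Install("WS-0207", "7-Zip", r"C:\Program Files\7-Zip\7z.exe"),
]

if __name__ == "__main__":
    for host, product, reason in audit_inventory(SAMPLE_INVENTORY):
        print(f"ALERT {host}: {product} ({reason})")
```

The backup server install trips both checks (unexpected host group and a per-user install path), which is the combination worth paging on.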

Stage 3: Reconnaissance and Privilege Escalation

Attackers map the network, identify domain controllers, locate backup infrastructure, and enumerate high-value data stores. Tools like SharpHound (for Active Directory mapping), ADFind, and standard Windows network discovery utilities provide comprehensive visibility into the target environment. This stage also involves credential theft using tools like Mimikatz, Rubeus (for Kerberoasting and AS-REP Roasting attacks), and LSASS memory dumps.

The goal is domain administrator access. Once achieved, the attacker effectively owns the network. Huntress reported that ransomware operators took an average of 18 distinct actions between initial access and final payload execution — reconnaissance and privilege escalation account for the majority of those steps.

Bring Your Own Vulnerable Driver (BYOVD) attacks have become standard practice at this stage. Attackers deploy signed but vulnerable kernel drivers to the target system, then exploit them to disable endpoint detection and response (EDR) tools, antivirus software, and other security controls. This technique has been adopted widely across the ransomware ecosystem over the past two years.

Stage 4: Lateral Movement — Spreading Through the Network

With elevated privileges and disabled security tools, attackers move laterally through the network using Remote Desktop Protocol (RDP), Server Message Block (SMB), Windows Management Instrumentation (WMI), PsExec, and PowerShell remoting. The objective is to compromise as many systems as possible — particularly domain controllers, backup servers, and file servers — before deploying the ransomware payload.

A 2022 VMware Global Incident Response Threat Report found that lateral movement appeared in 25% of all security incidents tracked — a figure that has only grown as ransomware's prevalence has increased. In ransomware attacks specifically, lateral movement is nearly universal. Without effective network segmentation, a single compromised workstation can cascade into full domain compromise within hours.

Stage 5: Data Exfiltration — Stealing Before Encrypting

Double extortion is now the dominant ransomware model. Huntress found that 71% of ransomware incidents in their 2024 dataset involved data exfiltration before encryption — a figure that has continued to climb, with Coveware's Q3 2025 data showing exfiltration in 76% of tracked cases. Attackers identify and steal sensitive data — customer records, financial information, intellectual property, employee data — and upload it to attacker-controlled infrastructure. This data becomes the second lever of extortion: even if the victim restores from backups and declines to pay for a decryption key, the threat of public data exposure remains.

Exfiltration typically uses cloud storage services, custom exfiltration tools (Cl0p uses a proprietary tool called Teleport), or simply standard archive utilities to compress and upload data over HTTPS. Average exfiltration volumes now exceed 500 GB per breach, and some groups specifically target backup systems to ensure the victim has no clean recovery path.

Stage 6: Encryption and Ransom Delivery

The final stage is the one victims see: files become inaccessible, ransom notes appear, and the clock starts ticking. Modern ransomware payloads use hybrid encryption schemes — typically combining RSA for key exchange with AES or ChaCha20 for file encryption — that make decryption without the attacker's private key computationally infeasible. Some variants, like the Chaos strain identified in September 2025 by Fortinet FortiGuard Labs, use a polymorphic engine that generates slightly different code on each compilation, defeating signature-based antivirus.

Ransomware operators also specifically target backup infrastructure during encryption. Shadow copies are deleted, backup agents are killed, and backup servers that weren't segmented from the production network get encrypted alongside everything else. The message is clear: your only recovery option is to pay.

Median ransom demands in 2025 ran approximately $1.32 million (Sophos), though the actual amounts paid fell significantly after negotiation — Sophos reported a median payment of $1 million, while Coveware's Q3 2025 data put the median payment at around $140,000, reflecting how aggressively victims and insurers are negotiating as well as a shift toward higher-volume, lower-demand attacks on mid-market targets. Recovery timelines vary significantly by organization: Sophos's 2025 survey found that 53% of organizations recovered fully within a week, while 18% took more than a month. The financial impact extends far beyond the ransom itself — incident response, legal fees, regulatory penalties, and business interruption costs often dwarf the ransom demand, with Sophos reporting average recovery costs (excluding ransom) of $1.53 million in 2025.

Breaking the Chain: Where Defenders Win

The kill chain model's greatest value is showing defenders where they can break the attack sequence. Every stage is an opportunity:

  1. Block initial access: Phishing-resistant MFA (FIDO2/hardware keys), aggressive patch management for public-facing systems, and email security that catches credential harvesting. This is where the highest ROI defensive investment lives.
  2. Detect persistence: Maintain a rigorous software inventory. Any RMM tool installation that doesn't match your approved list should trigger an immediate alert. Monitor for new scheduled tasks, registry modifications, and startup entries.
  3. Limit privilege escalation: Implement tiered admin accounts, enforce least-privilege access, and restrict LSASS access. Deploy Credential Guard where possible. If attackers can't get domain admin, the kill chain stalls.
  4. Contain lateral movement: Network segmentation is the single most effective control against ransomware propagation. Segment workstations from servers, production from backup infrastructure, and IT from OT. Restrict RDP, disable unnecessary SMB shares, and limit WMI/PowerShell remoting to authorized administrative systems.
  5. Detect exfiltration: Monitor for unusual outbound data volumes, connections to cloud storage services from servers that don't normally access them, and large archive file creation. Data Loss Prevention (DLP) tools and network traffic analysis provide visibility here.
  6. Survive encryption: Air-gapped, tested, immutable backups. This is the last line of defense and the one that determines whether a ransomware attack is a disaster or a bad week. Test restoration regularly. Ensure backup infrastructure is segmented from production networks.
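The two exfiltration checks from item 5 (a server contacting a cloud-storage site it has never used, and daily outbound volume far above the host's norm), as an added example that is not part of the original article: the per-host baselines, the flow summary lines and the cloud-storage domain list are constructed placeholders, standing in for NetFlow or firewall logs and a curated destination-category feed.

```python
"""Flag exfiltration indicators in one day of outbound flow summaries.
Added example, not from the article: baselines, flow lines and the cloud-storage
domain list are constructed placeholders (real input: NetFlow/firewall logs).
"""
import re
from collections import defaultdict

CLOUD_STORAGE_DOMAINS = {"cloudstore.example", "filedrop.example"}  # placeholder category

# Constructed 30-day baseline: typical daily outbound bytes per host and the
# destinations each host is already known to use.
BASELINE_BYTES = {"SRV-FILE02": 2_000_000_000, "WS-0142": 900_000_000}
BASELINE_DESTS = {
    "SRV-FILE02": {"backup.corp.example"},
    "WS-0142": {"cloudstore.example", "mail.corp.example"},  # workstation; cloud use is routine
}

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) bytes_out=(\d+)")

def parse_flows(lines):
    """Sum outbound bytes per (src, dst) pair from key=value flow summaries."""
    totals = defaultdict(int)
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            totals[(m.group(1), m.group(2))] += int(m.group(3))
    return totals

def detect_exfil(lines, volume_multiplier=10):
    """Return sorted (host, dst, reason) findings for the two checks."""
    per_host, findings = defaultdict(int), set()
    for (src, dst), nbytes in parse_flows(lines).items():
        per_host[src] += nbytes
        # Check 1: a host reaching a cloud-storage site it has never used before.
        if dst in CLOUD_STORAGE_DOMAINS and dst not in BASELINE_DESTS.get(src, set()):
            findings.add((src, dst, "new-cloud-storage-destination"))
    for src, nbytes in per_host.items():
        # Check 2: daily outbound volume far above the host's baseline.
        base = BASELINE_BYTES.get(src)
        if base is not None and nbytes > base * volume_multiplier:
            findings.add((src, "*", "outbound-volume-above-baseline"))
    return sorted(findings)

# Constructed sample day: a file server pushing roughly 600 GB to a storage site overnight.
SAMPLE_FLOWS = [
    "2025-11-03T01:10:00Z src=SRV-FILE02 dst=backup.corp.example bytes_out=1500000000",
    "2025-11-03T02:14:07Z src=SRV-FILE02 dst=cloudstore.example bytes_out=322122547200",
    "2025-11-03T03:41:19Z src=SRV-FILE02 dst=cloudstore.example bytes_out=322122547200",
    "2025-11-03T09:00:00Z src=WS-0142 dst=cloudstore.example bytes_out=450000000",
]
```

Running detect_exfil(SAMPLE_FLOWS) yields two findings, both against SRV-FILE02; the workstation's routine cloud traffic stays quiet because it is in that host's baseline.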

Key Takeaways

  1. Speed is the attacker's advantage: Average time-to-ransom rose to 20 hours in 2025, as groups favored longer dwell times for stealth and data theft. The fastest groups — including Akira, Qilin, and RansomHub, three of the four groups Huntress identified as accounting for over half of all 2025 ransomware incidents — still deploy in around six hours. If your detection and response capability operates on a 24-hour cycle, you're already too slow.
  2. IABs compress the kill chain: When attackers buy pre-compromised access, they skip the first several stages entirely. Your perimeter defense is being bypassed before the ransomware operator even logs in. Focus on detecting post-compromise activity, not just preventing initial access.
  3. Data exfiltration is now standard: Huntress's 2024 dataset shows 71% of attacks involved stealing data before encryption; Coveware's Q3 2025 tracking puts that figure at 76%. Even perfect backups don't protect against the extortion threat of public data exposure. Data Loss Prevention and network monitoring are critical.
  4. Network segmentation is the most impactful control: Without segmentation, one compromised workstation leads to full domain encryption. With proper segmentation, attackers hit walls that slow them down and create detection opportunities.
  5. Backups are the last line, not the first: Air-gapped, immutable, regularly tested backups determine whether your organization survives a ransomware attack. But they don't prevent the breach, the data theft, or the operational disruption. Defense in depth across the entire kill chain is the only comprehensive strategy.

The modern ransomware kill chain is a masterclass in operational efficiency. Attackers have industrialized every stage, from initial access brokering to automated encryption deployment. Defenders who understand this chain — and invest in breaking it at multiple points — dramatically reduce their risk. Those who focus on a single control (backups alone, perimeter defense alone, or endpoint detection alone) are building a wall with only one brick. The attackers will find the gaps. They always do.
