What Is Ransomware? Definition, Attack Chain, And Recovery



Ransomware is a type of malware that encrypts files on a target system and demands a ransom, typically in cryptocurrency, in exchange for a decryption key. Modern variants add data exfiltration and public-leak threats, creating double-extortion pressure even for organizations with working backups.
"In the first quarter of 2026, we received ransomware cases that are not commodity malware: they are hands-on-keyboard operators who already have domain admin before the payload runs," says Amr Fathy, senior Digital Forensics and Incident Response (DFIR) engineer with experience across incident response and kernel-level malware analysis.
Understanding the full attack chain is the prerequisite to any effective ransomware recovery strategy.
The core components of a ransomware attack
A modern ransomware attack is a multi-stage operation, not a single malicious payload. For MSPs (Managed Service Providers) responding to an active incident, recognizing which phase is in progress determines every containment decision from that point forward.
Initial access
Attackers rarely compromise environments through novel zero-days. Most intrusions begin with credentials or remote access that were already available to buy on forums or leak-sites.
The most common initial access vectors are:
- Exposed RDP (Remote Desktop Protocol) endpoints
- Unpatched VPN (Virtual Private Network) appliances with known CVEs (Common Vulnerabilities and Exposures)
- Phishing emails
- Credentials purchased from Initial Access Brokers (IAB)
Phishing lures have evolved toward ClickFix and OAuth consent attacks that bypass traditional link-scanning tools. IAB listings range from a few hundred dollars for small targets to over $50,000 for Fortune 500 access with domain admin privileges, according to Rapid7's 2025 Access Brokers Report. CISA's #StopRansomware advisory portfolio tracks active variants and the specific initial access vectors used by each affiliate.
For a detailed breakdown of how these entry points get exploited inside a client network, see how ransomware spreads on a company network.
Lateral movement and privilege escalation
Once inside, operators abuse legitimate Windows tooling to move laterally without triggering endpoint alerts. This approach, called Living off the Land (the signed system binaries it relies on are known as LOLBins), is why EDR (Endpoint Detection and Response) alone cannot stop modern ransomware.
Common techniques include:
- WMI (Windows Management Instrumentation) and PowerShell for remote command execution
- Credential harvesting from LSASS (Local Security Authority Subsystem Service) memory
- Kerberoasting for service account credentials
- Group Policy Object abuse for persistence
Every one of these techniques looks identical to normal sysadmin activity in isolation. Detection depends on correlation: which account, which time, which source host, and which child processes spawned.
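The correlation described above, as an added example that is not part of the original article: each process-creation or LSASS-access event contributes one or more signals (a remote-execution parent/child pair, an off-hours timestamp, a workstation as the source host, a handle opened to LSASS), and an alert fires only when several distinct signals line up for the same account on the same host inside a short window. The telemetry below is constructed, the field names are assumptions rather than any vendor's schema, and the business-hours range, the `WS-` naming convention and the three-signal threshold are illustrative choices.

```python
"""Correlate Living-off-the-Land signals per (account, host) within a time window.

Added example, not from the original article. Event fields are a simplified,
assumed rendering of Windows process-creation and LSASS-access telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Parent -> child pairs that are legitimate on their own but, combined with
# other signals, are characteristic of remote LOLBin execution.
SUSPICIOUS_PARENTS = {
    "wmiprvse.exe": {"powershell.exe", "cmd.exe", "rundll32.exe"},  # WMI remote execution
    "wsmprovhost.exe": {"powershell.exe", "cmd.exe"},               # WinRM / PowerShell remoting
    "services.exe": {"cmd.exe", "powershell.exe"},                  # service-based execution
}
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 local time; assumption for this example
WINDOW = timedelta(minutes=30)      # how far back to look when combining signals
ALERT_THRESHOLD = 3                 # distinct signals needed before alerting

# Constructed sample telemetry (not real logs); "ts" is ISO-8601 local time.
SAMPLE_EVENTS = [
    {"ts": "2026-02-14T02:11:05", "host": "FS01", "user": "CORP\\svc_backup", "type": "process",
     "parent": "wmiprvse.exe", "image": "powershell.exe", "src_host": "WS-117"},
    {"ts": "2026-02-14T02:12:40", "host": "FS01", "user": "CORP\\svc_backup", "type": "lsass_access",
     "image": "rundll32.exe", "granted_access": "0x1010"},
    {"ts": "2026-02-14T02:13:02", "host": "FS01", "user": "CORP\\svc_backup", "type": "process",
     "parent": "wmiprvse.exe", "image": "cmd.exe", "src_host": "WS-117"},
    # A daytime admin running the same WMI call from the management host: one signal only.
    {"ts": "2026-02-14T10:05:00", "host": "FS01", "user": "CORP\\jsmith", "type": "process",
     "parent": "wmiprvse.exe", "image": "powershell.exe", "src_host": "MGMT01"},
]


def signals_for(event):
    """Return the set of signal names a single event contributes."""
    sig = set()
    ts = datetime.fromisoformat(event["ts"])
    if event["type"] == "process":
        if event["image"] in SUSPICIOUS_PARENTS.get(event["parent"], ()):
            sig.add("lolbin_remote_exec")
            # Assumption: workstations are named WS-*, so remote execution
            # originating there (rather than from an admin host) is a signal.
            if event.get("src_host", "").startswith("WS-"):
                sig.add("source_is_workstation")
    elif event["type"] == "lsass_access":
        sig.add("lsass_access")
    if sig and ts.hour not in BUSINESS_HOURS:
        sig.add("off_hours")
    return sig


def correlate(events, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Group signals by (user, host) and alert when, looking back `window`
    from any event, at least `threshold` distinct signals have accumulated.

    Returns {(user, host): set_of_signals} for every group that alerts.
    """
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sig = signals_for(ev)
        if sig:
            by_key[(ev["user"], ev["host"])].append((datetime.fromisoformat(ev["ts"]), sig))
    alerts = {}
    for key, items in by_key.items():
        for ts, _ in items:
            combined = set()
            for other_ts, other_sig in items:
                if ts - window <= other_ts <= ts:
                    combined |= other_sig
            if len(combined) >= threshold:
                alerts[key] = combined
    return alerts


if __name__ == "__main__":
    for (user, host), sig in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {user} on {host}: {sorted(sig)}")
```

Run as a script it alerts on `CORP\svc_backup` on `FS01` (four signals within three minutes) and stays silent for the daytime admin, whose identical WMI call carries a single signal. The point is the grouping key and the window, not the individual rules: any one of these events, taken alone, is indistinguishable from normal administration.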
Data exfiltration before encryption
Most ransomware operators exfiltrate data before they encrypt anything. This is the double extortion model, which has made backup-only recovery obsolete as a standalone strategy.
Operators typically stage exfiltrated data in attacker-controlled cloud storage using tools such as Rclone or MEGAsync. By the time encryption begins, the sensitive data is already gone, and the leak-site countdown has started.
Encryption and ransom demand
The final stage detonates an encryption payload across servers, endpoints, and network shares. Modern ransomware uses hybrid encryption: symmetric AES-256 for file contents, and asymmetric RSA or ECC to protect the AES keys. The attacker retains the private key required for decryption.
A ransom note is dropped into affected directories and set as the desktop wallpaper. It contains payment instructions, a victim-specific Tor address for negotiation, and a deadline after which the stolen data will be published or the ransom amount will double.
For the technical mechanics of how files get encrypted and the four recovery paths available after an attack, see ransomware encryption methods.
Human-operated vs. automated ransomware: what makes 2026 attacks different
Not all ransomware is equal. The distinction between automated, commodity ransomware and human-operated ransomware is the single most important variable in predicting attack severity, dwell time, and recovery complexity.
Automated, or commodity, ransomware is spray-and-pray: a malicious executable delivered through phishing that detonates on a single endpoint and encrypts what it can reach.
Human-operated ransomware works differently. An adversary is actively navigating the network, adapting to the environment, and selecting targets for maximum leverage before detonation.
"Attackers load a signed but vulnerable driver into kernel mode, exploit it to terminate EDR processes, and encryption begins within seconds," says Fathy. This technique, known as Bring Your Own Vulnerable Driver (BYOVD), is why modern ransomware feels faster and more catastrophic than attacks from five years ago.
Characteristics that define a human-operated ransomware attack:
- Active reconnaissance of file shares, Active Directory schema, and backup infrastructure
- Privilege escalation to domain admin before any payload is deployed
- Manual disabling of security tooling through BYOVD, EDR tampering, or GPO manipulation
- Data exfiltration to attacker-controlled infrastructure before encryption starts
- Coordinated detonation across the environment during off-hours to maximize impact
The operational gap between the two models is best understood side by side:
| Dimension | Automated ransomware | Human-operated ransomware |
|---|---|---|
| Dwell time before detonation | Minutes to hours | 7 to 21 days |
| Scope of encryption | Single endpoint | Entire domain and network shares |
| Backup targeting | None or opportunistic | Deliberate, pre-attack reconnaissance |
| Data exfiltration | Rare | Standard (double extortion) |
| Detection window | Narrow, tied to detonation | Wide, but obscured by LOLBins |
| Typical recovery path | Restore the single host | Full environment rebuild plus forensics |
| Cyber insurance impact | Minor claim | Major claim with regulatory reporting |
Variants currently using the human-operated model include DragonForce, Akira, BlackBasta, and RansomHub. For a deep dive on one active affiliate program using this playbook, see DragonForce ransomware.
For an overview of how ransomware compares to other malware categories and where crypto, locker, and wiper variants fit, see types of ransomware.
Why ransomware matters for MSPs and their clients in 2026
Ransomware stopped being a commodity threat category years ago. For MSPs and their clients in 2026, the question is whether the security stack will detect and contain it before encryption begins.
According to Mandiant's M-Trends 2026 report, the average dwell time for a human-operated ransomware intrusion was 14 days in 2025, up from 11 days in 2024. That window is enough for operators to disable backups, exfiltrate sensitive data, and compromise identity infrastructure before a single file is encrypted.
The average ransomware-related breach cost is $5.08 million globally, according to the IBM Cost of a Data Breach Report 2025. Factoring in forensic investigation, breach notification, and regulatory exposure, the average cost of a ransomware incident for US organizations is $10.22 million. Frameworks like HIPAA, GDPR, and SEC cybersecurity disclosure rules add further regulatory pressure on top of direct recovery costs.
For MSPs, this shifts the service conversation from reactive cleanup to proactive prevention. Clients with cyber insurance expect documented controls. Auditors expect evidence that controls are operational. Boards expect a recovery time objective that they can present to regulators.
Common ransomware scenarios MSPs and their clients face
Ransomware does not hit every client the same way. Three scenarios dominate MSP incident response in 2026, and each requires a different initial response.
Active detonation detected mid-attack
An EDR alert fires. Files start encrypting across a file server. The incident is already in progress.
The first 60 minutes determine the recovery cost. Network isolation of affected segments, preservation of volatile memory for forensics, and immediate engagement of an incident response retainer are the actions that matter. Attempting to triage the incident internally without preserving evidence destroys the investigative trail that regulators and insurers will later require.
Post-encryption recovery and forensics
Encryption has completed. The ransom note is on every desktop. Production is down.
The operational priority is forensic imaging of at least one affected server before any recovery attempt begins. Rebuilding from backups without forensic imaging is the single most common reason for post-recovery reinfection. Attackers embed persistence mechanisms in Group Policy Objects, scheduled tasks, and Active Directory ACLs that survive a clean reinstall and re-compromise the environment within 48 hours, according to Fathy.
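The persistence locations named above (Group Policy Objects, scheduled tasks, Active Directory ACLs) live in the domain rather than on any one host, which is why a clean reinstall does not remove them. One way to hunt for them before restoring production, as an added example that is not the article's or Proven Data's own tooling: diff a pre-incident inventory against the current state and classify each addition, flagging in particular an ACE that grants a high-risk right to a principal outside the expected admin groups. The inventories and the domain `corp.local` are constructed, and the record shapes are assumptions; in practice the baseline would come from exported task XML, GPO backups and an AD ACL export.

```python
"""Hunt for domain-level persistence by diffing a baseline inventory against
the post-incident state and classifying what was added.

Added example, not from the original article. Inventories are constructed;
the tuple layouts are assumptions about what a collection script would emit.
"""

# Rights that let a principal take over an object or replicate credentials.
HIGH_RISK_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner",
                    "DS-Replication-Get-Changes-All"}
# Principals expected to hold such rights; anything else is a finding.
TRUSTED_PRINCIPALS = {"CORP\\Domain Admins", "CORP\\Enterprise Admins",
                      "NT AUTHORITY\\SYSTEM"}

# Constructed pre-incident baseline. Tuple layouts:
#   scheduled_tasks: (host, task path)
#   gpo_scripts:     (GPO name, phase, script path)
#   ad_aces:         (object DN, principal, right)
BASELINE = {
    "scheduled_tasks": {("DC01", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag")},
    "gpo_scripts": {("Default Domain Policy", "Startup",
                     "\\\\corp.local\\sysvol\\corp.local\\scripts\\map.bat")},
    "ad_aces": {("CN=AdminSDHolder,CN=System,DC=corp,DC=local",
                 "CORP\\Domain Admins", "GenericAll")},
}

# Constructed post-incident state: one addition in each category.
CURRENT = {
    "scheduled_tasks": {("DC01", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"),
                        ("DC01", "\\Microsoft\\Windows\\Sync\\HealthCheck")},
    "gpo_scripts": {("Default Domain Policy", "Startup",
                     "\\\\corp.local\\sysvol\\corp.local\\scripts\\map.bat"),
                    ("Workstation Baseline", "Startup",
                     "\\\\corp.local\\sysvol\\corp.local\\scripts\\upd.ps1")},
    "ad_aces": {("CN=AdminSDHolder,CN=System,DC=corp,DC=local",
                 "CORP\\Domain Admins", "GenericAll"),
                ("DC=corp,DC=local", "CORP\\svc_backup",
                 "DS-Replication-Get-Changes-All")},
}


def diff_inventory(baseline, current):
    """Return {category: items present now but absent from the baseline}."""
    return {cat: current.get(cat, set()) - baseline.get(cat, set()) for cat in current}


def risk_findings(baseline, current):
    """Classify every addition; returns a sorted list of (kind, where, what)."""
    added = diff_inventory(baseline, current)
    findings = []
    for host, task in sorted(added.get("scheduled_tasks", ())):
        findings.append(("scheduled_task_added", host, task))
    for gpo, phase, script in sorted(added.get("gpo_scripts", ())):
        findings.append(("gpo_script_added", gpo, f"{phase}:{script}"))
    for obj, principal, right in sorted(added.get("ad_aces", ())):
        if right in HIGH_RISK_RIGHTS and principal not in TRUSTED_PRINCIPALS:
            findings.append(("high_risk_ace_added", obj, f"{principal}:{right}"))
        else:
            findings.append(("ace_added", obj, f"{principal}:{right}"))
    return findings


if __name__ == "__main__":
    for kind, where, what in risk_findings(BASELINE, CURRENT):
        print(f"{kind:22} {where}  ->  {what}")
```

A set difference only catches additions; an operator who edits a script a GPO already runs leaves the inventory unchanged, so a real collection should also record a content hash per script and per task definition and diff those. The ACE rule is the one to keep even if everything else is simplified: replication rights granted to a service account are exactly what allows an attacker to pull every domain credential again after the hosts have been rebuilt.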
Pre-attack hardening when gaps are discovered
A vulnerability assessment flags exposed RDP, an unpatched VPN appliance, or a dormant privileged account. The client is not compromised yet, but the conditions that precede an attack already exist.
The intervention is straightforward: eliminate the exposure, rotate credentials, enforce MFA (Multi-Factor Authentication) on all remote access paths, and validate that backups are actually isolated from the production domain. NIST's ransomware risk management guidance outlines the baseline controls expected under most US regulatory frameworks. Most ransomware cases our team later investigates trace back to at least one of these gaps being documented in an audit report but never remediated.
How Proven Data helps with ransomware recovery
Proven Data operates a 24/7 ransomware and breach response practice staffed by DFIR engineers with experience across kernel-level malware analysis, cryptographic recovery, and cyber negotiation. Our team has handled ransomware cases spanning every major variant from WannaCry through the 2026 human-operated RaaS ecosystem.
Engagement typically follows three phases:
- Immediate containment with forensic imaging
- Recovery path evaluation
- Post-incident hardening
Recovery evaluation covers decryption options, backup restoration, or cyber negotiation. Post-incident hardening includes full forensic reporting for insurance claims and regulatory requirements.


Written by
Amr Fathy is a dedicated cybersecurity professional with over 7 years of extensive experience in digital forensics, incident response, reverse engineering, and threat intelligence. He currently serves as Senior DFIR Engineer at Proven Data LLC, conducting triage collection, incident response, and digital forensics activities.



