The Ransomware Kill Chain: And Where Most Security Stacks Fail

Take a look at this Techie Tuesday's blog post detailing the ransomware kill chain.


Encryption Doesn’t Start When the Attack Begins.

It Starts When the Attacker Is Ready.

Most ransomware incidents don’t begin with encryption.

They begin days, weeks, or sometimes months earlier — when an attacker quietly gains access to a network and starts preparing the environment for a coordinated attack.

By the time files begin encrypting, the attacker has typically already:

  • Established persistence
  • Escalated privileges
  • Mapped the network
  • Identified critical systems
  • Disabled or bypassed security controls
  • Located backup infrastructure

In other words, the outcome of the attack was decided long before encryption began.

This is why many organisations are shocked when ransomware succeeds despite significant investment in security tools such as EDR, identity protection, and security monitoring platforms.

The issue is rarely a lack of security tooling.

Instead, the problem is that most security architectures were designed to detect general threats, not to interrupt the specific operational workflow of ransomware attacks.

Understanding the ransomware kill chain explains why.


Understanding the Ransomware Kill Chain

Modern ransomware operations follow a structured and predictable attack model. Each stage prepares the environment for the next, allowing attackers to move from initial access to full encryption in a controlled sequence.

Stage 1: Initial Access

Every ransomware attack begins with a foothold.

Common entry points include:

  • Phishing campaigns
  • Compromised credentials
  • Exploited vulnerabilities
  • Remote access exposure (VPN or RDP)
  • Supply chain compromises

Most organisations deploy multiple controls to reduce this risk, including email security, MFA, and vulnerability management.

However, the attack surface can never be reduced to zero, so attackers eventually find an entry point.


Stage 2: Persistence

Once inside, attackers establish mechanisms to maintain access.

Typical techniques include:

  • Scheduled tasks
  • Registry modifications
  • Backdoor services
  • Command and control channels
  • Remote management tools

Persistence ensures attackers can survive reboots or remediation attempts while continuing to expand their foothold within the environment.


Stage 3: Privilege Escalation

Next, attackers attempt to gain higher privileges, often targeting domain administrator access.

Common techniques include:

  • Credential dumping
  • Pass-the-hash or pass-the-ticket attacks
  • Token impersonation
  • Exploiting privilege escalation vulnerabilities

Once administrative privileges are obtained, attackers effectively control the environment.

At this stage, stopping the attack becomes significantly more difficult.


Stage 4: Lateral Movement

With elevated privileges, attackers begin moving across the network.

Their goal is to locate:

  • Critical servers
  • File storage systems
  • Domain controllers
  • Backup infrastructure
  • High-value data

Lateral movement often relies on legitimate administrative tools such as:

  • PowerShell
  • Windows Management Instrumentation (WMI)
  • PsExec
  • Remote Desktop Protocol (RDP)

Because these tools are commonly used for legitimate administration, malicious activity can blend into normal operational behaviour.


Stage 5: Defence Evasion

Before deploying ransomware, attackers frequently disable or weaken security controls.

This may include:

  • Attempting to disable EDR agents
  • Killing security processes
  • Removing monitoring services
  • Deleting shadow copies
  • Targeting backup infrastructure

By the time this stage is complete, the attacker has effectively cleared the path for encryption to occur without interference.
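The sequence described in Stages 2, 4 and 5 is itself detectable even when each individual event looks like routine administration. The script below is an added example, not code from the original post: it maps constructed process-creation log lines to the kill-chain stages named above and raises a finding only when several distinct stages are seen on the same host inside a time window. The log format, host names, user names and the `ExampleEdrSvc` service name are placeholders; substitute your own telemetry source and agent service name.

```python
"""Kill-chain stage correlation over process-creation events.

Added example, not code from the original post.  The log format, host
names, user names and the EDR service name are constructed placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder for the service name of your endpoint agent; substitute the real one.
SECURITY_SERVICES = ("ExampleEdrSvc",)

# Each rule maps a command-line pattern to one stage of the kill chain in the post.
# A single hit is weak evidence on its own; the correlation below is the signal.
STAGE_RULES = [
    ("persistence", re.compile(r"schtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("persistence", re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
    ("lateral_movement", re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I)),
    ("lateral_movement", re.compile(r"\bwmic(\.exe)?\b.*\s/node:", re.I)),
    ("defence_evasion", re.compile(r"vssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("defence_evasion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("defence_evasion", re.compile(
        r"\b(net|sc)(\.exe)?\s+stop\s+(" + "|".join(map(re.escape, SECURITY_SERVICES)) + r")\b",
        re.I)),
]

# Constructed sample log, one event per line: "timestamp | host | user | command line".
SAMPLE_LOG = r"""
2025-03-03T08:12:04 | FS01 | CORP\svc_backup | C:\Windows\System32\schtasks.exe /create /tn "Updater" /tr C:\ProgramData\svc.exe /sc onstart
2025-03-03T08:40:19 | FS01 | CORP\jdoe | C:\Windows\System32\notepad.exe C:\Temp\notes.txt
2025-03-04T22:03:51 | FS01 | CORP\admin | psexec.exe \\DC01 -s cmd.exe
2025-03-05T01:15:02 | FS01 | CORP\admin | vssadmin.exe delete shadows /all /quiet
2025-03-05T01:15:30 | FS01 | CORP\admin | net stop ExampleEdrSvc
2025-03-05T09:00:00 | WS22 | CORP\asmith | schtasks.exe /create /tn "Backup" /tr C:\Tools\backup.ps1 /sc daily
"""


def classify(cmdline: str) -> set:
    """Return the set of kill-chain stages a single command line matches."""
    return {stage for stage, rx in STAGE_RULES if rx.search(cmdline)}


def parse_log(text: str) -> list:
    """Parse the constructed log format into (timestamp, host, user, cmdline) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = (field.strip() for field in line.split(" | ", 3))
        events.append((datetime.fromisoformat(ts), host, user, cmd))
    return events


def correlate(events: list, window: timedelta = timedelta(days=7), min_stages: int = 2) -> list:
    """Report hosts on which at least `min_stages` distinct stages occurred inside `window`.

    Dwell time before encryption is days to weeks, so the window is deliberately long.
    """
    hits = defaultdict(list)
    for ts, host, user, cmd in events:
        for stage in classify(cmd):
            hits[host].append((ts, stage, user, cmd))
    findings = []
    for host, items in hits.items():
        items.sort()
        for start, _, _, _ in items:                       # slide the window over this host's hits
            in_win = [h for h in items if start <= h[0] <= start + window]
            stages = {h[1] for h in in_win}
            if len(stages) >= min_stages:
                findings.append({
                    "host": host,
                    "stages": sorted(stages),
                    "first_seen": in_win[0][0],
                    "last_seen": in_win[-1][0],
                    "evidence": [h[3] for h in in_win],
                })
                break                                      # one finding per host is enough
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, FS01 is reported with persistence, lateral movement and defence evasion observed over two days, while WS22's lone scheduled-task creation is not escalated. That is the design point: the per-host chain, not any single command, is what separates an attacker preparing the environment from an administrator doing their job.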


Stage 6: Encryption and Extortion

Only after the environment has been prepared do attackers deploy the ransomware payload.

This stage typically involves:

  • Simultaneous encryption across endpoints and servers
  • Data exfiltration to support double extortion
  • Deployment of ransom notes
  • Threats of public data release

Encryption often occurs extremely quickly — sometimes across thousands of systems in minutes.

By this point, the damage is already done.


Where Most Security Stacks Break Down

Most organisations today operate a mature security stack including:

  • Endpoint Detection and Response (EDR)
  • Email security platforms
  • Identity protection
  • Backup and recovery systems
  • SIEM and SOC monitoring

Despite these investments, ransomware continues to succeed at alarming rates.

Research across the industry shows that the majority of organisations have experienced ransomware incidents that bypassed existing security tools.

This doesn’t necessarily mean those tools failed. In many cases, they detected suspicious behaviour somewhere within the attack chain.

The challenge is that detection does not always equal prevention.


The EDR Blind Spot

EDR platforms provide valuable visibility and detection capabilities. However, ransomware operators increasingly design their attacks specifically to evade them.

Modern campaigns frequently rely on:

  • Living-off-the-land techniques
  • Legitimate administrative tools
  • Compromised credentials
  • Vulnerable drivers used to disable security software

These techniques often appear indistinguishable from legitimate activity, meaning EDR tools may generate limited alerts until the attack is already well underway.

By the time security teams identify the threat, attackers may already have:

  • Established persistence
  • Moved laterally across the network
  • Accessed sensitive data
  • Prepared encryption payloads

At that stage, stopping the attack becomes extremely difficult.


Ransomware Moves Faster Than Traditional Response

One of the defining characteristics of modern ransomware is speed.

Once attackers launch encryption, thousands of systems can be affected within minutes.

Even well-staffed security operations centres cannot realistically:

  1. Investigate alerts
  2. Confirm malicious activity
  3. Coordinate response
  4. Contain the attack

…all within that timeframe.

This is why ransomware incidents often occur despite alerts being generated somewhere within the security stack.

Detection alone is rarely fast enough.


Why Ransomware Requires a Dedicated Defence Layer

Because ransomware follows a predictable operational workflow, defending against it effectively requires controls designed specifically to interrupt that workflow before encryption begins.

This is where purpose-built ransomware defence platforms such as Halcyon are introducing a new approach.

Rather than focusing on general threat detection, these platforms are designed to stop ransomware itself.

Capabilities typically include:

  • Behavioural detection specific to ransomware techniques
  • Blocking encryption processes before they execute
  • Preventing attempts to disable security tools
  • Capturing encryption key material during an attack
  • Enabling rapid recovery of encrypted files

The goal is not simply to detect ransomware activity, but to prevent the encryption phase from ever completing.
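Because encryption completes faster than a SOC can triage (see "Ransomware Moves Faster Than Traditional Response" above), the behavioural control has to decide and act on its own. The monitor below is an added example, not code from the original post or from any vendor product: it watches per-process file writes, treats high-entropy content or a stacked extension such as `report.docx.locked` as encryption-like, and returns an isolate verdict once one process has touched ten distinct files that way within five seconds. The thresholds, process ids, paths and sample content are constructed assumptions.

```python
"""Encryption-behaviour monitor for file writes.

Added example, not code from the original post or from any vendor product.
Thresholds, process ids, paths and sample content are constructed assumptions.
"""
import hashlib
import math
from collections import defaultdict, deque

# Document extensions worth protecting; adjust for your estate.
DOC_EXTS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg", "png"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext and compressed data sit close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def has_stacked_extension(path: str) -> bool:
    """True for names like report.docx.locked: a document extension with a new one appended."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTS


class EncryptionBehaviourMonitor:
    """Per-process sliding window over suspicious file writes.

    A write is suspicious if its content is high-entropy or the target name has a
    stacked extension.  Once one process has touched `min_files` distinct files that
    way inside `window_seconds`, the monitor returns an isolate verdict so an
    automated control can act without waiting for human triage.
    """

    def __init__(self, window_seconds=5.0, min_files=10, entropy_threshold=7.0):
        self.window = window_seconds
        self.min_files = min_files
        self.entropy_threshold = entropy_threshold
        self._writes = defaultdict(deque)   # pid -> deque of (timestamp, path)
        self.blocked = set()

    def observe(self, ts: float, pid: int, path: str, data: bytes):
        """Record one write; return a verdict dict when action is needed, else None."""
        if pid in self.blocked:
            return {"pid": pid, "action": "already_blocked", "path": path}
        suspicious = (shannon_entropy(data) >= self.entropy_threshold
                      or has_stacked_extension(path))
        if not suspicious:
            return None
        q = self._writes[pid]
        q.append((ts, path))
        while q and q[0][0] < ts - self.window:     # drop writes older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.min_files:
            self.blocked.add(pid)
            return {"pid": pid, "action": "isolate", "files_in_window": len(distinct),
                    "window_seconds": self.window}
        return None


# Constructed sample content: plain text, and a deterministic high-entropy blob standing in for ciphertext.
BENIGN_TEXT = b"Quarterly report: revenue grew 4% year on year; costs were flat.\n" * 50
ENCRYPTED_LIKE = b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(128))


def run_simulation() -> list:
    """Replay a benign editor and a constructed mass-encryption burst; return the verdicts raised."""
    mon = EncryptionBehaviourMonitor()
    verdicts = []
    for t in (0.0, 30.0):                            # pid 1001: a word processor saving one document
        verdicts.append(mon.observe(t, 1001, r"C:\Docs\report.docx", BENIGN_TEXT))
    for i in range(12):                              # pid 4242: 12 documents rewritten in under 3 seconds
        verdicts.append(mon.observe(100.0 + i * 0.25, 4242,
                                    rf"C:\Shares\Finance\q{i}.xlsx.locked", ENCRYPTED_LIKE))
    return [v for v in verdicts if v]


if __name__ == "__main__":
    for verdict in run_simulation():
        print(verdict)
```

In the simulation the editor's low-entropy saves are never counted, and the bursting process is isolated on its tenth file, about 2.5 seconds into the burst, with later writes refused. Two design choices matter in practice: the decision is per process rather than per file, so legitimate archiving tools that write one compressed file are not tripped, and the window is short enough that the verdict arrives while most of the share is still intact.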


Building a Ransomware-Resilient Security Strategy

Effective ransomware defence requires a layered model that combines:

Prevention

  • Identity security
  • Attack surface reduction
  • Vulnerability management

Detection

  • EDR/XDR platforms
  • Security monitoring
  • Threat intelligence

Ransomware-specific protection

  • Encryption prevention
  • Behavioural disruption
  • Rapid recovery capability

Security leaders increasingly recognise that ransomware is no longer just another malware category.

It has evolved into a structured, human-operated attack model — and defending against it requires controls designed specifically to interrupt that model.


Final Thoughts

Most organisations already have security tools.

They have EDR.

They have backups.

They have monitoring.

Yet ransomware continues to cause operational shutdowns, regulatory exposure, and multi-million-pound recovery costs.

The real question is no longer:

“Do we have security tools?”

It is:

“Do we have controls specifically designed to stop ransomware?”

Understanding the ransomware kill chain is the first step.

Ensuring your security architecture can interrupt it is the next.


Interested in Learning More?

Ransomware continues to evolve faster than many traditional security controls were designed to handle. As attackers refine their techniques, organisations are increasingly reviewing whether their existing security architecture can effectively prevent encryption and minimise operational impact.

If this topic is relevant to your organisation, or you'd like to learn more about emerging approaches to ransomware defence, feel free to get in touch with the Cyber Vigilance team for a conversation.

©2025 Cyber Vigilance


+44 (0) 1483 948090

info@cybervigilance.uk

Naggs Stable, Old Portsmouth Road, Guildford, Surrey, England, GU3 1LP