There’s a popular image of ransomware: you open a bad email attachment, your screen suddenly locks up, and a skull demands Bitcoin. That image is about a decade out of date. Modern ransomware is not a single moment of misfortune — it’s a carefully orchestrated, multi-stage intrusion that often unfolds over days or weeks before you ever see a ransom note.
Understanding how it actually works matters, because the encryption everyone fears is one of the last stages, not the first. By the time your files lock, the attackers have usually already been inside your network for some time, quietly stealing your data. And the numbers are sobering: ransomware accounts for 44% of all recorded data breaches according to the 2025 Verizon Data Breach Investigations Report, with more than 140 distinct ransomware brands active during 2025.
Here’s how a modern attack actually unfolds.
Stage 1: Initial Access
Every ransomware attack begins with a way in. In 2026, the dominant entry point is no longer the classic email attachment — it’s stolen credentials. Bitdefender’s analysis found that ransomware groups are increasingly prioritising identity-first compromise, stealing usernames and passwords rather than relying on active exploitation.
The common entry routes are compromised VPN accounts, exposed remote services, unpatched applications, and AI-generated phishing emails that convincingly impersonate trusted senders. Once an attacker has valid credentials, they don’t need to “break in” at all — they simply log in, looking exactly like a legitimate user. This is why the old advice of “don’t click suspicious links” is necessary but no longer sufficient.
Stage 2: Reconnaissance
Once inside, attackers don’t immediately start encrypting. They look around. This reconnaissance stage involves mapping the network, identifying where the valuable data lives, locating backups, and understanding the security tools in place. They want to know what’s worth stealing, where the crown jewels are, and what might stop them.
This stage is where the attack is most detectable — and most often missed. The activity looks like normal network behaviour because the attacker is using legitimate credentials and built-in tools. Organisations with strong visibility into identity, access, and behavioural anomalies can catch attackers here. Most organisations don’t.
Stage 3: Lateral Movement
Having mapped the environment, attackers spread. Lateral movement is the process of expanding from the initial foothold to other systems across the network — escalating privileges, compromising additional accounts, and working toward the high-value targets identified during reconnaissance.
A concerning 2026 development is the weaponisation of “EDR-blinding” techniques. Attackers now use vulnerable drivers — a tactic called Bring Your Own Vulnerable Driver, or BYOVD — to disable the endpoint detection and response tools that would otherwise catch them. Where this used to take two or three separate stages, ransomware groups have started embedding the vulnerable driver directly into their malware, collapsing defence evasion and execution into a single rapid step.
Stage 4: Data Exfiltration
This is the stage most people don’t know about, and it’s arguably the most damaging. Before encrypting anything, modern ransomware operators steal your sensitive data — copying it to their own servers. This enables what’s called double extortion: even if you have perfect backups and can restore everything, the attackers still hold your stolen data and threaten to publish it unless you pay.
The speed here has increased dramatically. The Palo Alto Networks Global Incidents Report of 2026 found that the fastest attacks reached data exfiltration in just 72 minutes in 2025 — down from 285 minutes in 2024. That’s roughly an hour from initial access to your data being stolen. There is very little time to react.
In fact, a growing 2026 trend is extortion without any encryption at all. With more victims refusing to pay for decryption keys, some groups now skip encryption entirely — they steal the data and threaten disclosure as their sole leverage. They’ve literally taken the “ware” out of ransomware.
Stage 5: Encryption
When encryption does happen, it’s fast and comprehensive. Modern ransomware locks files across the entire network using strong cryptographic algorithms that are effectively impossible to break without the decryption key. Attackers specifically target backups first to remove your ability to recover, then encrypt production systems to maximise disruption.
Notably, ransomware developers are now future-proofing their encryption. Some 2026 variants use post-quantum cryptographic algorithms like Kyber1024 — designed to remain unbreakable even against future quantum computers. The criminals are thinking long-term.
Stage 6: Extortion
Finally, the ransom note appears. The demand typically combines two threats: pay to get the decryption key, and pay to prevent your stolen data from being published. Modern operations are remarkably professionalised — some groups offer “customer support” and even, as seen with the Qilin group, a “Call Lawyer” feature to pressure victims during negotiation.
Encouragingly, the share of victims who paid dropped to 28% in 2025, as more organisations improve their backup strategies and refuse to fund criminal operations. But the shift toward pure data-theft extortion is partly a response to that resistance — attackers adapting their model to maintain leverage.
Why This Matters for Defence
Understanding ransomware as a multi-stage process rather than a single event completely changes how you defend against it. If your only protection is at the encryption stage, you’ve already lost — your data is stolen and the attackers are deep in your network.
The most resilient organisations in 2026 focus on early-stage detection: monitoring for unusual login patterns, credential abuse, and lateral movement before encryption ever happens. The core defences that actually work are phishing-resistant multi-factor authentication to stop credential-based initial access, network segmentation to limit lateral movement, behavioural monitoring to catch reconnaissance, and immutable offline backups so encryption loses its leverage.
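As an added example (not from the original article), the following Python script applies the early-stage monitoring described here and in the reconnaissance section: it flags a VPN login from a source address the account has never used, and one account reaching many distinct hosts in a short window, which is the lateral-movement pattern. The log format, the baseline of known source addresses, and the sample log lines are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp,user,src_ip,dst_host,result
SAMPLE_LOGS = """\
2026-03-02T08:01:10,alice,10.0.5.21,VPN-GW,success
2026-03-02T08:03:12,alice,10.0.5.21,WS-ALICE,success
2026-03-02T22:14:05,alice,203.0.113.77,VPN-GW,success
2026-03-02T22:16:30,alice,10.0.9.40,FS-01,success
2026-03-02T22:17:02,alice,10.0.9.40,FS-02,success
2026-03-02T22:17:40,alice,10.0.9.40,BACKUP-01,success
2026-03-02T22:18:15,alice,10.0.9.40,DC-01,success
2026-03-02T22:19:00,alice,10.0.9.40,SQL-01,success
2026-03-02T09:15:00,bob,10.0.5.30,WS-BOB,success
2026-03-02T09:20:00,bob,10.0.5.30,FS-01,success
"""

# Constructed baseline: source IPs each account normally connects from.
KNOWN_USER_IPS = {"alice": {"10.0.5.21"}, "bob": {"10.0.5.30"}}
WINDOW = timedelta(minutes=10)   # look-back window for host fan-out
HOST_THRESHOLD = 4               # distinct hosts in WINDOW to flag lateral movement


def parse(logs):
    """Parse CSV-style lines into (timestamp, user, src, dst, result) tuples, sorted by time."""
    events = []
    for line in logs.strip().splitlines():
        ts, user, src, dst, result = line.split(",")
        events.append((datetime.fromisoformat(ts), user, src, dst, result))
    return sorted(events)


def detect(logs, baseline=KNOWN_USER_IPS):
    """Return alerts for new VPN source addresses and rapid multi-host access."""
    alerts = []
    events = parse(logs)
    # Rule 1: successful VPN login from an address outside the account's baseline.
    for ts, user, src, dst, result in events:
        if dst == "VPN-GW" and result == "success" and src not in baseline.get(user, set()):
            alerts.append(("new_vpn_source", user, ts.isoformat(), src))
    # Rule 2: one account successfully reaching HOST_THRESHOLD+ hosts within WINDOW.
    per_user = defaultdict(list)
    for ts, user, src, dst, result in events:
        if result == "success" and dst != "VPN-GW":
            per_user[user].append((ts, dst))
    for user, hits in per_user.items():
        for i, (start, _) in enumerate(hits):
            hosts = {d for t, d in hits[i:] if t - start <= WINDOW}
            if len(hosts) >= HOST_THRESHOLD:
                alerts.append(("lateral_movement", user, start.isoformat(), sorted(hosts)))
                break  # one alert per account is enough to trigger triage
    return alerts
```

Both rules fire for the constructed account "alice" (an unfamiliar VPN source, then five hosts touched in under three minutes, including a backup server), while "bob" produces nothing; in practice the baseline would come from weeks of observed logins rather than a hard-coded dictionary.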
Ransomware has evolved into a repeatable business process — the criminals have playbooks, supply chains, and service models. The defenders who succeed are the ones who understand that playbook stage by stage, and intervene before the attack reaches the part everyone fears.
