Back to all articles

The locked screen demanding payment is the part everyone pictures when they hear "ransomware." It's also the last thing that happens, not the first. By the time that screen shows up, an attacker has usually already been inside the network for days, sometimes weeks — looking around, working out what's valuable, and quietly setting the stage. Understanding that timeline matters, because most of the best chances to stop a ransomware attack happen long before any file gets encrypted. Here's what the attack actually looks like, stage by stage.

Step 1: Getting In — A Phishing Email, a Weak Login, or a Skipped Update

Ransomware almost never starts with someone breaking through a firewall in dramatic fashion. It starts with one of three unglamorous doors: a phishing email that tricks someone into entering their password on a fake login page, a remote access login (like RDP) that's exposed to the internet with a weak or reused password, or a known software vulnerability that was never patched.

All three have something in common — they're quiet. Nothing breaks, nothing crashes, no alarm goes off. An employee clicks a link that looks like it's from a vendor, types their password, and moves on with their day, completely unaware that the credentials just went straight to an attacker.

This is why the first line of defense isn't a piece of software — it's a habit. A moment of hesitation before clicking, a password that's actually unique to that account, and multi-factor authentication (MFA) that makes a stolen password useless on its own. Most ransomware attacks could have been stopped right here, at the door.

Step 2: Sitting Quietly — Attackers Explore Before They Strike

Getting in is rarely the goal — it's the starting point. Once inside, an attacker typically doesn't do anything obvious right away. They look around. What kind of business is this? What systems exist? Where are the backups kept? Is there cyber insurance? Who has administrator access? This stage can last days or weeks, and it's almost entirely invisible to someone who isn't specifically looking for it.

The goal during this stage is to find your most valuable, hardest-to-replace data and, just as importantly, your backups — because a ransomware attack works far better for the attacker if you have no way to recover without paying.

"By the time you see a locked screen, the attack has already succeeded at everything except the part you can see."

This is exactly why monitoring matters as much as prevention. A business that can spot unusual login activity or strange account behavior during this quiet stage has a real chance to shut the attack down before it goes any further.

Step 3: Spreading — Moving From One Machine to the Whole Network

A single infected laptop is a bad day. A ransomware attack that has spread across the whole network is a business emergency. Attackers use the access they've gathered to move from one machine to the next, often working their way up to a domain administrator account — the kind of access that can touch nearly every computer on the network at once.

This is where network segmentation, the practice of keeping different parts of a network separated from each other, earns its keep. A network where every device can freely reach every other device gives an attacker a wide-open path. A network that's broken into smaller, separated pieces slows that spread down dramatically, sometimes stopping it in one area entirely.

This stage is also the last real opportunity to catch the attack before the damage becomes visible to everyone. After this point, the next thing anyone notices is usually the ransom note itself.

Step 4: The Encryption Event — When Everything Locks at Once

This is the moment most people associate with "a ransomware attack" — files across the network suddenly become unreadable, renamed with strange extensions, and unopenable. It typically happens fast, often overnight or over a weekend, specifically timed for when it's least likely to be noticed right away and hardest to respond to quickly.

Modern ransomware attacks frequently add a second layer before encrypting anything: the attacker quietly copies sensitive data out of the network first. This means even a business with solid backups still faces a real threat — the attacker can threaten to publish or sell the stolen data regardless of whether the ransom for decryption gets paid.

By this stage, the difference between a bad day and a business-ending event usually comes down to one thing decided long before the attack started: whether clean, isolated backups actually exist and actually work.

Step 5: The Ransom Note — and the Decision No Business Wants to Make

The ransom note appears on locked screens or as a text file scattered across folders, usually with a countdown, a payment demand in cryptocurrency, and a threat to leak stolen data or raise the price if you wait. This is the moment most business owners first learn they've been attacked, days or weeks after the attacker actually got in.

There's no comfortable answer here. Paying doesn't guarantee you get your data back, and it doesn't guarantee the stolen data won't be leaked anyway. Not paying can mean a slow, expensive recovery if backups are incomplete or untested. This is exactly why the earlier stages matter so much — the choices made weeks before the ransom note appears are what actually determine how bad this moment turns out to be.

If this happens to your business, involve law enforcement and a qualified incident response resource before making any decisions, and never assume backups are good until you've actually tested restoring from them.

What to Do Before Any of This Happens to You

Every stage above has a point where the attack could have been stopped or made far less damaging. None of the fixes require becoming a security expert overnight — they require a handful of concrete steps, done before you need them.

  • Turn on multi-factor authentication (MFA) everywhere it's available, especially email
  • Keep backups that are isolated from the main network, and actually test restoring from them
  • Patch known software vulnerabilities on a regular schedule, not "whenever there's time"
  • Segment the network so one infected device can't reach everything else
  • Put monitoring in place so unusual login activity gets caught during the quiet stage, not after
  • Write a short incident response plan now, so the first hour of an attack isn't spent figuring out who to call

At Brewed Security, we help businesses across Cincinnati, Dayton, and Northern Kentucky put these protections in place before an attacker ever gets a chance to use them — in plain English, with a clear plan, not a wall of jargon.

Brewed Security Consulting

Would you catch a ransomware attack before it spreads?

We'll look at your backups, monitoring, and network setup and give you a straight answer on where you'd stand — plain English, quoted upfront. The first call is always free.

Schedule a Free Conversation
Kylee Coffey

Written by

Kylee Coffey

Kylee is the cybersecurity specialist at Brewed Security Consulting in Cincinnati, Ohio. She specializes in the modern threats that target small and mid-sized businesses — from firewall vulnerabilities to ransomware — and translates complex security concepts into plain-English action plans business owners can actually use.