CyberSmart

What Actually Happens During a Ransomware Attack

cybersecurity ransomware

Most people think ransomware is instant — someone clicks a bad link, the screen goes red, and files are encrypted. The reality is slower, more methodical, and more preventable than that.

The typical timeline

Weeks 1-2: Initial access

The attacker gets in. Usually through one of three doors:

  • A phishing email with a malicious attachment or link
  • A stolen or guessed password on a VPN, RDP, or email account without MFA
  • An unpatched vulnerability in internet-facing software

At this point, nothing visibly happens. The attacker has a foothold — usually one compromised workstation or account — and they’re being quiet about it.

Weeks 2-3: Reconnaissance and lateral movement

The attacker explores your network. They’re looking for:

  • Domain admin credentials
  • Where your important data lives
  • What backup systems you have (and how to disable them)
  • How many machines they can reach

This is the phase where managed detection and response (MDR) earns its cost. An MDR platform monitoring endpoint behavior will flag the unusual activity — a workstation connecting to systems it’s never talked to before, credential harvesting tools running, lateral movement patterns.

Without MDR, this phase is invisible.
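To make the "workstation connecting to systems it has never talked to before" signal concrete, here is an added example of the kind of check an endpoint or network monitor runs. It is not CyberSmart's code or any MDR product's logic: it builds a baseline of (source, destination, port) pairs from a quiet learning period, then flags any source that fans out to several previously unseen destinations in the evaluated window. The log format and every hostname are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data (not real logs). Each line: "timestamp src dst dst_port".
# BASELINE_LOGS stands in for a normal learning period; NEW_LOGS is the window
# being evaluated. Hostnames are invented placeholders.
BASELINE_LOGS = """
2025-03-03T09:01:10 WS-ACCT-07 FILESRV-01 445
2025-03-03T09:02:41 WS-ACCT-07 MAIL-01 443
2025-03-03T09:03:02 WS-ACCT-07 DC-01 389
2025-03-03T09:05:17 WS-HR-03 FILESRV-01 445
2025-03-03T09:06:55 WS-HR-03 DC-01 389
2025-03-04T10:11:08 WS-ACCT-07 FILESRV-01 445
""".strip().splitlines()

NEW_LOGS = """
2025-03-18T02:10:04 WS-ACCT-07 DC-01 445
2025-03-18T02:10:09 WS-ACCT-07 BACKUP-01 445
2025-03-18T02:10:15 WS-ACCT-07 WS-HR-03 445
2025-03-18T02:10:22 WS-ACCT-07 FILESRV-02 3389
2025-03-18T02:10:30 WS-ACCT-07 FILESRV-01 445
2025-03-18T08:30:00 WS-HR-03 FILESRV-01 445
2025-03-18T08:31:12 WS-HR-03 PRINT-01 9100
""".strip().splitlines()


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return ts, src, dst, int(port)


def build_baseline(lines):
    """Set of (src, dst, port) triples seen during the learning period."""
    return {(src, dst, port) for _, src, dst, port in map(parse_line, lines)}


def find_lateral_movement(lines, baseline, fanout_threshold=3):
    """Return one alert per source host that reaches at least
    `fanout_threshold` distinct (dst, port) pairs absent from the baseline.

    A single new connection is normal drift; one workstation reaching a
    domain controller, a backup server and another workstation over SMB
    within minutes is the pattern the text describes.
    """
    new_targets = defaultdict(dict)  # src -> {(dst, port): first_seen_ts}
    for ts, src, dst, port in map(parse_line, lines):
        if (src, dst, port) in baseline:
            continue  # known-good pair from the learning period
        new_targets[src].setdefault((dst, port), ts)

    alerts = []
    for src in sorted(new_targets):
        targets = new_targets[src]
        if len(targets) >= fanout_threshold:
            alerts.append({
                "src": src,
                "new_target_count": len(targets),
                "new_targets": sorted(targets),
                "first_seen": min(targets.values()),
            })
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGS)
    for alert in find_lateral_movement(NEW_LOGS, baseline):
        print(f"{alert['src']}: {alert['new_target_count']} new destinations "
              f"starting {alert['first_seen']}: {alert['new_targets']}")
```

On the constructed data, WS-ACCT-07 is flagged (four new destinations, including the backup server, at 2 a.m.), while WS-HR-03's single new printer connection stays below the threshold. A real MDR platform adds context this toy omits, such as which account made the connections and whether credential-harvesting tools ran on the source, but the baseline-and-fan-out idea is the core of the signal.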

Weeks 3-4: Staging

The attacker prepares the actual ransomware deployment. They’ll:

  • Disable or delete backups they can reach
  • Install the ransomware payload on as many systems as possible (dormant, waiting for activation)
  • Exfiltrate sensitive data (increasingly common — “double extortion” means they threaten to publish your data even if you restore from backups)

Day zero: Detonation

The ransomware activates, usually overnight or on a weekend. Every file on every reachable system is encrypted. The ransom note appears.

What determines whether you recover

Three things:

1. Do you have backups that survived? If your backups are on the same network the attacker had access to, they’ve been deleted or encrypted too. Isolated, air-gapped, or immutable cloud backups are the only ones that reliably survive.

2. How fast was the attack detected? If your MDR caught the lateral movement in week 2, the whole thing stops there. Clean up the compromised account, re-image the affected workstation, and move on. If nobody noticed until the ransom note, you’re in full recovery mode.

3. Do you have an incident response plan? Who do you call first? Your IT provider, your insurance carrier, legal counsel, law enforcement? What order? Who has authority to make decisions? The businesses that recover fastest are the ones who don’t have to figure this out on the day it happens.

The actual cost

Average ransomware ransom in 2025: $1.5 million for mid-size businesses. But the ransom is often the smaller number. The real cost is:

  • Business downtime (days to weeks)
  • Recovery labor
  • Legal and notification costs (if data was exfiltrated)
  • Reputational damage
  • Insurance premium increases

For a small business in southern Nevada, even a modest ransomware incident can cost $50,000-$200,000 when you add up the downtime, recovery, and follow-on costs.

What this means practically

The attack timeline has multiple intervention points. MFA stops the initial access. MDR catches the lateral movement. Isolated backups ensure recovery. An incident response plan reduces chaos.

No single tool prevents ransomware. But the businesses that have these layers don’t make the news.

If you’re not sure whether your current setup would survive a ransomware attack, a security assessment is the place to start.
