The conventional defense framework for ransomware — maintain good backups, practice restoration, pay nothing — was already inadequate before 2020. By 2025 it is not just inadequate; it is actively misleading organizations about the nature of the threat they face. Organizations that build their ransomware resilience posture around backup and restore are preparing to win a battle that ransomware groups stopped fighting years ago.
The tactical evolution is documented and specific. Double extortion — encrypting data and threatening to publish it unless ransom is paid — became the dominant model in 2020, after the Maze ransomware group pioneered the combination at scale in late 2019. By 2022, over 70% of ransomware incidents tracked by AIFox AI threat intelligence involved data exfiltration preceding encryption. In 2024, a significant fraction of incidents involved exfiltration without encryption at all, targeting organizations whose data sensitivity made publication threats more compelling than production disruption.
Restoring from backup addresses the encryption component. It addresses nothing about the exfiltrated data, which is now in the adversary's possession regardless of whether ransom is paid. The leverage shift is decisive: backup and restore eliminates the production disruption threat but leaves the data extortion threat fully intact.
The Modern Ransomware Kill Chain
Understanding why backup and restore fails requires understanding the complete attack sequence that ransomware groups execute before encryption begins. The encryption event — the moment when files become inaccessible and ransom notes appear — is typically the last step in an attack that has been running for days, weeks, or months.
The typical 2024 enterprise ransomware attack follows this sequence: initial access (most commonly through phishing or exploitation of internet-facing systems), persistence establishment (installing tools that survive reboots and provide reliable re-access), privilege escalation (obtaining domain administrator or equivalent credentials), reconnaissance (mapping the network, identifying backup systems and high-value data), lateral movement (spreading across systems to maximize impact), data exfiltration (exporting high-value data to attacker-controlled infrastructure, often over several days), pre-encryption preparation (disabling backups, deploying ransomware payload to all targeted systems), and mass encryption (executing across all targeted systems simultaneously).
The window for defense is enormous — potentially weeks. Detection of any step in the kill chain before the final encryption event allows intervention that prevents the worst outcomes. The challenge is that ransomware groups specifically choose tools and techniques designed to evade detection at each stage: living-off-the-land techniques using built-in Windows tools (wmic, PowerShell, certutil) and dual-use third-party utilities such as rclone, slow and patient exfiltration to cloud storage services (Mega, Dropbox) that perimeter controls rarely block, and dormant payloads that wait for a specific trigger before activating.
Detection Before Encryption: The Only Viable Strategy
The implication of the modern ransomware kill chain is direct: effective defense requires detecting the attack at one of the pre-encryption stages, not detecting the encryption itself. By the time encryption starts, the data theft has already occurred and the preparation phase has compromised enough of the environment that even rapid response cannot fully prevent harm.
The behavioral signals that reliably indicate ransomware staging activity — before any encryption occurs — fall into three categories that AIFox AI's detection engine monitors continuously.
Credential escalation patterns. Ransomware operators need domain administrator or equivalent credentials to deploy their payload across the environment effectively. The techniques used to obtain these credentials — Mimikatz reading LSASS memory, Kerberoasting attacks against service accounts, pass-the-hash lateral movement — generate distinctive behavioral signals in endpoint telemetry and authentication logs. A sequence of these signals, appearing on a host that has recently seen anomalous inbound authentication (for example, a VPN or RDP logon from a new location or device), is a high-confidence ransomware staging indicator even before any data movement occurs.
Backup system targeting. Before executing mass encryption, ransomware operators disable or destroy backups to maximize leverage. This requires either administrative access to backup infrastructure or exploitation of backup software vulnerabilities. Specific commands — vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog, bcdedit /set {default} recoveryenabled No, bcdedit /set {default} bootstatuspolicy ignoreallfailures, stopping backup or Volume Shadow Copy services — have few legitimate uses outside scripted maintenance by backup software, and next to none when run interactively, on a workstation, or in quick succession. They serve as near-certain indicators that a ransomware operator has achieved elevated access and is preparing for encryption.
Anomalous data staging and egress. Exfiltration before encryption involves staging data into archive files (7-Zip, WinRAR) in non-standard locations, followed by outbound transfer to cloud storage services or directly to attacker-controlled servers. The behavioral signature: a process with administrative privileges creating large archive files drawn from multiple directories, followed by sustained outbound transfer volume to a destination the organization has no relationship with, at 10 PM on a Tuesday. This pattern is not subtle, but detecting it requires the correlation of endpoint, network, and behavioral data that many organizations lack.
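The two signals above (backup tampering and archive staging followed by egress) can be turned into single-event rules. The following is an added example, not AIFox AI code: it runs constructed Sysmon-style process-creation events and NetFlow-style flow records through command-line and volume rules and reports which hosts look like they are preparing for encryption. The staging directories, the 500 MB egress threshold, the egress allow-list, and the list of backup service name fragments are assumptions for the example, not tuned detection content.

```python
import re
from collections import defaultdict

# Backup/recovery tampering, matched against the lower-cased command line.
BACKUP_TAMPER = [re.compile(p) for p in (
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*/maxsize=",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)",
    r"bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no",
    r"bcdedit(\.exe)?\s+/set\s+.*bootstatuspolicy\s+ignoreallfailures",
    r"win32_shadowcopy.*remove-wmiobject",
    r"(net|sc)(\.exe)?\s+stop\s+\S*(backup|veeam|vss)\S*",   # assumed service name fragments
)]
# "<archiver> a [switches] <archive path>": group(2) is the archive being written.
ARCHIVER = re.compile(r"(?:^|\\)(7za|7z|rar|winrar)(?:\.exe)?\s+a\s+(?:-\S+\s+)*(\S+)")
# rclone copy/sync/move with a named remote ("mega:", "s3:"); a bare drive letter does not count.
RCLONE = re.compile(r"rclone(?:\.exe)?\s+(copy|sync|move|copyto)\s+.*\s([a-z0-9_-]{2,}):\S*")
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "c:\\perflogs\\",
                "c:\\windows\\temp\\", "\\temp\\")                    # assumed
EGRESS_ALLOWLIST = ("sharepoint.corp.example", "backup.corp.example")  # assumed
EGRESS_BYTES = 500 * 1024 * 1024                                      # assumed


def classify_process(cmdline):
    """Return 'backup_tamper', 'staging', 'egress_tool' or None for one process-creation event."""
    cl = cmdline.lower()
    if any(p.search(cl) for p in BACKUP_TAMPER):
        return "backup_tamper"
    m = ARCHIVER.search(cl)
    if m and any(d in m.group(2) for d in STAGING_DIRS):
        return "staging"
    if RCLONE.search(cl):
        return "egress_tool"
    return None


def classify_flow(flow):
    """Return 'egress' for a large transfer to a destination outside the allow-list."""
    if flow["bytes_out"] >= EGRESS_BYTES and not flow["dst"].endswith(EGRESS_ALLOWLIST):
        return "egress"
    return None


def summarize(events):
    """Per-host count of each stage seen in the event stream (hosts with no hits are omitted)."""
    per_host = defaultdict(lambda: defaultdict(int))
    for ev in events:
        stage = classify_process(ev["cmdline"]) if ev["type"] == "process" else classify_flow(ev)
        if stage:
            per_host[ev["host"]][stage] += 1
    return {h: dict(s) for h, s in per_host.items()}


def hosts_preparing_encryption(events):
    """Hosts with backup tampering, or archive staging followed by an egress tool or egress flow."""
    hits = []
    for host, st in summarize(events).items():
        if st.get("backup_tamper") or (st.get("staging") and (st.get("egress") or st.get("egress_tool"))):
            hits.append(host)
    return sorted(hits)


# Constructed sample telemetry for the example (values are invented).
SAMPLE_EVENTS = [
    {"type": "process", "host": "fs01", "user": "CORP\\svc-backup",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "host": "fs01", "user": "CORP\\svc-backup",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"type": "process", "host": "fs01", "user": "CORP\\svc-backup",
     "cmdline": r'7z.exe a -mx1 C:\ProgramData\f1.7z "D:\Shares\Finance\*" -pX'},
    {"type": "process", "host": "fs01", "user": "CORP\\svc-backup",
     "cmdline": r'7z.exe a -mx1 C:\ProgramData\f2.7z "D:\Shares\HR\*" -pX'},
    {"type": "process", "host": "fs01", "user": "CORP\\svc-backup",
     "cmdline": r"rclone.exe copy C:\ProgramData mega:dump --transfers 8"},
    {"type": "flow", "host": "fs01", "dst": "g.api.mega.co.nz", "bytes_out": 7_400_000_000},
    # Benign: a user archiving a project into Documents and syncing to a sanctioned service.
    {"type": "process", "host": "ws17", "user": "CORP\\alice",
     "cmdline": r"7z.exe a C:\Users\alice\Documents\proj.7z C:\Users\alice\proj"},
    {"type": "flow", "host": "ws17", "dst": "sharepoint.corp.example", "bytes_out": 900_000_000},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print(hosts_preparing_encryption(SAMPLE_EVENTS))
```

The archive rule deliberately keys on where the archive is written rather than on the archiver's image path, because operators routinely drop a renamed 7z.exe alongside the data; the rclone rule requires a named remote so that a local drive-to-drive copy does not fire.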
Why Traditional Endpoint Security Misses Ransomware Staging
Traditional endpoint protection platforms are primarily designed to detect malware based on file signatures and heuristic analysis of executable behavior. The techniques ransomware operators use during the staging phase are specifically chosen to evade these controls: they use signed or widely trusted utilities that are not malware in themselves (PsExec for lateral movement, rclone for exfiltration), abuse built-in administrative tools, and generate activity patterns that individually resemble administrative work.
The detection gap is systematic, not incidental. A Mimikatz execution that has been obfuscated to evade signature detection, loaded through a PowerShell script whose hash has never been seen, reading the LSASS process — the individual components may not trigger any endpoint detection rule. But the combination of that event with a preceding authentication anomaly and a subsequent rclone process uploading several gigabytes to MEGA.nz is an unambiguous attack chain that behavioral analysis can reconstruct and alert on.
This is precisely why behavioral detection with multi-source telemetry correlation detects ransomware staging at rates that signature-based endpoint detection cannot match. The signal is in the sequence and the combination, not in any individual event.
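The chain reconstruction described in the two paragraphs above (authentication anomaly, then credential access, then egress, across different telemetry sources) is what the added example below implements; it is illustrative code, not AIFox AI's detection engine. It takes signals that upstream rules have already classified into stages, and on each host looks for the longest sequence that advances through the kill chain with no more than 24 hours between consecutive signals, alerting only when that sequence spans at least two stages from at least two sources. The stage names, the 24-hour window, the two-stage/two-source rule, and the sample signals are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Pre-encryption stages in kill-chain order; a chain must move strictly forward through them.
STAGE_ORDER = ["auth_anomaly", "cred_access", "backup_tamper", "staging", "egress"]
RANK = {stage: i for i, stage in enumerate(STAGE_ORDER)}
WINDOW = timedelta(hours=24)  # assumed: maximum gap between consecutive chained signals


def sig(host, ts, source, stage, detail):
    return {"host": host, "ts": datetime.fromisoformat(ts),
            "source": source, "stage": stage, "detail": detail}


# Constructed, already-classified signals from three sources: idp (authentication logs),
# edr (endpoint agent) and netflow (network). Hosts, times and details are invented.
SAMPLE_SIGNALS = [
    sig("fs01", "2024-11-02T09:00:00", "edr", "cred_access", "lsass handle ten days earlier (stale)"),
    sig("fs01", "2024-11-12T19:40:00", "idp", "auth_anomaly", "VPN logon from new country and device"),
    sig("fs01", "2024-11-12T20:15:00", "edr", "cred_access", "powershell opened lsass.exe with PROCESS_VM_READ"),
    sig("fs01", "2024-11-12T21:05:00", "edr", "staging", "7z.exe writing archives into C:\\ProgramData"),
    sig("fs01", "2024-11-12T22:10:00", "netflow", "egress", "7.4 GB to g.api.mega.co.nz"),
    # One LSASS access with nothing around it: ambiguous on its own, no chain.
    sig("ws17", "2024-11-12T11:00:00", "edr", "cred_access", "scanner agent touched lsass.exe"),
    # Out of order: the egress precedes the auth anomaly, so they do not chain.
    sig("db02", "2024-11-13T02:00:00", "netflow", "egress", "600 MB to unknown host"),
    sig("db02", "2024-11-13T05:00:00", "idp", "auth_anomaly", "logon from new IP"),
]


def longest_chain(sigs):
    """Longest time-ordered subsequence whose stages strictly advance, with gaps <= WINDOW."""
    sigs = sorted(sigs, key=lambda s: s["ts"])
    best = [[s] for s in sigs]           # best[i]: longest valid chain ending at sigs[i]
    for i, cur in enumerate(sigs):
        for j in range(i):
            prev = sigs[j]
            if (RANK[prev["stage"]] < RANK[cur["stage"]]
                    and cur["ts"] - prev["ts"] <= WINDOW
                    and len(best[j]) + 1 > len(best[i])):
                best[i] = best[j] + [cur]
    return max(best, key=len) if best else []


def severity(chain):
    stages = {s["stage"] for s in chain}
    if "egress" in stages:
        return "critical"   # data is already leaving the environment
    if "backup_tamper" in stages:
        return "high"       # encryption is imminent
    return "medium"


def correlate(signals, min_stages=2, min_sources=2):
    """One alert per host whose best chain spans enough stages and telemetry sources."""
    by_host = {}
    for s in signals:
        by_host.setdefault(s["host"], []).append(s)
    alerts = []
    for host in sorted(by_host):
        chain = longest_chain(by_host[host])
        sources = {s["source"] for s in chain}
        if len(chain) >= min_stages and len(sources) >= min_sources:
            alerts.append({"host": host, "severity": severity(chain),
                           "stages": [s["stage"] for s in chain],
                           "sources": sorted(sources),
                           "first": chain[0]["ts"].isoformat(),
                           "last": chain[-1]["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_SIGNALS):
        print(alert)
```

On the sample data only fs01 alerts: its stale LSASS access from ten days earlier is outside the window and is left out of the chain, the lone LSASS access on ws17 never becomes a chain, and db02's egress cannot be followed by an earlier-stage authentication anomaly. That is the point of the section: the same edr signal that is ignorable on ws17 is critical on fs01 because of what surrounds it.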
Containment Architecture That Survives a Ransomware Attack
Defense in depth for ransomware means assuming that the perimeter will eventually be breached and designing the internal environment to limit blast radius when it is. Specific architectural decisions significantly affect the scope of ransomware impact.
Network segmentation limits lateral movement. Ransomware operators use SMB shares, RDP connections, and administrative tools to spread across flat networks rapidly. Micro-segmented environments where servers are grouped by function with explicit allow-list communication rules require attackers to escalate through multiple controlled boundaries rather than moving freely. This does not prevent ransomware, but it limits the spread timeline and gives defenders more opportunity to detect and respond before full environment coverage is achieved.
Privileged access management limits credential exposure. If service accounts only have permissions to specific systems, if administrative credentials are checked out of a PAM vault rather than reused as standing secrets, and if just-in-time privilege is required for administrative access, the credential escalation phase of a ransomware attack becomes significantly harder. Many of the most damaging enterprise ransomware incidents involved a single compromised privileged account that had standing access to every system in the environment.
Immutable backups eliminate the backup destruction leverage. Immutable or air-gapped backup copies that ransomware operators cannot reach or alter, even with domain administrator credentials, restore the utility of backup and restore as a recovery strategy. Cloud-based immutable storage (Amazon S3 Object Lock, Azure Blob immutable storage) provides this capability without the cost and complexity of physical air-gap infrastructure, provided the retention is enforced in a compliance mode that the backup account itself cannot shorten or remove.
The Response Decision That Nobody Prepares For
Every organization that faces ransomware eventually confronts the same question: pay or not pay? The responsible answer is "never pay, it encourages the ecosystem and doesn't guarantee data deletion." The practical reality is that organizations with inadequate recovery capability and exfiltrated sensitive data sometimes make different decisions under crisis conditions.
The organizations that avoid this dilemma are the ones that build their posture so that the ransomware operator's leverage is minimized before an incident occurs: detection capability that catches the attack before encryption, containment architecture that limits blast radius, recovery capability that does not depend on the attacker, and — critically — data minimization and DLP controls that mean the exfiltrated data is less sensitive than the attacker expects. When you know what data the attacker might have and have already disclosed it or prepared a response plan, the publication threat carries less leverage.
Ransomware groups are businesses. They maximize revenue by targeting organizations whose combination of production dependency and data sensitivity creates maximum payment pressure. Systematically reducing those pressure points is how enterprises remove themselves from the optimal target profile — not by installing any single control, but by making the attack harder to execute and the leverage harder to apply.
Dana Kim is a Threat Intelligence Analyst at AIFox AI specializing in ransomware ecosystem tracking, double extortion tactics, and enterprise ransomware defense architecture.