Ransomware attacks progress along a well-known kill chain. Attackers start by gaining entry to your infrastructure, typically via email phishing or by exploiting virtual private network (VPN) weaknesses or Windows Remote Desktop Protocol (RDP), and then traverse along the chain to install malware, elevate to domain administrator privileges, seek out important hosts, disable security software, and deploy the encryption package.
The process takes time. Anywhere from a few days to several weeks can elapse before the final package is installed and the ransom request is delivered.
The key to stopping ransomware is to detect its presence as early in the kill chain as possible and neutralize it before it can carry out its mission.