What Changed in Ransomware Tradecraft This Year
The dominant ransomware narrative — mass encryption, a ransom note, a countdown timer — describes an attack style that’s steadily losing ground to something quieter and, for defenders, harder to catch in time.
The shift: encryption is now optional
Modern ransomware operators increasingly treat encryption as a secondary lever, not the primary one. The actual leverage is exfiltrated data, held for a “pay or we publish” negotiation. Encryption gets used opportunistically, sometimes skipped entirely if it would trigger detection before exfiltration finishes.
This matters because most organizations’ incident response plans are still tuned to detect the loud failure mode — mass file encryption, backup deletion, ransom notes appearing on desktops — rather than the quiet one: large, slow, low-and-slow data transfers to attacker-controlled infrastructure over days or weeks.
Where the dwell time actually goes
In the intrusions worth studying, the bulk of dwell time isn’t spent on the initial compromise — initial access is often achieved within hours via phishing, exposed RDP, or a known vulnerability in an internet-facing service. The time goes into:
- Living-off-the-land lateral movement, using legitimate admin tooling (RMM software, PsExec, native cloud APIs) specifically to blend into normal operational noise.
- Identifying and staging high-value data — legal, financial, and customer records — before triggering any action that would show up on an encryption-focused detection rule.
- Establishing redundant access — multiple footholds so that killing one detected implant doesn’t end the intrusion.
What this means for defense priorities
- Egress monitoring deserves the same budget as endpoint detection. Large, sustained outbound transfers to unfamiliar destinations are often the earliest loud signal in an otherwise quiet intrusion.
- Assume the initial detection will be partial. Response playbooks need to account for redundant attacker access, not just “isolate the one infected host.”
- Tabletop the data-theft-only scenario, not just the classic encryption scenario. Many IR plans still end at “restore from backup,” which doesn’t address an extortion threat built entirely on stolen data.
The technical sophistication of ransomware operations hasn’t necessarily increased — but the operational discipline has, and defenses calibrated for the old, noisier playbook are increasingly fighting the wrong fight.
Related content
Want a second set of eyes on your security posture?
Let's talk about where your real exposure is.
Book an advisory call