
Ransomware TTPs: Initial Access, Lateral Movement, and the Real Breach Path

Lead Summary

Modern ransomware is rarely a single intrusion event. It is an access economy followed by deliberate internal expansion.


Figure: An intrusion path map from exposed edge systems to Active Directory, privilege escalation, and domain-wide impact.

Ransomware Is an Operational Business Model Now

Treating ransomware as a single malware event fundamentally misreads its current structure. Modern ransomware operations function as a layered, role-separated ecosystem:

- Initial access brokers obtain and sell entry points into target environments.
- Affiliates acquire access, move laterally, and escalate privileges to achieve domain-level control.
- Operators manage the data exfiltration, encryption, and extortion stages.

The initial entry vector has shifted substantially. Phishing remains a factor, but exposed edge infrastructure now accounts for a disproportionate share of documented ransomware intrusion paths.

Why Edge Devices Keep Appearing at the Start

VPN gateways, firewalls, and remote access appliances occupy the network boundary and typically lack the endpoint detection coverage defenders rely on for managed workstations. Many organizations also face slower patch cadences for these devices due to availability concerns and change management overhead. For threat actors, this combination is operationally attractive: a single remotely exploitable flaw on an edge device delivers reach, stealth, and interior network proximity in one move.

The repeated appearance of Fortinet, Ivanti, Citrix, and similar products in ransomware incident reports is not coincidental. Public-facing edge vulnerabilities can offer a cleaner, more scalable initial access path than spear-phishing at scale.

The Broker Economy Matters

Initial access brokers do not typically deploy ransomware themselves. Their role is acquiring and monetizing a foothold: an active session, a persistent webshell, stolen VPN credentials, or reliable low-privilege remote access. The next operator in the chain purchases that access and treats the environment as a workable target, eliminating the need for their own initial compromise operations.

What Happens After Entry

The post-access phase is predominantly about environmental reconnaissance and privilege expansion:

- BloodHound or SharpHound to enumerate and visualize Active Directory trust paths and attack vectors.
- Kerberoasting against service accounts configured with weak or guessable passwords.
- LSASS memory access and credential dumping using tools ranging from Mimikatz to custom loaders.
- NTDS.dit extraction from domain controllers to obtain the full credential database.

Once this phase is complete, the intrusion is no longer about one vulnerable device. The entire Active Directory domain is within the attacker's operational scope.

Ransomware Kill Chain: Stage-by-Stage Defender View

| Stage | Attacker Activity | Detection Opportunity |
| --- | --- | --- |
| Initial Access | Exploit edge device (VPN/firewall CVE) or purchase IAB access | Alert on exploit attempts against edge products; monitor IAB forums |
| Persistence | Deploy webshell or backdoor account | Unusual new accounts, unexpected scheduled tasks, web server child processes |
| Reconnaissance | BloodHound/SharpHound enumeration of AD | Excessive LDAP queries from non-admin hosts; DCSync from unexpected sources |
| Credential Theft | Kerberoasting, LSASS dump, NTDS.dit extraction | Service ticket requests for high-value accounts; LSASS access by non-system processes |
| Lateral Movement | Pass-the-hash, pass-the-ticket, remote service abuse | Lateral SMB/WMI from workstations; anomalous admin share access |
| Data Exfiltration | Archive and transfer sensitive data before encryption | Unusual outbound volume; Rclone or cloud sync tools on endpoints |
| Encryption | Deploy ransomware payload across environment | Mass file rename events; VSS deletion commands; ransom note creation |

The critical insight: most organizations only detect at the encryption stage, the last row. Every row above it is a missed opportunity.
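Two of the detection opportunities in the table, the Credential Theft row (service ticket requests consistent with Kerberoasting) and the Encryption row (VSS deletion commands), as an added example that is not part of the original post. The event records are constructed, with the field names and the 4769/4688 event IDs, RC4 encryption types and burst thresholds chosen here as assumptions rather than taken from any product.

```python
"""Detection logic for two kill-chain rows, run over constructed Windows event records."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample telemetry (not real logs). 4769 = Kerberos service ticket
# request, 4688 = process creation with command-line auditing enabled.
EVENTS = [
    {"id": 4769, "time": "2026-01-10T09:00:01", "account": "jdoe", "spn": "MSSQLSvc/db01:1433", "etype": "0x17", "src": "10.0.5.23"},
    {"id": 4769, "time": "2026-01-10T09:00:02", "account": "jdoe", "spn": "HTTP/intranet", "etype": "0x17", "src": "10.0.5.23"},
    {"id": 4769, "time": "2026-01-10T09:00:03", "account": "jdoe", "spn": "MSSQLSvc/db02:1433", "etype": "0x17", "src": "10.0.5.23"},
    {"id": 4769, "time": "2026-01-10T09:00:04", "account": "jdoe", "spn": "exchange/mail01", "etype": "0x17", "src": "10.0.5.23"},
    {"id": 4769, "time": "2026-01-10T09:00:05", "account": "jdoe", "spn": "ldap/dc01", "etype": "0x17", "src": "10.0.5.23"},
    {"id": 4769, "time": "2026-01-10T09:30:00", "account": "asmith", "spn": "cifs/fs01", "etype": "0x12", "src": "10.0.7.4"},
    {"id": 4688, "time": "2026-01-10T10:15:00", "host": "fs01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 4688, "time": "2026-01-10T10:15:01", "host": "ws17", "cmdline": "notepad.exe report.txt"},
]

RC4_ETYPES = {"0x17", "0x18"}  # rc4-hmac and rc4-hmac-exp: offline-crackable ticket types
VSS_PATTERNS = [re.compile(p, re.I) for p in (
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"Get-WmiObject\s+Win32_Shadowcopy.*\.Delete\(\)",
)]

def kerberoast_bursts(events, window=timedelta(minutes=5), min_spns=4):
    """Flag accounts requesting RC4 service tickets for many distinct SPNs within one window."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] != 4769 or e["etype"] not in RC4_ETYPES:
            continue
        if e["account"].endswith("$") or e["account"].lower() == "krbtgt":
            continue  # machine accounts and the KDC account are expected RC4 sources in legacy domains
        by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["spn"], e["src"]))
    hits = []
    for acct, reqs in by_account.items():
        reqs.sort()
        for i, (t0, _, src) in enumerate(reqs):  # sliding window anchored at each request
            spns = {spn for t, spn, _ in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                hits.append({"account": acct, "src": src, "distinct_spns": len(spns)})
                break  # one alert per account is enough for triage
    return hits

def vss_deletions(events):
    """Flag process creations whose command line deletes Volume Shadow Copies."""
    return [{"host": e["host"], "cmdline": e["cmdline"]} for e in events
            if e["id"] == 4688 and any(p.search(e["cmdline"]) for p in VSS_PATTERNS)]

if __name__ == "__main__":
    print(kerberoast_bursts(EVENTS))
    print(vss_deletions(EVENTS))
```

The Kerberoasting rule keys on the combination of RC4 ticket encryption and a burst of distinct SPNs from one user, since a single RC4 request is common noise in environments with legacy service accounts.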

The Defender's Practical Takeaway

Detecting ransomware at the encryption stage is failing late. The meaningful detection and prevention opportunities exist at initial access, lateral movement, and credential operations. If exposed edge vulnerabilities, weak service account configurations, and exploitable domain trust paths coexist in the same environment, the attacker's kill chain is already structurally assembled. Defenders need to see those three layers together, not in isolation across separate tools and teams.

MyVuln Perspective

MyVuln delivers meaningful value in this context only when it surfaces three interconnected layers simultaneously:

- Which edge systems carry actively exploited vulnerabilities and what their current patch status is.
- Which exposures have entered the known-exploited set relevant to ransomware operator TTPs.
- How a given edge vulnerability connects to plausible post-exploitation lateral movement paths inside the environment.

MyVuln's KEV-correlated asset view does exactly this: when CISA adds a Fortinet or Ivanti CVE to its Known Exploited Vulnerabilities catalog, MyVuln immediately surfaces which assets in your inventory are affected and flags any open exposure to the internet, turning a government advisory into an internal escalation ticket in minutes rather than days. At that point, a CVE record stops being a line in a remediation report and becomes the first identified link in a documented ransomware kill chain, a framing that drives urgency and organizational alignment far more effectively.
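The correlation the paragraph describes, as an added example that is not MyVuln's own code: a KEV feed is joined to an asset inventory and each match is ranked by internet exposure and by the catalog's ransomware-use flag. The KEV field names follow CISA's public JSON schema; the inventory shape, host names and all CVE identifiers are constructed placeholders.

```python
"""Rank KEV-listed findings on an asset inventory for escalation (constructed data)."""

# Constructed KEV entries with placeholder CVE ids; only the fields used here are kept.
KEV = [
    {"cveID": "CVE-2099-00001", "vendorProject": "Fortinet", "product": "FortiOS",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-00002", "vendorProject": "Ivanti", "product": "Connect Secure",
     "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed inventory: each asset lists the CVEs a scanner reported against it.
ASSETS = [
    {"host": "vpn-edge-01", "vendor": "Fortinet", "product": "FortiOS",
     "internet_exposed": True, "cves": ["CVE-2099-00001", "CVE-2099-00009"]},
    {"host": "vpn-lab-02", "vendor": "Ivanti", "product": "Connect Secure",
     "internet_exposed": False, "cves": ["CVE-2099-00002"]},
    {"host": "ws-017", "vendor": "Microsoft", "product": "Windows 11",
     "internet_exposed": False, "cves": ["CVE-2099-00042"]},
]

PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2}

def prioritize(kev, assets):
    """Return KEV-matched findings, highest escalation priority first.

    P1: in KEV, internet-exposed, and tied to known ransomware campaign use.
    P2: in KEV and internet-exposed.
    P3: in KEV but only reachable from inside the network.
    CVEs not in KEV stay in the regular remediation queue and are not returned.
    """
    kev_by_id = {entry["cveID"]: entry for entry in kev}
    findings = []
    for asset in assets:
        for cve in asset["cves"]:
            entry = kev_by_id.get(cve)
            if entry is None:
                continue
            ransomware_use = entry.get("knownRansomwareCampaignUse") == "Known"
            if asset["internet_exposed"] and ransomware_use:
                priority = "P1"
            elif asset["internet_exposed"]:
                priority = "P2"
            else:
                priority = "P3"
            findings.append({"host": asset["host"], "cve": cve, "priority": priority,
                             "internet_exposed": asset["internet_exposed"],
                             "ransomware_use": ransomware_use})
    return sorted(findings, key=lambda f: (PRIORITY_ORDER[f["priority"]], f["host"]))

if __name__ == "__main__":
    for finding in prioritize(KEV, ASSETS):
        print(finding)
```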


MyVuln Research Team

Cybersecurity intelligence and vulnerability research.


2026 MyVuln. All rights reserved.
