Cybersecurity 5 May 2026 · 8 min read

Anatomy of a ransomware attack on an SMB — what we observe in 2026

Seven typical days between initial compromise and encryption trigger. The breakdown of a ransomware attack on a French SMB in 2026, seen from our SOC, with the real windows of opportunity to stop it.

By Hexceos Team · SOC team

The myth to correct first

Many executives picture a ransomware attack as an instantaneous event: a single action, a single moment, a red screen. The reality, observed on the 2024-2025 incidents we have handled, is different: a ransomware attack on an SMB typically lasts 5 to 9 days between initial compromise and encryption trigger.

Each of those days is a window of opportunity to detect, contain and neutralise the attacker.

Day 0 — the entry

Three vectors dominate in 2026:

  • Targeted phishing on a privileged account (50% of cases in our sample).
  • Exploitation of an unpatched network vulnerability — VPN, exposed RDP, firewall, IoT equipment (25%).
  • Compromise of a third-party account — IT provider, software vendor (15%).

The remainder splits between USB keys, voice social engineering and other vectors.

At this stage, a well-configured EDR/XDR typically detects the initial anomaly in 60% of cases. This is our first window.

Days 1-2 — reconnaissance

The attacker explores: listing Active Directory accounts, network shares and critical servers, identifying backups, and locating service accounts with elevated rights. This phase leaves traces (abnormal enumeration, atypical LDAP queries, serial authentication failures) that a human SOC qualifies in 10 to 30 minutes.

On the attacks we stopped in 2025, 76% were stopped at this phase — well before encryption.

Days 3-5 — escalation and lateral movement

The attacker obtains administrator rights (often via a poorly protected service account), pivots to critical servers, disables the standard antivirus, and identifies the backups in order to delete or encrypt them too.

This is the most technically visible phase — multiple privileged account authentications from unusual workstations, security service disablement, access to backup servers. An XDR with identity + endpoint + network correlation raises the red alert automatically.
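The reconnaissance and escalation signals described above (serial authentication failures, then a privileged account succeeding from a workstation it never uses) turned into detection logic, as an added example; this is not the SOC's own tooling. The event format, host names, account names and the baseline of normal admin hosts are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not real logs): "timestamp account source_host outcome".
SAMPLE_EVENTS = """\
2026-03-02T09:15:00 adm-dupont IT-ADMIN-01 SUCCESS
2026-03-02T09:20:00 j.martin WS-ACC-07 SUCCESS
2026-03-02T21:04:10 svc-backup WS-ACC-07 FAIL
2026-03-02T21:04:12 svc-backup WS-ACC-07 FAIL
2026-03-02T21:04:15 svc-backup WS-ACC-07 FAIL
2026-03-02T21:04:19 svc-backup WS-ACC-07 FAIL
2026-03-02T21:04:24 svc-backup WS-ACC-07 FAIL
2026-03-02T21:04:31 svc-backup WS-ACC-07 SUCCESS
2026-03-02T21:10:02 adm-dupont WS-ACC-07 SUCCESS
"""

# Assumed baseline (constructed): hosts each privileged account normally logs on from.
PRIV_BASELINE = {"adm-dupont": {"IT-ADMIN-01"}, "svc-backup": {"BKP-SRV-01"}}

def parse_events(text):
    """Parse the four-field lines into (datetime, account, host, outcome), oldest first."""
    events = []
    for line in text.splitlines():
        ts, account, host, outcome = line.split()
        events.append((datetime.fromisoformat(ts), account, host, outcome))
    return sorted(events)

def serial_failures(events, threshold=5, window=timedelta(minutes=2)):
    """Reconnaissance signal: >= threshold failures for one account/host pair inside `window`.
    Returns {(account, host): ended_in_success} for each pair that crossed the threshold."""
    fails = defaultdict(list)
    alerts = {}
    for ts, account, host, outcome in events:
        key = (account, host)
        # keep only the failures still inside the sliding window
        fails[key] = [t for t in fails[key] if ts - t <= window]
        if outcome == "FAIL":
            fails[key].append(ts)
            if len(fails[key]) >= threshold:
                alerts.setdefault(key, False)
        elif key in alerts and outcome == "SUCCESS" and fails[key]:
            alerts[key] = True  # the guessing burst ended in a successful logon
    return alerts

def unusual_privileged_logons(events, baseline=PRIV_BASELINE):
    """Escalation signal: a privileged account succeeds from a host outside its baseline."""
    return [(account, host) for _, account, host, outcome in events
            if outcome == "SUCCESS" and account in baseline and host not in baseline[account]]
```

Both functions fire on the same account/host pair here, which is the identity + endpoint correlation the text describes: a burst of failures on svc-backup from an accounting workstation, followed by that account and an admin account both succeeding from it.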

Days 5-7 — exfiltration

Before encryption, modern attackers exfiltrate your data. This is the double extortion model — not only are your systems encrypted, but a public leak is promised if you don’t pay. Exfiltration typically uses common channels — personal cloud storage, outbound FTP, sometimes DNS exfiltration for sophisticated attackers.

A correctly configured firewall with DLP, combined with outbound traffic monitoring, raises the alert at this phase.

Days 7-9 — encryption

The visible event. The encryption binary triggers simultaneously on compromised machines, often outside business hours (Friday evening, weekend, public holiday). The ransom note appears, online backups are already encrypted or deleted, activity stops.

At this stage, prevention is almost always too late. The question becomes — do you have offline immutable backups? A tested DRP? A communication plan? Cyber insurance?

The seven windows of opportunity

  1. Detection at entry — EDR/XDR with behavioural detection.
  2. Detection of reconnaissance — Active Directory + endpoint log correlation.
  3. Detection of privilege escalation — XDR with identity context.
  4. Detection of security tool disablement — automatic alert.
  5. Detection of lateral movement — internal network flow monitoring.
  6. Detection of exfiltration — DLP + outbound monitoring.
  7. Detection of trigger — automated isolation response.

A well-tooled 24/7 human SOC catches 70 to 85% of attacks before the exfiltration phase. A poorly supervised EDR alone catches 15 to 30%.

And if the attack succeeds anyway

Three elements make the difference in the recovery phase:

  • Offline immutable backups tested every quarter.
  • Documented DRP with contractual RPO and RTO.
  • Crisis cell activated in under one hour with forensic, legal and communication skills.

Our managed SOC includes the crisis cell and forensic phase in the contract. Our sovereign datacenter offers immutable backups compliant with GDPR and HDS requirements.

Written by the Hexceos SOC team.
