Arctic Wolf’s The State of Cybersecurity: 2025 Trends Report revealed that 23% of organizations experienced at least one significant ransomware attack in 2024. And these attacks remain difficult for organizations to remediate without succumbing to threat actor demands, with the same report finding 76% of victim organizations are electing to pay the ransom to regain access to their data and environment.
With both attacks and attack complexity increasing, it’s understandable that IT and security teams may feel like they’re fighting a losing battle against ransomware. But Arctic Wolf’s threat intelligence researchers have identified ten major threat actor tactics, techniques, and procedures (TTPs) found in the majority of our incident response engagements. Understanding how these TTPs are leveraged, where they fit within the MITRE ATT&CK framework (a “globally accessible knowledge base of adversary tactics and techniques based on real-world observations”), and how you can protect your environment against them, is the first major step to safeguarding your organization from ransomware attacks.
What Are Tactics, Techniques, and Procedures?
Tactics, Techniques, and Procedures (TTPs) refer to the patterns, activities, and methods of a threat actor or threat actor group. Simply, TTPs are how a cybercriminal conducts an attack.
There are three main parts to TTPs:
1. Tactics
Tactics are the high-level behavior and strategy of a threat actor or threat actor group. For example, a threat actor deciding to hold an organization's data for ransom would be a tactic.
Common tactics include:
- Reconnaissance
- Delivery or exploitation
- Objective actions
2. Techniques
Tactics are realized through techniques, which are the intermediate steps in a threat actor’s plan. For example, a threat actor sending a phishing email to try to gain credentials to a system or application would be a technique.
Common techniques include:
- Network infiltration
- Lateral movement
- Malware launches
- Data transfers or modifications
3. Procedures
Procedures are the specific steps a threat actor or threat actor group takes, utilizing a specific technique, to execute an attack tactic. Procedures are the most detailed and specific component of the three. Because procedures are specific to a given incident, there is no set of common procedures. However, there are broader patterns of attacks we can identify, such as launching a social engineering campaign to gain credentials to encrypt a part of the network for a ransomware attack or utilizing stolen credentials to log in to a user’s email account and launch a business email compromise (BEC) attack.
Explore TTPs in depth to discover how threat actors gain access to and move through a system, as well as how they successfully launch attacks of all kinds, not just ransomware.
The Top 10 Ransomware TTPs
Stage 3: Initial Access Techniques
In the modern cybersecurity world of cloud environments and hybrid work, threat actors have become adept at evading security solutions by pivoting rapidly and employing multiple paths to value. But every breach of an environment begins somewhere, a point the cybersecurity community refers to as “initial access.” This is the third stage of attack, as defined by the MITRE ATT&CK framework (following “reconnaissance” and “resource development”). Research from Arctic Wolf Labs reveals that ransomware attacks begin with threat actors gaining initial access through TTPs like the following:
T1133 — External Remote Services
Remote services like virtual private networks (VPNs) and remote desktop protocol (RDP) enable users to connect to internal network resources from anywhere in the world with an internet connection. These services are managed by remote service gateways which handle connections and credential authentication. Ransomware affiliates and initial access brokers will leverage these externally facing remote services to obtain initial access into the environment.
Why Threat Actors Use It
Often, these services are not adequately protected, with inadequate configuration or outright misconfigurations leaving them exposed and vulnerable. Threat actors are often able to use brute-force or password-spraying techniques to uncover default system passwords and gain access to an organization’s environment.
Unsecured RDP led to the majority of ransomware cases investigated by Arctic Wolf in 2025. Explore this threat in depth with the Arctic Wolf 2025 Threat Report.
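As an added illustration of the detection side of this TTP (example code, not Arctic Wolf's tooling), the following Python flags password spraying in failed-logon records: many distinct accounts tried from one source inside a short window. The record layout, the sample addresses and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (timestamp, source address, account), in the
# shape a SIEM might give Windows Event ID 4625 from an RDP gateway; all invented.
FAILED_LOGONS = [
    ("2025-03-01T02:00:01", "203.0.113.9", "alice"),
    ("2025-03-01T02:00:04", "203.0.113.9", "bob"),
    ("2025-03-01T02:00:07", "203.0.113.9", "carol"),
    ("2025-03-01T02:00:11", "203.0.113.9", "dave"),
    ("2025-03-01T02:00:15", "203.0.113.9", "erin"),
    ("2025-03-01T02:00:19", "203.0.113.9", "frank"),
    ("2025-03-01T02:00:23", "203.0.113.9", "grace"),
    ("2025-03-01T02:00:27", "203.0.113.9", "heidi"),
    ("2025-03-01T02:00:31", "203.0.113.9", "ivan"),
    ("2025-03-01T02:00:35", "203.0.113.9", "judy"),
    ("2025-03-01T02:00:39", "203.0.113.9", "mallory"),
    # One user mistyping a password from an office address: noise, not a spray.
    ("2025-03-01T09:12:00", "198.51.100.4", "alice"),
    ("2025-03-01T09:12:05", "198.51.100.4", "alice"),
    ("2025-03-01T09:12:09", "198.51.100.4", "alice"),
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=10):
    """Return {source: sorted accounts} for sources whose failed logons touched at
    least `min_accounts` distinct accounts within any span of length `window`.

    Spraying tries one password against many accounts, so the signal is the
    distinct-account count per source, not the failure count per account
    (which is what lockout policies and brute-force rules already watch).
    """
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((datetime.fromisoformat(ts), user))
    hits = {}
    for src, recs in by_src.items():
        recs.sort()
        start, best = 0, set()
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            accounts = {user for _, user in recs[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            hits[src] = sorted(best)
    return hits
```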
T1190 — Exploit Public-Facing Application
Public-facing applications are anything from email servers and VPN services to APIs and Microsoft Exchange Servers. Ransomware affiliates hunt for misconfigurations in these applications or try to leverage known vulnerabilities and zero days against them in the hopes these have not yet been remediated and can be used to obtain initial access.
Why Threat Actors Use It
Threat actors make disproportionate use of a relatively small collection of proven vulnerabilities — many of them more than a year old. The reason for this is simple: It takes a threat actor a great deal of time and effort to learn how to effectively exploit a particular vulnerability in a public-facing application to aid them in their ransomware attacks. Because of this learning curve, they’ll continue to use the vulnerability so long as there are environments where it hasn’t been patched or mitigated.

Stage 4: Execution
After obtaining initial access through one of the means listed in the previous section, threat actors run malicious code on the compromised endpoint, often via this popular TTP:
T1059.001 — Command and Scripting Interpreter: PowerShell
PowerShell is a Windows command-line interface and scripting environment which threat actors can abuse to achieve execution. In a threat actor’s hands, PowerShell can be used to deploy payloads, execute commands, download files from a command and control (C2) server, run credential harvesting tools, and more.
Why Threat Actors Use It
PowerShell continues to be a tool of choice within the cybercrime community for at least a few reasons:
1. PowerShell comes preinstalled on most Microsoft Windows systems targeted by threat actors, providing a convenient means of executing malicious code following initial access.
2. As a ubiquitous utility, PowerShell’s use isn’t by itself a symptom of an intrusion, which helps threat actors to evade detection by endpoint protection and monitoring solutions. By “living off the land” (LotL) — leveraging tools already used in a target environment to bypass detections and abuse allowlists — they make it harder for security teams to investigate, as it’s more difficult to separate illegitimate use from legitimate use.
3. With some effort, PowerShell can be downgraded to an older version with reduced logging capabilities, making it even harder for security solutions to detect anomalous activity, especially when process creation and other critical events on endpoints are not externally monitored.
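An added example (not Arctic Wolf's or Microsoft's code) of turning point 3 into a detection: it checks Windows PowerShell engine-lifecycle log entries for an engine version older than the host that loaded it, and checks process command lines for an explicit version-2 request. The record layout, the host names and the `ENGINE_EVENTS` sample are assumptions.

```python
import re

# Constructed Windows PowerShell log records (Event ID 400, "Engine state is
# changed") in the shape a log collector might store them; values are invented.
ENGINE_EVENTS = [
    {"host": "WS01", "event_id": 400,
     "message": "Engine state is changed from None to Available.\n"
                "Details:\n\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
                "\tEngineVersion=5.1.19041.1\n"},
    {"host": "WS02", "event_id": 400,
     "message": "Engine state is changed from None to Available.\n"
                "Details:\n\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
                "\tEngineVersion=2.0\n"},
    {"host": "WS02", "event_id": 403,
     "message": "Engine state is changed from Available to Stopped."},
]

_VERSION_FIELD = re.compile(r"^\s*(HostVersion|EngineVersion)=([\d.]+)", re.M)
# "-v 2", "-Version 2.0" and the abbreviations in between on a powershell.exe line.
_V2_SWITCH = re.compile(r"(?<!\S)-v\w*\s+2(?:\.0)?(?!\S)", re.I)


def parse_versions(message):
    """Extract HostVersion/EngineVersion from an Event ID 400 message as int tuples."""
    return {name: tuple(int(p) for p in ver.split("."))
            for name, ver in _VERSION_FIELD.findall(message)}


def find_engine_downgrades(events):
    """Return (host, engine_version, host_version) for engine-start records where
    the engine's major.minor is older than the host that started it: a v5 host
    running a v2 engine is the downgrade described above."""
    hits = []
    for ev in events:
        if ev["event_id"] != 400:
            continue
        versions = parse_versions(ev["message"])
        if "EngineVersion" not in versions or "HostVersion" not in versions:
            continue
        engine, host = versions["EngineVersion"], versions["HostVersion"]
        if engine[:2] < host[:2]:
            hits.append((ev["host"],
                         ".".join(map(str, engine)), ".".join(map(str, host))))
    return hits


def requests_engine_v2(cmdline):
    """True when a process command line explicitly asks for the v2 engine."""
    return bool(_V2_SWITCH.search(cmdline))
```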
Stage 6: Privilege Escalation
Once threat actors have secured a foothold in the environment and established means of maintaining that access through system shutdowns, resets, and restarts, they turn their attention to expanding the scope of their attack. Here’s just one way they can do so:
T1078 — Valid Accounts
Whether gained through initial access brokers, purchased on the dark web, obtained through social engineering, or scraped from credential harvesting tools, threat actors looking to leverage this TTP are in possession of valid user credentials that grant them greater vertical and horizontal access to the environment, allowing them to enter restricted areas of networks.
Why Threat Actors Use It
Valid credentials are a golden ticket for threat actors. They require no special coding or tooling to use and are as easy as entering a username and password to execute. Given that 72% of Arctic Wolf Active Response Actions in 2024 were identity-based, credentials play a critical role in both attacks and attack response. And, by using valid credentials, the threat actor gains more time and raises fewer red flags, as a valid user accessing a portion of the environment for which they have permission doesn’t cause tools to alert until that user’s digital identity begins behaving in unexpected, erratic ways.
Stage 8: Credential Access
If the valid accounts used in the privilege escalation phase did not give the threat actor control of a domain-level account, they will now attempt to obtain those privileges using one of several TTPs, like this common one:
T1003.001 — OS Credential Dumping: LSASS Memory
When a user logs on to the network, the Local Security Authority Subsystem Service (LSASS) stores their access credentials in its process memory. Threat actors can harvest this material using open-source tools such as Mimikatz — which pulls credential information like hashes, passwords, and Kerberos tickets.
Why Threat Actors Use It
While modern detection and response technology, if properly configured, can detect this kind of activity, it remains popular with threat actors for the sheer amount of credential material stored in LSASS memory. If successful, they gain access to high-privilege account credentials that allow them to create new user accounts to maintain persistence, remove accounts to improve evasion, and greatly aid lateral movement.
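As an added defender-side example (not Arctic Wolf's or Sysmon's code), this flags processes that open LSASS with memory-read rights and are not on an allowlist, using the `SourceImage`, `TargetImage` and `GrantedAccess` fields that Sysmon Event ID 10 provides. The sample records, host names and allowlist contents are assumptions; the allowlist has to be tuned to the environment's own security agents.

```python
# Access right that must be present to read another process's memory
# (PROCESS_VM_READ from the Win32 process access rights).
PROCESS_VM_READ = 0x0010

# Illustrative allowlist of images that legitimately open LSASS (assumption;
# a real one also carries the EDR/AV agents deployed in the environment).
ALLOWED_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed Sysmon Event ID 10 (ProcessAccess) records; paths are invented.
PROCESS_ACCESS_EVENTS = [
    {"host": "DC01", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"host": "WS03", "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"host": "WS03", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"host": "WS03", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1410"},
]


def is_lsass(image_path):
    return image_path.lower().endswith(r"\lsass.exe")


def find_suspicious_lsass_access(events, allowlist=ALLOWED_LSASS_READERS):
    """Return (host, source_image, granted_access) for every process outside
    the allowlist that opened LSASS with PROCESS_VM_READ in its access mask.

    0x1010 is VM_READ plus QUERY_LIMITED_INFORMATION, enough to read the
    process's memory; 0x1000 alone only queries metadata, so a service that
    merely enumerates LSASS is not reported.
    """
    hits = []
    for ev in events:
        if not is_lsass(ev["TargetImage"]):
            continue
        mask = int(ev["GrantedAccess"], 16)
        if (mask & PROCESS_VM_READ) == 0:
            continue
        if ev["SourceImage"].lower() in allowlist:
            continue
        hits.append((ev["host"], ev["SourceImage"], ev["GrantedAccess"]))
    return hits
```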
Stage 10: Lateral Movement
This stage is critical to a ransomware attack’s success. Without the ability to spread throughout the entire environment, encrypting or locking up all systems, or accessing vital data for exfiltration, threat actors are unlikely to be able to extort payment from an organization. Lateral movement TTPs like this ensure that ability:
T1570 — Lateral Tool Transfer
To infect as many endpoints and as much of a target’s environment as possible, ransomware affiliates will distribute executables and tooling within the victim environment through lateral tool transfer. By using public file-sharing tools like Dropbox or native system tools like the ftp (File Transfer Protocol) utility, threat actors can pass their attack kit across the environment, infecting endpoints and servers as they go.
Why Threat Actors Use It
Many of these tools are used legitimately by organizations and often already exist in the environment. By leveraging them for their own purposes, threat actors can compromise systems, servers, and endpoints quickly while also, as a bonus, hiding their movements.
Stage 11: Collection
This stage encompasses the processes threat actors use to gather valuable data from target environments before exfiltration or encryption. During this stage, they harvest sensitive files, credentials, databases, and system configurations to identify the most valuable or exploitable data. This stage is crucial to double- or triple-extortion attacks, which are now all but the default method used in ransomware attacks.
T1560 — Archive Collected Data
This TTP finds threat actors packaging the data they’ve collected into compressed or encrypted archives before moving to the next stage, exfiltration. They use off-the-shelf utilities like WinRAR, programming libraries like Python rarfile, or custom packing routines of their own devising. Compressing the data reduces the size of the data and can help hide file contents and filenames, something that is made even more effective by encrypting or, at a minimum, password-protecting the archived data. Additionally, because archive utilities are already present in many environments, their use doesn’t raise red flags until it’s too late.
Why Threat Actors Use It
Archiving data makes exfiltration faster, less visible, and more reliable. It lowers the data’s footprint, reduces network transfer time, and avoids volume-based detections. Archiving also allows attackers to group diverse file types like databases and logs into single payloads that can be chunked or split for staged transfer.
Stage 12: Command and Control
It’s now that the ransomware attack truly begins. The threat actor has gained access to your entire environment, gained the ability to spread their malware deep into your system, and has been able to remain inside long enough to execute the attack. Now, they communicate with their external command-and-control (C2) server, using a tool like Cobalt Strike, which issues commands to complete the attack.
T1219 — Remote Access Tools (RATs)
Here, threat actors use and abuse legitimate remote-access and remote-administration software like RMM agents and VPNs to create interactive sessions between their system and the target system for the establishment of command-and-control. They may install commercial tools like AnyDesk and TeamViewer or leverage built-in services like Remote Desktop Protocol (RDP) to establish redundant, hands-on access and to support tasking that is difficult to automate.
Why Threat Actors Use It
Remote access tools give attackers significant advantages in a ransomware attack. They provide a fast, two-way channel that permits the manual delivery and deployment of ransomware. Moreover, they can enumerate networks, access domain controllers, and execute data encryption with the same workflows and access that an admin would have, making detection much more difficult.
Stage 13: Exfiltration
As ransomware attacks have grown in frequency, the cybersecurity industry and business world have increased their efforts at thwarting threat actor efforts, including everything from new security tools to restoring from backups to refusing to pay ransoms. Rather than acting as a deterrent, this has spurred innovation, leading to double extortion — where threat actors exfiltrate the data before encrypting it, then threaten to release the proprietary and private info online if the organization won’t pay — and triple extortion, where the threat actors contact users who’ve had their data exfiltrated directly in the hopes of extracting additional payments from them.
T1048 — Exfiltration Over Alternative Protocol
Here, threat actors move their collected and archived data out of the victim environment over a network protocol or channel other than their established command-and-control path. They might also send the data to an alternate network location already under their control. Common channels include FTP/SMB and HTTP(S), DNS tunneling, and things as simple as cloud uploads or emails. This is a flexible, multi-vector exfiltration TTP that helps threat actors bypass detections tuned to command-and-control traffic.
Why Threat Actors Use It
This exfiltration TTP helps threat actors evade detection by blending their transfers into normal environment traffic and slipping past the cybersecurity solutions designed to monitor and control outbound traffic. As double- and triple-extortion have become the norm, threat actors have turned to reliable, covert exfiltration to steal sensitive data prior to encryption, and this TTP helps them do so while avoiding detection.
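An added detection example (not Arctic Wolf's code) for the DNS-tunneling case mentioned above: it scores each base domain in a DNS query log by query count, mean Shannon entropy and mean length of the subdomain part, which is where tunneled data is carried. The log format, domain names and thresholds are assumptions, and taking the last two labels as the base domain is a simplification that a production rule would replace with a public-suffix lookup.

```python
import math
from collections import defaultdict

# Constructed DNS query log, one "timestamp client qtype qname" per line; all invented.
DNS_LOG = """\
2025-03-01T10:00:00 10.0.0.5 A www.example.com
2025-03-01T10:00:01 10.0.0.5 A mail.example.com
2025-03-01T10:00:02 10.0.0.5 TXT 4d7a9f1c0b3e8a2d5f6c1e9b7a0d3c2f.e4b1.tunnel-host.test
2025-03-01T10:00:02 10.0.0.5 TXT 9c2e5b8a1f4d7c0e3a6b9d2f5c8e1a4b.e4b2.tunnel-host.test
2025-03-01T10:00:03 10.0.0.5 TXT 1f8b3d6a9c2e5f0b4d7a1c3e6b9f2d5a.e4b3.tunnel-host.test
2025-03-01T10:00:03 10.0.0.5 TXT 7e0a4c9f2b5d8e1a3c6f9b2d5a8c1e4f.e4b4.tunnel-host.test
2025-03-01T10:00:04 10.0.0.5 TXT b5d8a1c4e7f0b3d6a9c2e5f8b1d4a7c0.e4b5.tunnel-host.test
2025-03-01T10:00:05 10.0.0.7 A cdn.example.com
"""


def shannon_entropy(text):
    """Bits per character: hex or base32 payloads approach 4 or 5, hostnames sit lower."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (base domain, subdomain part).
    Simplification: the base domain is taken to be the last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def find_dns_tunnels(log, min_queries=5, min_entropy=3.0, min_sub_len=30):
    """Return {base_domain: stats} for domains whose subdomains look like
    encoded data: many queries carrying long, high-entropy subdomain strings."""
    stats = defaultdict(lambda: {"queries": 0, "ent": 0.0, "len": 0, "clients": set()})
    for line in log.splitlines():
        _ts, client, _qtype, qname = line.split()
        base, sub = split_name(qname)
        st = stats[base]
        st["queries"] += 1
        st["ent"] += shannon_entropy(sub.replace(".", ""))
        st["len"] += len(sub)
        st["clients"].add(client)
    hits = {}
    for base, st in stats.items():
        avg_ent = st["ent"] / st["queries"]
        avg_len = st["len"] / st["queries"]
        if st["queries"] >= min_queries and avg_ent >= min_entropy and avg_len >= min_sub_len:
            hits[base] = {"queries": st["queries"], "avg_entropy": round(avg_ent, 2),
                          "avg_subdomain_len": round(avg_len, 1),
                          "clients": sorted(st["clients"])}
    return hits
```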
Stage 14: Impact
This is the attack’s endgame: the moment when access and control evolve into damage. Threat actors seize critical systems, corrupt or encrypt data, and interfere with business continuity, all to achieve their financial goals. At this stage, attackers may also target system boot records, firmware, or hypervisors to further sabotage recovery pathways. Once an attack has reached this stage, the target organization’s operational capabilities have likely been impaired or destroyed, and the organization must act quickly to respond.
T1486 — Data Encrypted for Impact
The perennial favorite of this stage, this TTP finds threat actors encrypting files, volumes, or entire systems to deny access and disrupt availability. Ransomware attacks will often include the disabling or deleting of shadow copies, the wiping of online backups, and the manipulation of file permissions to further prevent recovery. Well-implemented cryptography in the encryption routine — such as asymmetric algorithms (e.g., RSA) — makes decryption without the key infeasible and negotiation inevitable.
Why Threat Actors Use It
This is the heart and soul of a ransomware attack — where operational pain is created to bring about financial gain. With control over the decryption keys and (often) a full copy of the organization’s data already exfiltrated, threat actors gain powerful leverage. Encryption prevents workarounds, amplifies psychological stress, hampers or halts business operations, and often expedites the payment of a ransom.
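As an added detection example (not Arctic Wolf's code) for the recovery-sabotage behaviors named above, this matches process-creation command lines against the shadow-copy, backup-catalog and boot-recovery changes that precede encryption, and raises severity when one host shows several of them. The record layout, host names and user names are assumptions.

```python
import re

# Constructed process-creation records (Windows Event ID 4688 / Sysmon Event ID 1
# reduced to host, user and command line); all values are invented.
PROCESS_EVENTS = [
    {"host": "FS01", "user": r"CORP\svc_backup",
     "cmdline": r'"C:\Program Files\BackupVendor\agent.exe" --job nightly'},
    {"host": "FS01", "user": r"CORP\jdoe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "user": r"CORP\jdoe",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"host": "FS01", "user": r"CORP\jdoe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "WS07", "user": r"CORP\admin",
     "cmdline": "vssadmin.exe list shadows"},   # read-only: not tampering
]

# (behaviour name, case-insensitive pattern over the full command line)
RECOVERY_TAMPERING_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
]


def find_recovery_tampering(events, rules=RECOVERY_TAMPERING_RULES):
    """Return (host, user, behaviour) for each command line matching a rule."""
    hits = []
    for ev in events:
        for name, pattern in rules:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], ev["user"], name))
                break
    return hits


def hosts_staging_encryption(hits, min_behaviours=2):
    """Hosts showing two or more distinct tampering behaviours: the combination,
    more than any single command, is characteristic of pre-encryption staging."""
    per_host = {}
    for host, _user, name in hits:
        per_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= min_behaviours)
```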
How To Defend Against the Top 10 Ransomware TTPs
As with all attack vectors, the best defense involves a comprehensive security strategy that contains proactive and reactive components. By examining the common TTPs exploited by ransomware groups and individual threat actors, we can recommend the following actions, which should occur in parallel and continuously, to reduce your cyber risk while improving your security posture.
1. Endpoint Detection and Response (EDR)
EDR provides continuous visibility, behavioral monitoring, and rapid containment at the endpoint level — which is the most common entry and execution point for most ransomware attacks. EDR solutions analyze process behavior, file changes, and system calls in real time to identify suspicious activity like the disabling of backups or privilege escalation. EDR also enables forensic investigation and root cause analysis, two vital aspects of post-breach analysis that help harden environments against future ransomware attacks.
2. Identity and Access Controls
Be it through social engineering, the purchase of stolen credentials, or even a brute-force attack, access often begins with a password. In addition, credentials can be used by the threat actor to gain privileged access, allowing them to deploy ransomware into critical parts of the network.
Proactive and reactive measures security teams can take to improve credential security include:
- Implementing MFA
- Conducting dark web monitoring
- Hardening Active Directory
- Embracing the principle of least privilege access (PoLP), supported by a zero trust access model, role-based access control, and privileged access management (PAM)
- Delivering comprehensive user security training
3. Ongoing Vulnerability Management
While zero-days make headlines, it’s often known, unpatched vulnerabilities that allow threat actors to gain access to a network or system. By staying on top of vulnerabilities, an organization goes a long way in hardening its attack surface. A full vulnerability management program prioritizes continuous vulnerability assessment and remediation, with the other components of the program complementing and assisting overall remediation and mitigation.
4. Managed Detection and Response (MDR)
Monitoring the entire IT estate, not just the endpoint, is critical for preventing complex attacks, especially as threat actors utilize legitimate programs, such as PowerShell and Active Directory, for malicious ends. Without proper monitoring and detection, unusual behavior in those programs would go unnoticed. In addition, the swift detection and response capabilities embedded in MDR solutions allow your organization to help stop a ransomware threat while the threat actors try to gain initial access or before they can move laterally.
5. Incident Response
An insurance-approved incident response (IR) team provides the full suite of services needed to recover from a cyber attack like ransomware and aims to quickly restore business operations to pre-incident conditions. A proper IR team will remove the threat actor from your environment, negotiate with threat actors, determine the root cause and extent of the attack, and restore critical systems.
Learn more about the ransomware ecosystem – from RaaS operators to ransom demands to how ransomware attacks work – with our interactive resource, Ransomware Explained.
Gain an in-depth understanding of some of the critical decision points organizations are faced with during a ransomware incident in our on-demand webinar, Experience Ransomware Without the Ransom.
Get an inside look at how Concierge Security experts within Arctic Wolf’s industry-leading Security Operations triage workflow investigated, escalated, and remediated a ransomware attack on a local government organization.
