How does ransomware work?
A typical attack moves through stages: initial access (often via phishing, stolen credentials, or an exploited vulnerability), establishing persistence, escalating privileges, moving laterally, exfiltrating data, and finally deploying the encryption payload. Attackers frequently dwell undetected for days or weeks before triggering encryption.
That dwell time is why recovery is so dangerous: backups taken during this period can already contain the threat. Elastio hunts continuously across recovery points so it can identify the clean boundary — the point in time before the attacker was present.
Elastio hunts for ransomware inside your live, replicated, and backup data and pinpoints the last recovery point proven clean.