The ransom note appears on every screen in your office. Files are encrypted. Systems are locked. Someone is demanding $85,000 in Bitcoin within 72 hours.
Everyone panics about the ransom. But here is what your incident response team knows — and what most business owners have never been told:
The attacker has been living inside your network for three weeks.
The Ransom Note Is Not the Beginning. It Is the End.
Modern ransomware attacks are not smash-and-grab operations. They are methodical, patient, and thorough. Incident responders call the period between initial compromise and detonation of the final payload the dwell time. Published incident-response reports put typical ransomware dwell times at roughly 10 to 24 days, varying by threat group, dataset and year, with some of the more sophisticated operations staying hidden for months.
During that entire window, the attacker is not sitting idle. They are working. And what they do during dwell time is precisely what makes ransomware so catastrophic compared to other types of security incidents.
What Attackers Actually Do While You Are Not Looking
Week One: Getting In and Getting Comfortable
Initial access usually comes from one of three vectors: a phishing email that harvests credentials or delivers a loader, an exposed Remote Desktop Protocol port protected by a weak or reused password, or an unpatched vulnerability in internet-facing software such as a VPN appliance or web server. Once inside, the first priority is simple: do not get caught.
The attacker establishes a quiet foothold, typically one compromised user account plus a persistence mechanism such as a remote-access tool or scheduled task, so that access survives a reboot or a password reset. Then they study your environment carefully. What software is running? What does the network architecture look like? Who are the administrators? Where is the sensitive data stored? And critically, where are the backups, and which accounts can reach them?
Week Two: Lateral Movement
Now they start spreading. Using the initially compromised account as a base, they escalate privileges, often through unpatched local vulnerabilities, misconfigured services, or credentials harvested from memory (the LSASS process on Windows) and from scripts and config files, until they hold domain administrator rights. With those rights they can log on to every domain-joined machine on your network, including the servers that run your backups.
This phase is called lateral movement, and it is where your security tooling either catches the intruder or misses them entirely. Most small businesses do not have the monitoring coverage to detect slow, deliberate lateral movement. The attacker knows this and moves carefully, mimicking the kind of admin activity that blends into normal network noise.
Week Three: The Setup
Before a single file is encrypted, sophisticated ransomware groups execute three critical preparatory steps:
- Exfiltrate your data first. Customer records, financial statements, employee files, contracts, intellectual property: they copy it all to infrastructure they control before encryption begins, often disguised as ordinary outbound traffic to a cloud storage service. This enables double extortion: pay once for a decryption key, and pay again to stop the stolen data from being published. Many victims end up paying twice, and a clean restore from backup does nothing about the copy the attacker already holds.
- Identify and destroy your backups. Cloud backup connections, NAS shares visible on the network, Windows Volume Shadow Copies, backup catalogs and tape backup software: they map all of it and delete, encrypt, or corrupt whatever the credentials they hold can reach. This is why "just restore from backup" is often not the relief businesses expect it to be after an incident.
- Disable your security software. Antivirus processes are terminated, Windows Defender real-time protection is turned off, and EDR agents are killed or uninstalled where possible. This is why EDR tamper protection matters, and why an agent that suddenly stops reporting should itself be treated as an alert. They are methodically clearing the path for the final strike before pulling the trigger.
Then, when everything is staged, usually at a moment when nobody is watching (a Friday afternoon, a holiday weekend, or the middle of the night), they detonate.
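The backup-destruction and defence-disabling steps above leave a trail in process-creation telemetry (Sysmon Event ID 1 or Windows event 4688), and they are among the highest-value detections a small environment can run, because they fire before encryption starts. The following is an added example written for this article, not a tool from the original text: a handful of command-line rules for shadow-copy deletion, backup-catalog deletion, recovery disabling and Defender tampering, run over constructed sample events (the host names, user names and timestamps are invented), plus a second pass that escalates any host where several different staging steps fire within a few minutes of each other.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (the shape of Sysmon Event ID 1 or
# Windows 4688 records reduced to the fields that matter). Not real telemetry: the
# attacker-style entries mirror the staging steps described in the article, and the
# last two are benign read-only commands included to check for false positives.
SAMPLE_EVENTS = [
    {"time": "2024-05-10T02:14:03", "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"time": "2024-05-10T02:14:09", "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": "wbadmin delete catalog -quiet"},
    {"time": "2024-05-10T02:14:20", "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"time": "2024-05-10T02:15:41", "host": "WS17", "user": "CORP\\admin.j",
     "cmd": 'powershell -nop -w hidden "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"time": "2024-05-10T02:16:02", "host": "WS17", "user": "CORP\\admin.j",
     "cmd": "wmic shadowcopy delete"},
    {"time": "2024-05-10T09:30:00", "host": "WS04", "user": "CORP\\alice",
     "cmd": "vssadmin list shadows"},
    {"time": "2024-05-10T09:31:12", "host": "WS04", "user": "CORP\\alice",
     "cmd": "powershell Get-MpPreference"},
]

# Each rule names one staging behaviour and the command-line pattern that betrays it.
# Patterns run against a normalised (lower-cased, quote-stripped, whitespace-collapsed)
# command line so that casing and padding tricks do not slip past them.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"
                r"|\bwmic(\.exe)?\s+shadowcopy\s+delete\b"
                r"|win32_shadowcopy.*\bdelete\b")),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b")),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no"
                r"|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("defender_realtime_disabled",
     re.compile(r"\bset-mppreference\b.*-disablerealtimemonitoring\s+(\$true|1)\b")),
]


def normalize(cmd: str) -> str:
    """Lower-case the command line, drop quotes and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", cmd.replace('"', "").replace("'", "")).strip().lower()


def detect_tampering(events):
    """Return one alert per (event, rule) match, preserving event order."""
    alerts = []
    for ev in events:
        cmd = normalize(ev["cmd"])
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({"rule": name, "time": ev["time"], "host": ev["host"],
                               "user": ev["user"], "cmd": ev["cmd"]})
    return alerts


def staged_hosts(alerts, window_minutes: int = 10) -> set:
    """Hosts where two or more distinct rules fired inside one short window.

    A lone 'vssadmin delete shadows' can be an administrator freeing disk space;
    several different destructive steps within minutes of each other is the set-up
    for detonation and deserves an immediate response.
    """
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    flagged = set()
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a["time"])
        for i, first in enumerate(host_alerts):
            t0 = datetime.fromisoformat(first["time"])
            rules = {first["rule"]}
            for later in host_alerts[i + 1:]:
                if datetime.fromisoformat(later["time"]) - t0 > window:
                    break
                rules.add(later["rule"])
            if len(rules) >= 2:
                flagged.add(host)
                break
    return flagged


if __name__ == "__main__":
    found = detect_tampering(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['time']} {a['host']:<5} {a['user']:<16} {a['rule']:<27} {a['cmd']}")
    print("hosts with multiple staging steps in a 10-minute window:",
          sorted(staged_hosts(found)))
```

Run against the sample, the rules fire on the five attacker-style commands and stay quiet on the two read-only ones; both FS01 and WS17 are escalated because more than one distinct staging step lands on each within seconds. In a real deployment these rules belong in the EDR or SIEM with automatic host isolation attached, and the command-line field should be the full one the agent captured, since attackers routinely pad, re-case or quote these commands to dodge naive string matches.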
Why Your Backup Might Not Save You
Business owners often take real comfort in knowing they have backups. Backups are absolutely critical and you should have them. But a backup strategy designed without ransomware dwell time in mind is dangerously incomplete.
If your backups run nightly and an attacker has been in your network for 18 days, every backup from the past 18 days may already be compromised: encrypted or deleted outright, or quietly preserving the attacker's persistence (the compromised accounts, implanted tools and scheduled tasks), so that restoring from them hands the intruder their access straight back.
A genuinely ransomware-resilient backup strategy requires four things working together:
- Immutable backups, stored using write-once (object lock or WORM) technology so that, for the length of the retention lock, no account can modify or delete them, including administrator accounts and the service account the backup software itself runs under
- Offline or air-gapped copies — physically or logically disconnected from your primary network so an attacker with domain admin credentials cannot reach them
- Deep retention windows, keeping distinct restore points going back at least 30 to 90 days, so you can realistically roll back to a point that predates the initial compromise rather than only to the latest snapshot
- Regular, tested restores — because a backup you have never verified actually works is not a backup. It is a hope.
How to Catch Attackers During Dwell Time
The goal is to detect and evict the attacker before they pull the trigger — not after. That requires visibility into your environment that most small businesses simply do not have today.
Endpoint Detection and Response
EDR tools operate on a fundamentally different model than antivirus. Instead of matching known malware signatures, they record process, file, network and logon activity on each endpoint and watch for behavioral anomalies: an account authenticating at 3 AM from an unusual location, a process reading and rewriting thousands of files in rapid sequence, a script trying to stop security services or delete shadow copies. These are behavioral indicators of attack, and a properly tuned EDR raises them in near real time, with the option to isolate the host automatically.
SIEM and Centralized Log Monitoring
A Security Information and Event Management platform aggregates logs from endpoints, servers, firewalls, identity providers and cloud services, then correlates them to surface patterns that no single log source would reveal alone. A burst of failed logins for one user from one IP on the VPN, followed by a successful logon for that user at an unusual hour from a different IP on a domain controller: that is a red flag that only becomes visible when both sources land in the same place and the timeline is stitched together. Without centralized log aggregation and retention, nobody connects those dots.
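The correlation just described, and the off-hours logon the EDR paragraph mentions, are simple enough to express as code. The block below is an added example for this article, not part of the original text or of any particular SIEM product: it parses constructed log lines (invented hosts, users, addresses and times) in a simplified key=value syslog shape, where failures come from a VPN gateway and the success from a domain controller, and flags any successful logon preceded within an hour by a burst of failures for the same account from one source address, noting whether the source changed and whether the logon fell outside business hours.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines standing in for two real sources: failed VPN logins reported
# by 'vpn01' and logons reported by the domain controller 'dc01'. Neither source on
# its own shows the pattern; stitched together on one timeline, they do.
SAMPLE_LOG = """\
2024-05-09T03:02:11 vpn01 auth=FAILED user=jsmith src=203.0.113.7
2024-05-09T03:02:40 vpn01 auth=FAILED user=jsmith src=203.0.113.7
2024-05-09T03:03:05 vpn01 auth=FAILED user=jsmith src=203.0.113.7
2024-05-09T03:03:38 vpn01 auth=FAILED user=jsmith src=203.0.113.7
2024-05-09T03:04:12 vpn01 auth=FAILED user=jsmith src=203.0.113.7
2024-05-09T03:04:51 vpn01 auth=FAILED user=jsmith src=203.0.113.7
2024-05-09T03:12:30 dc01 auth=SUCCESS user=jsmith src=198.51.100.23
2024-05-09T03:20:02 vpn01 auth=FAILED user=alice src=203.0.113.7
2024-05-09T03:20:33 vpn01 auth=FAILED user=alice src=203.0.113.7
2024-05-09T03:21:07 vpn01 auth=FAILED user=alice src=203.0.113.7
2024-05-09T03:21:40 vpn01 auth=FAILED user=alice src=203.0.113.7
2024-05-09T03:22:15 vpn01 auth=FAILED user=alice src=203.0.113.7
2024-05-09T09:00:10 vpn01 auth=FAILED user=bob src=192.0.2.5
2024-05-09T09:00:35 vpn01 auth=FAILED user=bob src=192.0.2.5
2024-05-09T09:01:02 vpn01 auth=SUCCESS user=bob src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth=(?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Parse lines into dicts with a datetime 'ts', oldest first; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def correlate_logins(lines, fail_threshold=5, lookback_minutes=60, business_hours=(7, 19)):
    """Flag a successful logon preceded, within the lookback window, by at least
    fail_threshold failures for the same account from a single source address.

    Each alert records whether the success came from a different address than the
    failures and whether it fell outside business_hours; both together rate 'high'.
    """
    lookback = timedelta(minutes=lookback_minutes)
    start_hour, end_hour = business_hours
    failures = defaultdict(list)        # user -> [(ts, src), ...] seen so far
    alerts = []
    for ev in parse(lines):
        if ev["result"] == "FAILED":
            failures[ev["user"]].append((ev["ts"], ev["src"]))
            continue
        # SUCCESS: count this user's recent failures, grouped by source address
        recent = [(ts, src) for ts, src in failures[ev["user"]] if ev["ts"] - ts <= lookback]
        per_src = defaultdict(int)
        for _, src in recent:
            per_src[src] += 1
        if not per_src:
            continue
        fail_src, fail_count = max(per_src.items(), key=lambda kv: kv[1])
        if fail_count < fail_threshold:
            continue                    # a user mistyping a password twice is not an attack
        src_changed = ev["src"] != fail_src
        off_hours = not (start_hour <= ev["ts"].hour < end_hour)
        alerts.append({
            "user": ev["user"], "success_time": ev["ts"].isoformat(),
            "success_host": ev["host"], "success_src": ev["src"],
            "fail_src": fail_src, "fail_count": fail_count,
            "src_changed": src_changed, "off_hours": off_hours,
            "severity": "high" if (src_changed and off_hours) else "medium",
        })
        failures[ev["user"]].clear()    # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for alert in correlate_logins(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, only jsmith is flagged: six failures from 203.0.113.7 on the VPN, then a successful logon on the domain controller eight minutes later from 198.51.100.23 at 03:12, so the alert is rated high. bob's two typos followed by a success from the same address are ignored, and alice's burst with no success is a brute-force attempt rather than a compromise and would belong to a separate rule. The thresholds are starting points to tune against your own environment, not fixed values, and the same logic should be fed from every logon source you have (VPN, Windows, identity provider, remote-access tools), which is exactly the aggregation a SIEM exists to provide.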
Managed Detection and Response
For small businesses, the most practical and cost-effective path to real coverage is a Managed Detection and Response service — essentially a dedicated security operations center monitoring your environment around the clock on your behalf. When something suspicious happens at 2 AM on a Sunday morning, a trained analyst is alerted and responds. That is the level of coverage that actually catches attacks during dwell time, before the ransom note ever appears.
The Question You Need to Answer Honestly
Ask yourself right now: if an attacker had been inside your network since last Tuesday, how long would it take you to know? An hour? A week? Would you ever find out on your own?
If you cannot answer that question with genuine confidence, you have a visibility gap. And visibility gaps are precisely what ransomware groups depend on. They are not looking for the most hardened networks — they are looking for the ones where nobody is watching.
At YourTech, we help small businesses across Delray Beach to West Palm Beach close that visibility gap through EDR deployment, immutable backup architecture, and managed monitoring that gives you real, continuous eyes on your network. Not a quarterly report. Not an annual audit. Continuous coverage.
Because the ransom note is not the attack. The attack started weeks ago.
Contact YourTech today for a security assessment. Find out what might already be in your network — before someone else finds it for you.