Executive Summary
Modern ransomware is not an event. It is a campaign: a sequence of causally linked stages that unfolds over days or weeks before encryption begins. The security industry's obsession with detecting ransomware at the encryption stage is the equivalent of treating a robbery as a problem that starts when the safe opens.
This paper examines the full causal anatomy of contemporary ransomware campaigns, identifies where the real detection leverage sits, and demonstrates how causal chain analysis changes ransomware defense from reactive containment to something you can actually get ahead of.
The Modern Ransomware Timeline
CrowdStrike's 2024 Global Threat Report put the median dwell time for ransomware actors at 16 days. For financially motivated attacks specifically, 18 days. That is 18 days between initial access and impact, 18 days during which the attack is actively progressing through stages that leave causal fingerprints in your telemetry.
The canonical modern ransomware campaign, derived from analysis of LockBit 3.0, BlackCat/ALPHV, and Cl0p intrusions, follows a consistent causal sequence:
Stage 1 - Initial Access (T1566, T1190, T1195)
Phishing email with a weaponized attachment, exploitation of a public-facing application, or supply chain compromise. Entry establishes a foothold on one endpoint.
Stage 2 - Execution (T1059, T1204)
Payload execution via PowerShell scripts, Living-off-the-Land binaries, or malicious macros. Attackers avoid dropping traditional malware where possible, preferring to weaponize legitimate tools.
Stage 3 - Persistence (T1053, T1136, T1543)
Scheduled tasks, new local accounts, or service installation. The attacker ensures they maintain access even if the initial foothold is discovered and cleaned.
Stage 4 - Privilege Escalation (T1068, T1078, T1134)
Local privilege vulnerability exploitation, valid account abuse, or token impersonation. Administrative access is required for the stages that follow.
Stage 5 - Defense Evasion (T1070, T1562, T1027)
Log clearing, security tool tampering, obfuscation. The attacker actively works to reduce their causal fingerprint.
Stage 6 - Credential Access (T1003, T1558, T1552)
LSASS dumping, Kerberoasting, extraction from credential stores. This stage supplies the credentials used for lateral movement.
Stage 7 - Discovery (T1016, T1018, T1082, T1083)
Network reconnaissance, system enumeration, file system mapping. The attacker maps the environment to identify valuable targets.
Stage 8 - Lateral Movement (T1021, T1550)
Using harvested credentials or Pass-the-Hash, the attacker moves to additional systems: backup servers, domain controllers, file shares.
Stage 9 - Exfiltration (T1048, T1041)
Data leaves before encryption. Modern ransomware operators run double extortion: the threat of publishing stolen data is the second ransom lever.
Stage 10 - Impact (T1486, T1490, T1489)
Backup deletion, Volume Shadow Copy removal, encryption deployed across the network.
Most detection programs detect Stage 10. Occasionally Stage 9. Almost never Stage 3 or 4.
Where Detection Leverage Actually Lives
Not all stages offer equal leverage. Causal analysis of these campaigns reveals a consistent pattern: detection leverage peaks in Stages 3 through 6, decreases sharply in Stages 7 and 8, and approaches zero by Stage 9.
Stages 3 through 6 are where attackers perform actions with high causal specificity: things that legitimate users do not do in the combinations and sequences that characterize attack preparation. Scheduled task creation followed by credential dumping followed by LSASS reads is not a pattern produced by any legitimate enterprise workflow. It is, however, exactly the preparation pattern of every major ransomware campaign in the past three years.
Current tooling evaluates each of these events independently. Scheduled task creation is common, often suppressed. LSASS access is common for AV and EDR, often suppressed. Token impersonation depends on context. Each individually looks like noise. Together, causally linked in sequence, they constitute a near-certain ransomware preparation signal.
By Stage 9, the attacker has achieved their primary objectives. Data is already leaving or already gone. Detecting encryption at Stage 10 enables containment, not prevention. The business case for causal detection is not just accuracy; it is timing. Detection at Stage 4 means you isolated two compromised workstations. Detection at Stage 10 means you rebuilt your infrastructure.
The BlackCat/ALPHV Pattern in Practice
BlackCat/ALPHV operations in 2023-2024 exhibited a consistent causal pattern:
- T+0h: Phishing payload delivered, user executes document, macro spawns cmd.exe
- T+0h: cmd.exe spawns powershell.exe with encoded command, downloads secondary payload
- T+2h: Secondary payload writes scheduled task for persistence
- T+4h: Scheduled task executes, LSASS dump initiated
- T+6h: Credentials used to authenticate to domain controller via SMB
- T+8h: Domain controller enumeration using net and dsquery
- T+24h: Mass SMB lateral movement begins
MITRE technique sequence: T1566.001 to T1059.003 to T1059.001 to T1053.005 to T1003.001 to T1021.002 to T1018 to T1021.002 at scale.
TRA-CE's causal chain engine builds this chain from raw events, linking nodes via process lineage (T+0h through T+4h are PROVABLE by parent-child process relationship) and temporal-plus-technique correlation (T+4h through T+24h are MIXED, corroborated by MITRE technique sequence alignment).
The chain reaches detection threshold at T+4h: the LSASS dump, eight hours after initial access and twenty hours before mass lateral movement. That is the intervention window.
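The following is an added illustration, not TRA-CE's engine or code, of how a chain builder can turn the timeline above into the kind of Stage 3 through 6 signal described under "Where Detection Leverage Actually Lives". It links events into a chain by process lineage (PROVABLE) when a parent-child relationship exists on the same host, and otherwise by temporal-plus-technique correlation (MIXED) against the known campaign sequence, then fires when persistence (T1053) is followed by credential dumping (T1003) in the same chain. The telemetry, host names, pids and the 24-hour correlation window are constructed; in particular, the LSASS-access process is modelled as a direct child of the task-creating process for simplicity, where real telemetry would link it through the Task Scheduler service.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Event:
    t: float              # hours after the first observed event (constructed timeline)
    host: str
    technique: str        # ATT&CK technique id assigned by the sensor rule that saw it
    pid: int
    ppid: Optional[int]   # parent pid on the same host; None when not a child of a known process
    detail: str


# Constructed telemetry following the BlackCat/ALPHV timeline above, plus one
# unrelated scheduled-task creation on another workstation as noise.
EVENTS = [
    Event(0.0, "WS01", "T1566.001", 200, None, "winword.exe opens weaponized attachment"),
    Event(0.1, "WS01", "T1059.003", 300, 200, "cmd.exe spawned by document macro"),
    Event(0.2, "WS01", "T1059.001", 400, 300, "powershell.exe -EncodedCommand fetches payload"),
    Event(2.0, "WS01", "T1053.005", 500, 400, "schtasks.exe /create persistence task"),
    Event(3.0, "WS07", "T1053.005", 510, 505, "schtasks.exe /create by a software updater (benign)"),
    Event(4.0, "WS01", "T1003.001", 600, 500, "task payload opens handle to lsass.exe (simplified lineage)"),
    Event(6.0, "DC01", "T1021.002", 700, None, "SMB logon to DC01 with harvested credentials"),
    Event(8.0, "DC01", "T1018", 800, None, "net.exe and dsquery.exe enumeration"),
    Event(24.0, "FS01", "T1021.002", 900, None, "SMB logon fan-out to file servers"),
]

# Known campaign technique order (the sequence given in the text); used for MIXED links.
CAMPAIGN_SEQUENCE = ["T1566.001", "T1059.003", "T1059.001", "T1053.005",
                     "T1003.001", "T1021.002", "T1018"]
CORRELATION_WINDOW_H = 24.0   # assumed window for temporal correlation


@dataclass
class Node:
    event: Event
    link: str                  # "ROOT", "PROVABLE" (process lineage) or "MIXED" (time + technique)
    parent: Optional["Node"]


@dataclass
class Chain:
    nodes: List[Node] = field(default_factory=list)

    @property
    def hosts(self):
        return {n.event.host for n in self.nodes}


def seq_index(technique: str) -> int:
    return CAMPAIGN_SEQUENCE.index(technique) if technique in CAMPAIGN_SEQUENCE else -1


def build_chains(events: List[Event]) -> List[Chain]:
    chains: List[Chain] = []
    for ev in sorted(events, key=lambda e: e.t):
        linked = False
        for chain in chains:
            # PROVABLE: the event's process is a child of a process already in the chain.
            parent = next((n for n in chain.nodes
                           if n.event.host == ev.host and n.event.pid == ev.ppid), None)
            if parent is not None:
                chain.nodes.append(Node(ev, "PROVABLE", parent))
                linked = True
                break
            # MIXED: inside the window, not earlier in the known sequence than its
            # predecessor, and either on a host the chain already touched or a
            # lateral-movement technique (the only way a chain reaches a new host).
            if seq_index(ev.technique) < 0:
                continue
            cands = [n for n in chain.nodes
                     if ev.t - n.event.t <= CORRELATION_WINDOW_H
                     and seq_index(n.event.technique) <= seq_index(ev.technique)]
            if cands and (ev.host in chain.hosts or ev.technique.startswith("T1021")):
                chain.nodes.append(Node(ev, "MIXED", cands[-1]))
                linked = True
                break
        if not linked:
            chains.append(Chain([Node(ev, "ROOT", None)]))
    return chains


def grade_at(node: Node) -> str:
    """Chain grade up to a node: PROVABLE only if every link back to the root is lineage."""
    while node is not None:
        if node.link == "MIXED":
            return "MIXED"
        node = node.parent
    return "PROVABLE"


def detect(chains: List[Chain]) -> list:
    """Fire once per chain when persistence (T1053) is followed by credential dumping (T1003)."""
    alerts = []
    for chain in chains:
        seen_persistence = False
        for node in chain.nodes:
            tech = node.event.technique
            if tech.startswith("T1053"):
                seen_persistence = True
            elif tech.startswith("T1003") and seen_persistence:
                alerts.append({
                    "t": node.event.t, "grade": grade_at(node),
                    # hosts known to be involved at alert time, i.e. what to isolate now
                    "hosts": sorted({n.event.host for n in chain.nodes if n.event.t <= node.event.t}),
                })
                break
    return alerts


if __name__ == "__main__":
    for chain in build_chains(EVENTS):
        for n in chain.nodes:
            print(f"T+{n.event.t:>4}h {n.event.host:5} {n.event.technique:10} {n.link:8} {n.event.detail}")
        print()
    print(detect(build_chains(EVENTS)))
```

The alert lands at T+4h with grade PROVABLE and a single host to isolate, while the later DC01 and FS01 links are MIXED because they rest on timing and technique order rather than lineage. The benign WS07 task creation stays unchained because nothing in the chain reaches that host.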
The counterfactual analysis from this chain: Application Allowlisting breaks it at T+0h (document macro execution blocked). Credential Guard breaks it at T+4h (LSASS protected memory). Network segmentation blocking SMB between endpoints and domain controllers breaks it at T+5h. Three controls, three distinct breaking points, all identified from the causal structure of the chain.
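As an added example, not TRA-CE's implementation, the counterfactual step above can be expressed as a predicate per control evaluated over the ordered chain: the break point is the first step the control would have stopped, and everything after it is the prevented remainder. The chain timestamps follow the list above; the controls are the three named in the text plus a fourth, encryption-stage detection, which is keyed on T1486 and therefore never breaks this chain. Treating the break time as the timestamp of the first blocked step is a simplification that places the SMB segmentation break at T+6h, the time of the first domain controller logon in the constructed data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Step:
    t: float          # hours after initial access (constructed, from the timeline above)
    technique: str
    target: str       # class of host the step lands on (constructed)


CHAIN: List[Step] = [
    Step(0.0, "T1566.001", "workstation"),
    Step(0.0, "T1059.003", "workstation"),        # macro spawns cmd.exe
    Step(0.0, "T1059.001", "workstation"),
    Step(2.0, "T1053.005", "workstation"),
    Step(4.0, "T1003.001", "workstation"),        # LSASS dump
    Step(6.0, "T1021.002", "domain_controller"),  # SMB to the DC
    Step(8.0, "T1018", "domain_controller"),
    Step(24.0, "T1021.002", "file_server"),       # lateral movement at scale
]

# Each control is a predicate: True when the control would have stopped that step.
CONTROLS: Dict[str, Callable[[Step], bool]] = {
    "Application Allowlisting": lambda s: s.technique == "T1059.003",
    "Credential Guard": lambda s: s.technique == "T1003.001",
    "SMB segmentation (endpoint -> DC)": lambda s: s.technique == "T1021.002"
                                                   and s.target == "domain_controller",
    "Encryption-stage detection": lambda s: s.technique == "T1486",
}


def counterfactual(chain: List[Step], controls: Dict[str, Callable[[Step], bool]]) -> Dict[str, Optional[dict]]:
    """For every control, find the first chain step it blocks and what that prevents."""
    results: Dict[str, Optional[dict]] = {}
    for name, blocks in controls.items():
        idx = next((i for i, s in enumerate(chain) if blocks(s)), None)
        if idx is None:
            results[name] = None          # control never intersects this chain
            continue
        results[name] = {
            "breaks_at_h": chain[idx].t,
            "blocked": chain[idx].technique,
            "steps_prevented": len(chain) - idx - 1,
        }
    return results


def prioritize(results: Dict[str, Optional[dict]]) -> List[str]:
    """Earliest break point first; controls that never break the chain go last."""
    def key(name: str):
        r = results[name]
        return (r is None, r["breaks_at_h"] if r else float("inf"))
    return sorted(results, key=key)


if __name__ == "__main__":
    res = counterfactual(CHAIN, CONTROLS)
    for name in prioritize(res):
        print(f"{name:35} {res[name]}")
```

Running this after a tabletop exercise gives the ranked list the recommendations section asks for: a control that breaks the chain at T+0h and prevents six further steps ranks above one that breaks it at T+6h, and a control that only observes impact ranks last because it prevents nothing.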
Backup Infrastructure: The Blind Spot Within the Blind Spot
One consistently underappreciated element of modern ransomware campaigns is the deliberate targeting of backup infrastructure. Stages 8 and 9 specifically include lateral movement to backup servers and shadow copy deletion, because the attacker understands that backup integrity is the primary recovery path.
Current backup security assumes integrity unless breach is detected. Causal analysis of lateral movement patterns can identify when a compromised identity is accessing backup infrastructure outside their normal behavioral baseline, and it can do this before the backup is deleted rather than after.
TRA-CE's Trust Drift component tracks access patterns to high-value infrastructure including backup servers, domain controllers, and financial systems as a distinct behavioral dimension. An identity whose access pattern shifts toward backup infrastructure while appearing in an active causal chain involving credential dumping generates a compound signal: Trust Drift score combined with causal chain membership. That combination carries an extremely low false positive rate.
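The compound signal can be sketched as follows; this is an added example rather than TRA-CE's Trust Drift model. The drift score is the share of an identity's recent authentications that land on high-value host classes the identity rarely touched in its baseline, so a backup service account that has always logged on to backup servers scores near zero while a workstation user who suddenly does scores high. The score is then combined with membership in an active credential-dumping chain. The authentication records, identities, host classes, the 0.25 threshold and the chain membership set are all constructed.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

HIGH_VALUE = {"backup", "domain_controller", "financial"}

# Constructed authentication records: (identity, class of host authenticated to).
BASELINE: List[Tuple[str, str]] = (
    [("jsmith", "workstation")] * 8 + [("jsmith", "file_share")] * 2
    + [("backupsvc", "backup")] * 10
    + [("tnguyen", "workstation")] * 6
    + [("cgarcia", "workstation")] * 8 + [("cgarcia", "backup")] * 2
)
RECENT: List[Tuple[str, str]] = (
    [("jsmith", "workstation")] * 3 + [("jsmith", "backup")] * 2
    + [("backupsvc", "backup")] * 4
    + [("tnguyen", "workstation")] * 2 + [("tnguyen", "backup")] * 2
    + [("cgarcia", "workstation")] * 3 + [("cgarcia", "backup")] * 1
)

# Identities that appear in an active causal chain containing T1003 (constructed;
# in practice this comes from the chain engine).
CHAIN_IDENTITIES: Set[str] = {"jsmith"}

DRIFT_THRESHOLD = 0.25   # assumed


def trust_drift(identity: str, baseline: List[Tuple[str, str]], recent: List[Tuple[str, str]]) -> float:
    """Share of recent accesses to high-value classes, weighted by how unusual each class is."""
    base = Counter(cls for who, cls in baseline if who == identity)
    now = Counter(cls for who, cls in recent if who == identity)
    if not now:
        return 0.0
    base_total = sum(base.values())
    drift = 0.0
    for cls, n in now.items():
        if cls not in HIGH_VALUE:
            continue
        base_share = base[cls] / base_total if base_total else 0.0
        drift += n * (1.0 - base_share)   # a class never seen in the baseline counts fully
    return drift / sum(now.values())


def signal(identity: str, drift: float, chain_identities: Set[str], threshold: float = DRIFT_THRESHOLD) -> str:
    in_chain = identity in chain_identities
    if in_chain and drift >= threshold:
        return "COMPOUND"     # drift toward high-value infrastructure plus chain membership
    if in_chain:
        return "CHAIN"
    if drift >= threshold:
        return "DRIFT"
    return "NONE"


def evaluate(baseline, recent, chain_identities) -> Dict[str, Tuple[float, str]]:
    out = {}
    for identity in sorted({who for who, _ in recent}):
        d = trust_drift(identity, baseline, recent)
        out[identity] = (d, signal(identity, d, chain_identities))
    return out


if __name__ == "__main__":
    for who, (d, s) in evaluate(BASELINE, RECENT, CHAIN_IDENTITIES).items():
        print(f"{who:10} drift={d:.2f} {s}")
```

Only jsmith produces the compound signal: the drift alone (tnguyen) is worth a look but is not the near-certain case, and cgarcia's backup access sits inside that identity's own baseline. The signal is computed from authentication events, so it is available while the backup server is being reached, before anything on it is deleted.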
The Exfiltration Problem
Double extortion means that perfect ransomware prevention at the encryption stage does not prevent the breach. The data has already left.
Causal analysis of exfiltration at Stage 9 focuses on mechanism rather than volume. Modern ransomware actors use legitimate cloud storage services for staging, which makes volume-based anomaly detection unreliable. What they cannot disguise is the causal chain producing the data: file enumeration, archiving, upload.
The causal pattern of T1083 (file enumeration) followed by T1560 (archive collection) followed by T1048 (exfiltration via alternative protocol) is specific enough to generate a MIXED-grade chain alert at the collection stage, before the upload, and therefore before the data leaves the organization's control.
Practical Recommendations
For security programs building ransomware defense around causal analysis:
Instrument the leverage window. Ensure telemetry coverage for Stages 3 through 6: process creation with full parent-child lineage, LSASS access events, scheduled task creation, service installation, authentication events with device context. These are the events that build PROVABLE and MIXED causal chains in the high-leverage detection window.
Define causal baselines for high-value infrastructure. Domain controllers, backup servers, and financial systems should have explicit causal baseline models. Access to these systems that cannot be traced to a legitimate causal antecedent should escalate automatically.
Use counterfactual analysis to prioritize controls. After every ransomware simulation or tabletop exercise, run causal counterfactual analysis to identify which controls would have broken the chain at which stages. This gives your security program a prioritized, evidence-based control investment roadmap rather than a compliance checklist.
Grade your detections. A PROVABLE chain at Stage 4 is a different response priority than an INFERRED chain at Stage 8. Confidence grading enables appropriate response escalation without flooding incident response teams with low-confidence noise.
Conclusion
Ransomware is a causal phenomenon. It unfolds in sequence. Each stage is produced by the previous one. The detection leverage is in the early stages, where causal fingerprints are distinctive and intervention preserves recovery options.
Detecting ransomware at encryption is not a security program. It is an incident response program. Causal chain analysis moves the detection point 12 to 18 days earlier in the campaign timeline. For most organizations, that is the difference between a security event and an existential crisis.
TRA-CE.ai | Causal Security Intelligence | tra-ce.ai