Why this step cannot be skipped
We've seen businesses restore from backup within hours of a ransomware attack — and get reinfected within days, sometimes within hours. The attacker's access to the environment wasn't closed. Their persistence mechanisms were still in place. The ransomware was still present on systems that weren't visibly encrypted. Restoring into a compromised environment is restoring into a trap.
Identifying the attack vector is not a post-incident exercise. It is a prerequisite for safe recovery.
The most common ransomware entry points
Phishing emails
Phishing remains the leading initial access vector for ransomware attacks, accounting for a large share of incidents in most industry analyses. Attackers send emails with malicious attachments (macro-enabled Word or Excel documents, PDFs with embedded links) or links to credential-harvesting pages. Once credentials are captured or malware is executed, the attacker has a foothold.
To investigate: Review email gateway logs and Microsoft 365 message traces for suspicious inbound mail in the days and weeks before the attack; the initial email often predates the encryption event by far longer than a few days. Start with the users whose machines were affected first and look for attachments or links they opened, then check whether the same message reached other mailboxes, since one recipient's click is rarely the only one.
Exposed remote access
Remote Desktop Protocol (RDP) exposed to the internet is one of the highest-risk configurations in any business environment. Attackers continuously scan the internet for open RDP ports and use credential stuffing, brute force, and purchased credential lists to gain access. Once in via RDP, they have direct interactive access to your network.
To investigate: Review firewall logs for inbound connections to RDP (TCP port 3389, and any non-standard port forwarded to an RDP host). In the Windows Security event log, look for a burst of failed logons (event ID 4625) followed by a successful logon (event ID 4624, logon type 10 for RDP) from the same unusual IP address or country.
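The "many failures, then one success from the same address" pattern is easy to check mechanically once Security log events are exported. The following is an added example, not code from the original article or from Moore Technology Consulting: it runs the check over a constructed sample of events modelled on the 4624/4625 fields (sample data, IP addresses from the RFC 5737 documentation range, and the `min_failures`/`window` thresholds are all assumptions for illustration).

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 1918 ranges; anything else is treated as external for triage purposes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


# Constructed sample events modelled on Windows Security log fields (not real
# data). 4625 = failed logon, 4624 = successful logon, logon type 10 =
# RemoteInteractive (RDP). With Network Level Authentication enabled, failed
# RDP attempts are usually recorded as logon type 3, so the failure side is
# deliberately not filtered by logon type.
BASE = datetime(2024, 3, 10, 2, 0, 0)


def _event(offset_s, event_id, user, src_ip, logon_type):
    return {"time": BASE + timedelta(seconds=offset_s), "event_id": event_id,
            "user": user, "src_ip": src_ip, "logon_type": logon_type}


SPRAYED_NAMES = ["administrator", "admin", "backup", "scan", "helpdesk"]
SAMPLE_EVENTS = (
    # 25 failures from one external address in about 12 minutes (password spray)
    [_event(30 * i, 4625, u, "203.0.113.45", 3)
     for i, u in enumerate(SPRAYED_NAMES * 5)]
    # ...followed by a successful RDP logon from the same address
    + [_event(800, 4624, "administrator", "203.0.113.45", 10)]
    # a routine RDP session from an internal workstation
    + [_event(100, 4624, "jsmith", "10.0.0.5", 10)]
    # a user who mistyped a password twice before getting in
    + [_event(200, 4625, "mlee", "10.0.0.7", 3),
       _event(230, 4625, "mlee", "10.0.0.7", 3),
       _event(260, 4624, "mlee", "10.0.0.7", 10)]
)


def find_brute_forced_rdp_logons(events, min_failures=10,
                                 window=timedelta(minutes=30)):
    """Return successful RDP logons (4624, type 10) preceded by at least
    `min_failures` failed logons (4625) from the same source address within
    `window`. Each hit records source, account, failure count and whether the
    source lies outside the internal ranges."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures_by_ip[e["src_ip"]].append(e["time"])
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] != 4624 or e["logon_type"] != 10:
            continue
        prior = [t for t in failures_by_ip[e["src_ip"]]
                 if e["time"] - window <= t < e["time"]]
        if len(prior) >= min_failures:
            hits.append({"src_ip": e["src_ip"], "user": e["user"],
                         "failures": len(prior), "success_time": e["time"],
                         "external": is_external(e["src_ip"])})
    return hits


if __name__ == "__main__":
    for hit in find_brute_forced_rdp_logons(SAMPLE_EVENTS):
        print(f"{hit['success_time']:%Y-%m-%d %H:%M:%S} {hit['src_ip']} "
              f"-> {hit['user']} after {hit['failures']} failures "
              f"(external={hit['external']})")
```

On the sample, only the 203.0.113.45 logon is flagged; the user who mistyped a password twice stays below the threshold. The time of that flagged logon is the anchor for everything that follows: it is the earliest point from which persistence and lateral movement must be hunted, and the address should be cross-checked against the firewall log to see how long it had been probing.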
Compromised credentials
Attackers purchase or obtain credentials from data breaches, phishing campaigns, or infostealer malware and use them to authenticate to VPNs, Microsoft 365, remote access tools, or internal systems. This attack vector is particularly hard to detect because the attacker appears to be a legitimate user.
To investigate: Review authentication logs for logins from unusual geographic locations, unusual times, or impossible travel events (logging in from New York and then London within an hour). Check for new devices appearing in Microsoft 365 and VPN logs.
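The impossible-travel check is a distance-over-time calculation between a user's consecutive sign-ins. The block below is an added example and not the article's own tooling: it computes great-circle distance from GeoIP-style coordinates and flags pairs whose implied speed is not achievable. The sign-in records, coordinates, the 900 km/h speed ceiling and the 100 km minimum distance (which keeps GeoIP jitter inside one metro area from producing noise) are all assumptions chosen for illustration.

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = (math.sin(d_phi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


# Constructed sign-in records (not real data). In practice the city and
# coordinates come from a GeoIP lookup of the source address; Microsoft 365
# sign-in logs already carry a location for each sign-in.
SAMPLE_SIGNINS = [
    {"user": "jdoe", "time": datetime(2024, 3, 9, 9, 5), "ip": "198.51.100.20",
     "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"user": "jdoe", "time": datetime(2024, 3, 9, 9, 50), "ip": "203.0.113.77",
     "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "akhan", "time": datetime(2024, 3, 9, 8, 0), "ip": "203.0.113.10",
     "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "akhan", "time": datetime(2024, 3, 9, 11, 0), "ip": "203.0.113.11",
     "city": "Manchester", "lat": 53.4808, "lon": -2.2426},
]


def impossible_travel(signins, max_speed_kmh=900.0, min_distance_km=100.0):
    """Flag consecutive sign-ins by the same user whose implied travel speed
    exceeds `max_speed_kmh`. Pairs closer than `min_distance_km` are ignored
    so GeoIP jitter within one metro area does not produce false positives."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append(s)
    findings = []
    for user, entries in by_user.items():
        entries.sort(key=lambda e: e["time"])
        for prev, cur in zip(entries, entries[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_distance_km:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            # Same-timestamp sign-ins from distant places count as infinite speed.
            speed = dist / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                findings.append({"user": user, "from": prev["city"], "to": cur["city"],
                                 "from_ip": prev["ip"], "to_ip": cur["ip"],
                                 "distance_km": round(dist), "hours": round(hours, 2),
                                 "speed_kmh": round(speed)})
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_SIGNINS):
        print(f"{f['user']}: {f['from']} ({f['from_ip']}) -> {f['to']} ({f['to_ip']}) "
              f"{f['distance_km']} km in {f['hours']} h = {f['speed_kmh']} km/h")
```

On the sample, jdoe's New York to London pair is flagged (roughly 5,570 km in 45 minutes) while akhan's London to Manchester trip over three hours is not. A flagged pair does not by itself prove compromise (VPN egress points cause legitimate jumps), but the later of the two sign-ins is where to start looking for a new device, a new mailbox rule or a token that should be revoked.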
Unpatched vulnerabilities
Attackers exploit known vulnerabilities in internet-facing systems — VPN appliances, firewalls, web applications, and server software — to gain initial access. Many major ransomware campaigns have been traced to exploitation of specific CVEs (Common Vulnerabilities and Exposures) that were publicly known and had available patches.
To investigate: Inventory every internet-facing system and review its patch status against recently published CVEs for those products. Check the systems' own logs for exploitation attempts, but do not rely on them: appliance logs are often sparse or were cleared by the attacker, so an internet-facing device running a version with a known exploited vulnerability should be treated as compromised until proven otherwise.
Supply chain and third-party access
Attackers may compromise a trusted vendor, software provider, or MSP and use that trusted access to reach your environment. This vector is harder to detect and increasingly common in targeted attacks.
To investigate: Review the accounts and remote access tools your vendors and MSP use to reach you (VPN accounts, remote management agents, shared credentials) for logins at unusual times or from unexpected sources, and ask each vendor directly whether they have had an incident.
Closing the vector before restoring
Once the attack vector is identified, it must be completely closed before any restoration begins. This means: revoking the compromised credentials and rotating every privileged credential, not only the ones known to have been used; patching the exploited vulnerability; removing the attacker's persistence mechanisms (scheduled tasks, new user accounts, group membership changes, backdoors) on every system, not just the ones that were visibly encrypted; and verifying, rather than assuming, that the environment is clean.
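The persistence hunt is simplest when it starts from the confirmed time of the attacker's first logon and walks forward through the Security log on every host. The following is an added example, not the article's own procedure: it groups the persistence-related events recorded after that point into the actions the recovery team has to take. The event IDs (4720 user account created, 4732 member added to a security-enabled local group, 4698 scheduled task created, 4697 service installed) are real Windows Security event IDs, but the events, hostnames, account and task names, the 14-day look-ahead and the notion of "privileged groups" are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Security log event IDs that commonly record persistence being established.
# 4697 and 4698 are only written when the corresponding audit subcategories
# are enabled, so their absence is not evidence that nothing was created.
PERSISTENCE_EVENTS = {
    4720: "user account created",
    4732: "member added to security-enabled local group",
    4698: "scheduled task created",
    4697: "service installed",
}
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}

# Constructed events modelled on Windows Security log fields (not real data).
# `target` is the account, group member, task or service the event concerns.
SAMPLE_EVENTS = [
    # a legitimate task created by an admin a week before the intrusion
    {"time": datetime(2024, 3, 3, 14, 0), "event_id": 4698, "host": "FS01",
     "subject": "CORP\\itadmin", "target": "NightlyBackup", "group": None},
    # activity after the attacker's first interactive logon at 02:13
    {"time": datetime(2024, 3, 10, 2, 20), "event_id": 4720, "host": "FS01",
     "subject": "FS01\\administrator", "target": "svc_backup", "group": None},
    {"time": datetime(2024, 3, 10, 2, 21), "event_id": 4732, "host": "FS01",
     "subject": "FS01\\administrator", "target": "svc_backup", "group": "Administrators"},
    {"time": datetime(2024, 3, 10, 2, 30), "event_id": 4698, "host": "FS01",
     "subject": "FS01\\svc_backup", "target": "WindowsUpdateCheck", "group": None},
    # a service installed on a host that was never visibly encrypted
    {"time": datetime(2024, 3, 10, 2, 35), "event_id": 4697, "host": "DC01",
     "subject": "FS01\\svc_backup", "target": "RemoteAssist", "group": None},
    # a routine group change by staff later that morning: listed, lower priority
    {"time": datetime(2024, 3, 10, 9, 0), "event_id": 4732, "host": "FS01",
     "subject": "CORP\\itadmin", "target": "mlee", "group": "Finance-Share-RW"},
]


def persistence_indicators(events, intrusion_start, lookahead=timedelta(days=14)):
    """Collect persistence-related events recorded between `intrusion_start`
    (the first confirmed attacker logon) and `intrusion_start + lookahead`,
    grouped into recovery actions. Accounts created in that window go on the
    disable list; everything done by such an account is marked high priority."""
    end = intrusion_start + lookahead
    actions = {"disable_accounts": [], "review_group_changes": [],
               "review_tasks": [], "review_services": []}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] not in PERSISTENCE_EVENTS:
            continue
        if not intrusion_start <= e["time"] <= end:
            continue
        entry = {"time": e["time"], "host": e["host"], "by": e["subject"],
                 "target": e["target"], "what": PERSISTENCE_EVENTS[e["event_id"]],
                 "priority": "normal"}
        if e["event_id"] == 4720:
            entry["priority"] = "high"
            actions["disable_accounts"].append(entry)
        elif e["event_id"] == 4732:
            entry["group"] = e["group"]
            if e["group"] in PRIVILEGED_GROUPS:
                entry["priority"] = "high"
            actions["review_group_changes"].append(entry)
        elif e["event_id"] == 4698:
            actions["review_tasks"].append(entry)
        elif e["event_id"] == 4697:
            actions["review_services"].append(entry)
    # Anything done by, or to, an account the attacker created is attacker activity.
    suspect = {a["target"] for a in actions["disable_accounts"]}
    for key in ("review_tasks", "review_services", "review_group_changes"):
        for entry in actions[key]:
            actor = entry["by"].split("\\")[-1]
            if actor in suspect or entry["target"] in suspect:
                entry["priority"] = "high"
    return actions


if __name__ == "__main__":
    report = persistence_indicators(SAMPLE_EVENTS, datetime(2024, 3, 10, 2, 13))
    for action, entries in report.items():
        for entry in entries:
            print(f"{action:22} {entry['time']:%m-%d %H:%M} {entry['host']:5} "
                  f"{entry['what']}: {entry['target']} by {entry['by']} "
                  f"[{entry['priority']}]")
```

On the sample, the task created a week before the intrusion is excluded, the attacker's account is queued for disabling, and the task and service it created (including the one on the host that never showed signs of encryption) come out as high priority. The same walk has to be run on every system in scope, not only the encrypted ones; the unencrypted host with a fresh service is exactly the reinfection path the opening section describes.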
This work requires forensic expertise. If you don't have an incident response team, engage one before you attempt restoration. Moore Technology Consulting provides ransomware recovery services — call us at (646) 791-2137.
Quick Reference Checklist
- Do NOT restore from backup until the attack vector is identified and closed
- Review email logs for phishing activity in the days and weeks before the attack
- Check firewall logs for unusual inbound connections (especially RDP)
- Review authentication logs for credential compromise indicators
- Identify all unpatched internet-facing systems
- Look for attacker persistence — new accounts, scheduled tasks, backdoors
- Close the attack vector completely before beginning restoration
- Engage an incident response team if you don't have in-house expertise