Why this step cannot be skipped
The pressure to get back online after a ransomware attack is enormous. Customers are calling. Staff can't work. Revenue is stopped. Restoring from backup feels like the fastest path back to normal — and it's exactly how businesses get reinfected.
If you don't know how the attackers got in, you'll restore your environment with the same vulnerability still in place. The attackers — who may still have valid credentials, an active foothold, or an unpatched exploit — will simply walk back in. Sometimes within hours. Often through the same door.
Identifying the attack vector is the single most important determinant of whether your recovery sticks. Skip it, and you're not recovering — you're scheduling the next attack.
The four most common ransomware entry points
The vast majority of ransomware attacks against small and midsize businesses come through one of four paths. Start your investigation here.
1. Phishing — including business email compromise
Email-based attacks remain one of the leading initial access vectors for ransomware. Look for:
- Suspicious emails received by users in the days before the attack — especially those with attachments or links
- Reports from users about emails that "looked weird" or "wanted me to log in somewhere"
- Unexpected OAuth grants in Microsoft 365 — attackers often phish for OAuth consent rather than passwords
- Inbox rules that forward, redirect or delete mail, created in a user's mailbox without their knowledge: a classic sign of business email compromise
- Successful logins from unusual countries or IP addresses in Microsoft 365 sign-in logs
If phishing is the suspected vector, treat every account with administrative privileges as potentially compromised — not just the user who clicked.
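The two mailbox indicators above (forwarding rules and OAuth consent grants) can be pulled out of the Microsoft 365 Unified Audit Log in minutes. The following is an added example, not code from this guide or from Microsoft: it scans audit records in the AuditData shape returned by Search-UnifiedAuditLog, flags inbox rules that forward or redirect to external addresses, delete messages, or carry a near-empty name, and flags consent grants for mail-reading scopes. The records, the tenant domain list and the set of "risky" scopes are constructed assumptions for the example.

```python
"""Scan Microsoft 365 Unified Audit Log records for BEC indicators: inbox rules that
forward, redirect or delete mail, and OAuth consent grants for mail-reading scopes.
Added example; the records below are constructed in the AuditData field shape, not real tenant data."""
import re

INTERNAL_DOMAINS = {"example.com"}          # assumption: the tenant's own mail domains
FORWARD_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
                "Files.ReadWrite.All", "offline_access"}   # assumption: scopes worth a second look
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
SCOPE_RE = re.compile(r"[A-Za-z]+\.[A-Za-z.]+|offline_access")

# Constructed sample records; only the fields used below are kept.
SAMPLE_AUDITDATA = [
    {"CreationTime": "2024-03-02T07:41:10", "Operation": "New-InboxRule",
     "UserId": "j.doe@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "[SMTP:archive.mail@attacker-mail.example]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-01T10:02:00", "Operation": "New-InboxRule",
     "UserId": "a.smith@example.com", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2024-03-02T07:45:33", "Operation": "Consent to application.",
     "UserId": "j.doe@example.com", "ClientIP": "203.0.113.7",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
                             "NewValue": "[[Id: x, ClientId: 00000000-0000-0000-0000-000000000000, "
                                         "Scope: Mail.ReadWrite offline_access User.Read]]"}]},
]


def _params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _external(address):
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS


def check_inbox_rule(record):
    """Reasons an inbox-rule event looks like BEC, or None. Covers New-/Set-InboxRule
    (PowerShell and OWA); rules made from desktop Outlook log as UpdateInboxRules with a
    different parameter shape and are not handled here."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = _params(record)
    reasons = []
    for action in (a for a in FORWARD_ACTIONS if a in p):
        external = [a for a in EMAIL_RE.findall(p[action]) if _external(a)]
        if external:
            reasons.append(f"{action} to external address {external}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True (hides the thread from the victim)")
    if len(p.get("Name", "unnamed").strip()) <= 2:
        reasons.append(f"near-empty rule name {p.get('Name')!r}")   # common attacker habit
    return reasons or None


def check_consent(record):
    """Reasons an OAuth consent grant looks risky, or None."""
    if record.get("Operation") != "Consent to application.":
        return None
    scopes = set()
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            scopes.update(SCOPE_RE.findall(prop.get("NewValue", "")))
    risky = sorted(scopes & RISKY_SCOPES)
    return [f"OAuth consent granting {risky}"] if risky else None


def find_bec_indicators(records):
    """Return flagged records, oldest first, each with the reasons it was flagged."""
    findings = []
    for r in records:
        reasons = check_inbox_rule(r) or check_consent(r)
        if reasons:
            findings.append({"time": r["CreationTime"], "user": r["UserId"],
                             "ip": r.get("ClientIP"), "op": r["Operation"], "reasons": reasons})
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in find_bec_indicators(SAMPLE_AUDITDATA):
        print(f"{f['time']} {f['user']} from {f['ip']}: {f['op']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run it against a JSON export of the audit search for the days before the incident; the same user and client IP showing up on both a forwarding rule and a consent grant, as in the constructed sample, is the pattern to pivot on in the sign-in logs.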
2. Compromised credentials — VPN, RDP, and remote access
Credentials stolen by infostealer malware, bought from initial access brokers, or harvested from earlier breaches are now among the most common ransomware entry methods. Look for:
- VPN logins from unusual geographies or IP addresses
- RDP connections from external IP addresses if RDP is exposed to the internet (it should never be)
- Accounts logging in at unusual hours
- Bursts of failed login attempts followed by a success, the signature of brute-force and password-spraying attacks (credential stuffing with a valid stolen password often shows only a single clean success from an unfamiliar IP)
- Accounts that haven't been used in months suddenly active
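The sign-in checks in the list above can be run as one pass over a sign-in log export. The following is an added example (not from this guide or from Microsoft) written against the field names of an Entra ID sign-in log export: successes before the investigation window build each account's baseline of countries and last-seen time, and successes inside the window are flagged for a new country, off-hours activity, a burst of wrong-password failures immediately before the success, or a long-dormant account coming back to life. The records, the working-hours range, and every threshold are constructed assumptions to tune for your tenant.

```python
"""Flag suspicious successful sign-ins in an Entra ID sign-in log export.
Added example; records are constructed in the export's field shape, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126   # Entra ID error code for an invalid username or password


def _rec(user, when, ip, country, code=0):
    return {"userPrincipalName": user, "createdDateTime": when, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code}}


# Constructed sign-ins: a normal user, a user brute-forced from abroad, a dormant service account.
SIGNINS = (
    [_rec("a.smith@example.com", "2024-02-20T09:05:00Z", "198.51.100.4", "GB"),
     _rec("a.smith@example.com", "2024-03-01T10:00:00Z", "198.51.100.4", "GB"),
     _rec("j.doe@example.com", "2024-02-21T08:30:00Z", "198.51.100.4", "GB"),
     _rec("svc-backup@example.com", "2023-12-01T03:00:00Z", "198.51.100.4", "GB"),
     _rec("svc-backup@example.com", "2024-03-02T03:10:00Z", "198.51.100.4", "GB")]
    + [_rec("j.doe@example.com", f"2024-03-02T02:4{m}:00Z", "203.0.113.7", "US", INVALID_PASSWORD)
       for m in range(6)]
    + [_rec("j.doe@example.com", "2024-03-02T02:46:00Z", "203.0.113.7", "US")]
)


def _ts(r):
    return datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))


def hunt_signins(records, window_start, local_utc_offset=0, work_hours=(7, 19),
                 burst_n=5, burst_minutes=10, dormant_days=60):
    """Return suspicious successful sign-ins at or after window_start (ISO 8601 with offset).
    Successes before the window only build each user's baseline."""
    start = datetime.fromisoformat(window_start)
    baseline = defaultdict(set)   # user -> countries seen in pre-window successes
    last_ok = {}                  # user -> time of the most recent success seen so far
    fails = defaultdict(list)     # user -> timestamps of wrong-password failures
    findings = []
    for r in sorted(records, key=_ts):
        user, t = r["userPrincipalName"], _ts(r)
        if r["status"]["errorCode"] != 0:
            if r["status"]["errorCode"] == INVALID_PASSWORD:
                fails[user].append(t)
            continue
        country = r["location"]["countryOrRegion"]
        if t < start:
            baseline[user].add(country)
            last_ok[user] = t
            continue
        reasons = []
        if baseline[user] and country not in baseline[user]:
            reasons.append(f"new country {country}, baseline {sorted(baseline[user])}")
        local_hour = (t + timedelta(hours=local_utc_offset)).hour
        if not work_hours[0] <= local_hour < work_hours[1]:
            reasons.append(f"outside working hours ({local_hour:02d}:00 local)")
        recent = [f for f in fails[user] if timedelta(0) <= t - f <= timedelta(minutes=burst_minutes)]
        if len(recent) >= burst_n:
            reasons.append(f"{len(recent)} wrong-password failures in the {burst_minutes} min before success")
        if user in last_ok and t - last_ok[user] > timedelta(days=dormant_days):
            reasons.append(f"dormant account: previous success {(t - last_ok[user]).days} days earlier")
        if reasons:
            findings.append({"user": user, "time": r["createdDateTime"],
                             "ip": r["ipAddress"], "reasons": reasons})
        last_ok[user] = t
        fails[user].clear()
    return findings


if __name__ == "__main__":
    for f in hunt_signins(SIGNINS, "2024-02-28T00:00:00+00:00"):
        print(f"{f['time']} {f['user']} from {f['ip']}: " + "; ".join(f["reasons"]))
```

The burst rule keys failures on the account, which catches brute force against one user; to catch password spraying, key the same counter on the source IP and count distinct users failing from it. A service account that logs in on schedule will trip the off-hours rule every night, so seed work_hours per account class rather than tenant-wide.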
3. Unpatched internet-facing systems
Exposed services with known vulnerabilities are constantly scanned by attackers. The most common ransomware entry points in this category:
- VPN appliances (Fortinet, Pulse Secure/Ivanti, Citrix) with unpatched CVEs
- Email servers, especially on-premises Exchange installations
- Web servers and applications with public-facing admin interfaces
- File-sharing services (FTP, SMB exposed to the internet)
- Misconfigured cloud storage with no authentication required
Audit every internet-facing system for patch status. If an unpatched system was reachable during the attack window, treat it as the suspected entry point until you can rule it out.
4. Compromised vendor or supply chain
Third-party access is an increasingly common ransomware vector. Your IT provider, software vendor, or managed service provider may have been compromised, with attackers using their access to reach you. Look for:
- Activity from your IT vendor's accounts or remote access tools outside of scheduled maintenance windows
- Recent updates or installations from software vendors immediately before the incident
- Remote support tools (LogMeIn, ConnectWise Control, TeamViewer) showing connections you didn't authorize
- API integrations or service accounts behaving unexpectedly
If you suspect supply chain compromise, contact the vendor in writing — do not assume their support channels are safe to use during their own incident.
Build a timeline from the logs
Working backward from the moment you discovered the encryption, build a timeline using the logs you preserved in Step 3:
- When did the encryption start? (file modification timestamps)
- What account performed the encryption? (file system audit logs, process creation events such as Windows Security event 4688 or Sysmon event 1)
- When did that account first log in? (authentication logs)
- From what source did it first log in? (VPN logs, sign-in logs)
- What did that account do between initial access and encryption? (this is the dwell time — often days or weeks)
The point of entry is the earliest unauthorized event in this timeline. Sometimes it's obvious — a phishing email opened three days before encryption. Sometimes it requires deep forensic analysis to find. Either way, you cannot close the door until you know which door it was.
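The timeline steps above, carried out over preserved logs. This is an added example, not code from this guide: it merges three constructed sources (modification times of encrypted files, process-creation events in the field shape of Windows event 4688, and VPN appliance log lines in a simple key=value format), finds the process that started just before the first encrypted file was written, takes the account it ran as, finds the VPN session that account was in at that moment, and then walks back to the first time that source address appeared anywhere. The gap between that first appearance and the first encrypted file is the dwell time. All hostnames, paths and log formats are constructed, and the encryptor path is a placeholder.

```python
"""Build a ransomware timeline from three log sources and pivot to the point of entry.
Added example; every record and log format here is constructed, not real evidence."""
import re
from datetime import datetime


def _t(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed: (host, path, modification time) of encrypted files.
ENCRYPTED_FILES = [
    ("FS01", r"\\FS01\finance\Q1-forecast.xlsx.locked", "2024-03-02T02:52:00Z"),
    ("FS01", r"\\FS01\finance\payroll.csv.locked", "2024-03-02T02:52:04Z"),
    ("FS01", r"\\FS01\hr\contracts.docx.locked", "2024-03-02T02:53:11Z"),
]
# Constructed: process-creation events (the fields of Security 4688 / Sysmon event 1 used here).
PROCESS_EVENTS = [
    {"time": "2024-03-02T01:30:02Z", "host": "FS01", "user": "EXAMPLE\\svc-backup",
     "image": "C:\\Program Files\\Backup\\agent.exe"},
    {"time": "2024-03-02T02:51:40Z", "host": "FS01", "user": "EXAMPLE\\j.doe",
     "image": "C:\\Users\\Public\\svc.exe"},      # placeholder path for the encryptor
]
# Constructed VPN appliance log lines (format is an assumption; adapt the regex to yours).
VPN_LOG = """\
2024-02-20T08:00:00Z vpn01 user=j.doe src=198.51.100.4 action=login result=success
2024-02-27T23:58:12Z vpn01 user=j.doe src=203.0.113.7 action=login result=success
2024-03-01T22:10:00Z vpn01 user=j.doe src=203.0.113.7 action=login result=success
2024-03-02T01:15:00Z vpn01 user=svc-backup src=198.51.100.4 action=login result=success
"""
VPN_RE = re.compile(r"^(\S+) \S+ user=(\S+) src=(\S+) action=login result=success$")


def parse_vpn(text):
    """Successful VPN logins as dicts; lines that do not match are ignored."""
    out = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            out.append({"time": m[1], "user": m[2], "src": m[3]})
    return out


def build_timeline(files, procs, vpn_text):
    logins = parse_vpn(vpn_text)
    host, _, enc_start = min(files, key=lambda f: _t(f[2]))
    # The encrypting process: the last process started on that host before the first write.
    proc = max((p for p in procs if p["host"] == host and _t(p["time"]) < _t(enc_start)),
               key=lambda p: _t(p["time"]), default=None)
    if proc is None:
        raise ValueError(f"no process-creation events on {host} before {enc_start}")
    account = proc["user"].split("\\")[-1]
    # The session that account was in at encryption time: its latest login before enc_start.
    session = max((l for l in logins if l["user"] == account and _t(l["time"]) < _t(enc_start)),
                  key=lambda l: _t(l["time"]), default=None)
    if session is None:
        raise ValueError(f"no VPN login for {account} before {enc_start}")
    # Earliest appearance of that source address anywhere: the candidate point of entry.
    first = min((l for l in logins if l["src"] == session["src"]), key=lambda l: _t(l["time"]))
    events = ([(l["time"], "vpn", f"{l['user']} login from {l['src']}") for l in logins]
              + [(p["time"], "proc", f"{p['user']} started {p['image']} on {p['host']}") for p in procs]
              + [(enc_start, "fs", f"first encrypted file written on {host}")])
    return {"encryption_start": enc_start, "account": account, "source": session["src"],
            "initial_access": first["time"], "dwell": _t(enc_start) - _t(first["time"]),
            "timeline": sorted(events, key=lambda e: _t(e[0]))}


if __name__ == "__main__":
    r = build_timeline(ENCRYPTED_FILES, PROCESS_EVENTS, VPN_LOG)
    for when, source, what in r["timeline"]:
        print(f"{when} [{source:4}] {what}")
    print(f"\nentry: {r['account']} via {r['source']} at {r['initial_access']}, dwell {r['dwell']}")
```

Note what the pivot does and does not prove: the source address tells you which session to investigate, not how the credential was obtained. The first login from that address is the earliest event you can currently attribute to the attacker; the phishing email or the infostealer infection that produced the password may sit days before it in a log you have not pulled yet.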
Assume attacker persistence until proven otherwise
Sophisticated attackers don't enter your environment, deploy ransomware, and leave. They establish persistence — multiple ways back in — before triggering the visible attack. This means:
- New user accounts created with administrative privileges
- Service accounts modified with new passwords
- Scheduled tasks or services configured to run attacker tooling
- Backdoors installed on systems that don't show signs of encryption
- Group Policy Objects modified to deploy malware on reconnection
Restoring without removing persistence hands the attacker a second round: they watch you rebuild, then encrypt again. Always assume persistence exists and hunt for it before you reconnect.
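Each persistence mechanism in the list above leaves a Windows event behind: 4720 for a new account, 4728/4732/4756 for a member added to a group, 4724 for a password reset, 4698 for a new scheduled task, 7045 (System log) for a new service, and 5136 for a modified directory object, which covers GPOs. The following is an added example, not code from this guide: it walks constructed events in a flattened dict shape (not a real evtx export), flags those indicators, and, starting from one known-compromised account, grows the set of attacker-controlled accounts as it sees that account create or reset others, so later events by those accounts are attributed too. Hostnames, account names, task and service names, and the trusted-directory list are placeholders and assumptions.

```python
"""Hunt Windows events for the persistence mechanisms a ransomware actor leaves behind.
Added example; events are constructed in a flattened shape, not a real evtx export."""
import re
from collections import defaultdict
from datetime import datetime

ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}   # assumption
TRUSTED_DIRS = ("C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")
GROUP_ADD = {4728, 4732, 4756}    # member added to global / local / universal group
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"

# Constructed events: 'user' is the acting account; other keys mirror the event's data fields.
EVENTS = [
    {"time": "2024-02-28T01:02:00Z", "host": "DC01", "id": 4720, "user": "j.doe",
     "TargetUserName": "sqlsvc2"},
    {"time": "2024-02-28T01:02:30Z", "host": "DC01", "id": 4728, "user": "j.doe",
     "TargetUserName": "Domain Admins", "MemberName": "CN=sqlsvc2,CN=Users,DC=example,DC=com"},
    {"time": "2024-02-28T01:05:00Z", "host": "DC01", "id": 4724, "user": "sqlsvc2",
     "TargetUserName": "svc-backup"},
    {"time": "2024-02-29T03:14:00Z", "host": "FS01", "id": 4698, "user": "sqlsvc2",
     "TaskName": "\\Microsoft\\Windows\\Update\\Sync",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Users\\Public\\svc.exe</Command></Exec></Actions></Task>"},
    {"time": "2024-02-29T03:20:00Z", "host": "APP02", "id": 7045, "user": "sqlsvc2",
     "ServiceName": "WinDefendHelper", "ImagePath": "C:\\ProgramData\\wdh\\wdh.exe"},
    {"time": "2024-03-01T00:00:00Z", "host": "APP02", "id": 7045, "user": "SYSTEM",
     "ServiceName": "BackupAgent", "ImagePath": "C:\\Program Files\\Backup\\agent.exe"},
    {"time": "2024-03-01T04:40:00Z", "host": "DC01", "id": 5136, "user": "sqlsvc2",
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "ObjectDN": f"CN={DEFAULT_DOMAIN_POLICY},CN=Policies,CN=System,DC=example,DC=com"},
]


def _describe(e):
    """Human-readable indicator for a persistence-relevant event, or None for everything else."""
    i = e["id"]
    if i == 4720:
        return f"account {e['TargetUserName']} created"
    if i in GROUP_ADD and e["TargetUserName"] in ADMIN_GROUPS:
        return f"{e['MemberName'].split(',')[0]} added to {e['TargetUserName']}"
    if i == 4724:
        return f"password of {e['TargetUserName']} reset"
    if i == 4698:
        m = re.search(r"<Command>(.*?)</Command>", e["TaskContent"])
        return f"scheduled task {e['TaskName']} runs {m[1] if m else e['TaskContent']}"
    if i == 7045 and not e["ImagePath"].startswith(TRUSTED_DIRS):
        return f"service {e['ServiceName']} installed from {e['ImagePath']}"
    if i == 5136 and e["ObjectClass"] == "groupPolicyContainer":
        return f"GPO {e['ObjectDN'].split(',')[0]} attribute {e['AttributeLDAPDisplayName']} modified"
    return None


def hunt_persistence(events, window_start, attacker_accounts=()):
    """Findings per host from window_start on, plus the accounts traced to the attacker."""
    start = datetime.fromisoformat(window_start)
    attacker = set(attacker_accounts)
    findings = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if datetime.fromisoformat(e["time"].replace("Z", "+00:00")) < start:
            continue
        what = _describe(e)
        if what is None:
            continue
        by_attacker = e["user"] in attacker
        # Accounts created or reset by an attacker-controlled account are attacker-controlled too.
        if by_attacker and e["id"] in (4720, 4724):
            attacker.add(e["TargetUserName"])
        findings[e["host"]].append({"time": e["time"], "by": e["user"], "what": what,
                                    "attacker_account": by_attacker})
    return {"findings": dict(findings), "accounts": sorted(attacker)}


if __name__ == "__main__":
    r = hunt_persistence(EVENTS, "2024-02-27T00:00:00+00:00", attacker_accounts=("j.doe",))
    for host, items in r["findings"].items():
        for f in items:
            print(f"{f['time']} {host} {f['by']:<12} {'ATTACKER ' if f['attacker_account'] else ''}{f['what']}")
    print("accounts to disable and re-credential:", r["accounts"])
```

Event-based hunting only sees what was logged: a task or service created on a host whose logs were wiped, or before log retention, will not appear. Pair it with a live inventory (scheduled tasks, services, local administrators, GPO versions) from each system before it is reconnected, and treat any difference from the last known-good build as persistence until explained.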
Step 4 checklist
- Investigate phishing emails received in the days leading up to the incident
- Review VPN, RDP, and remote access logs for unusual logins
- Audit internet-facing systems for unpatched vulnerabilities
- Check third-party vendor access for any activity outside normal patterns
- Build a timeline working backward from encryption to initial access
- Identify the dwell time — how long the attacker was inside before triggering encryption
- Hunt for persistence: new accounts, modified service accounts, scheduled tasks, GPO changes
- Do not reconnect any restored systems until the entry point is confirmed closed
What's next: Step 5: Notify Stakeholders
Once you've completed this step, the next priority is notifying stakeholders — who to call, in what order, and on what channels. That's covered in Step 5 of this guide.