This blog post is part two of our series on ransomware attacks. If you missed our first post, "Understanding and Preventing Early Stages of Ransomware Attacks", we recommend starting there.
With global ransomware damages projected to reach $265 billion USD annually by 2031 (Cybersecurity Ventures), 62% of surveyed C-suite leaders currently rank ransomware as their number one cybersecurity concern (CFO). Prominent incidents, such as the Colonial Pipeline attack, demonstrate the catastrophic consequences these threats can impose, not only costing organizations millions in downtime and recovery but also immobilizing the nation's critical infrastructure that citizens depend on daily. As adversaries refine their tactics with AI, they increasingly focus on escalating privileges, bypassing defenses, and embedding themselves deeper within networks. To safeguard national security, agencies must deploy integrated solutions capable of preventing, detecting, and responding to these sophisticated mid-stage ransomware attack tactics.
Attackers elevate privileges by exploiting privilege escalation vulnerabilities, dumping credentials, and abusing elevation-control mechanisms, for example through User Account Control (UAC) bypass.
For example, in February 2025, threat actors exploited a critical Atlassian Confluence RCE vulnerability (CVE-2023-22527) to escalate from unauthenticated access to SYSTEM privileges, disable endpoint defenses, and deploy LockBit ransomware across the environment.
Attackers' defense evasion TTPs include disabling security tools, obfuscating payloads, injecting malicious code, and deleting logs.
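Two of the evasion techniques above, disabling security tools and deleting logs, leave their own trail in Windows event logs: the audit log being cleared is itself logged (Security event 1102), as is clearing the System log (event 104), changing the audit policy (Security event 4719), and Defender's real-time protection being turned off (Defender Operational event 5001). The following is an added detection example written for this post, not code from the original article or from CyberArk or Qualys; the event records are constructed for illustration, and the clustering threshold (two or more tamper events on one host within ten minutes) is an assumption a SOC would tune to its environment.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows event IDs that signal tampering with logging or endpoint protection.
# The IDs are Microsoft's own; the (channel, id) -> label mapping is written for
# this example.
TAMPER_EVENTS = {
    ("Security", 1102): "audit log cleared",
    ("System", 104): "event log cleared",
    ("Security", 4719): "system audit policy changed",
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "real-time protection disabled",
}

DEFENDER = "Microsoft-Windows-Windows Defender/Operational"


@dataclass(frozen=True)
class Event:
    time: str       # ISO-8601 UTC, e.g. "2025-02-10T09:01:12Z"
    host: str
    channel: str    # event log channel the record came from
    event_id: int
    user: str


# Constructed sample telemetry (not real logs): one workstation shows protection
# being disabled and two logs cleared within a minute, the rest is normal logon noise.
SAMPLE_EVENTS = [
    Event("2025-02-10T09:01:12Z", "WS-0042", "Security", 4624, "CORP\\jdoe"),
    Event("2025-02-10T09:03:40Z", "WS-0042", DEFENDER, 5001, "NT AUTHORITY\\SYSTEM"),
    Event("2025-02-10T09:03:58Z", "WS-0042", "Security", 1102, "CORP\\jdoe"),
    Event("2025-02-10T09:04:02Z", "WS-0042", "System", 104, "CORP\\jdoe"),
    Event("2025-02-10T09:10:00Z", "SRV-FILE01", "Security", 4624, "CORP\\svc_backup"),
    Event("2025-02-10T16:30:00Z", "SRV-FILE01", "System", 104, "CORP\\admin.ops"),  # lone clear
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def tamper_findings(events):
    """Every event that matches the tamper table, as (host, time, user, label)."""
    return [
        (e.host, e.time, e.user, TAMPER_EVENTS[(e.channel, e.event_id)])
        for e in events
        if (e.channel, e.event_id) in TAMPER_EVENTS
    ]


def hosts_with_clustered_tampering(events, min_findings=2, window=timedelta(minutes=10)):
    """Hosts where at least `min_findings` tamper events fall inside `window`.

    A single cleared log can be admin housekeeping; several tamper events in
    quick succession on one host rarely are, so only clusters are escalated.
    """
    by_host = defaultdict(list)
    for host, time, _user, _label in tamper_findings(events):
        by_host[host].append(_parse(time))
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - min_findings + 1):
            if times[i + min_findings - 1] - times[i] <= window:
                flagged.add(host)
                break
    return flagged


if __name__ == "__main__":
    for finding in tamper_findings(SAMPLE_EVENTS):
        print("tamper event:", finding)
    print("escalate hosts:", sorted(hosts_with_clustered_tampering(SAMPLE_EVENTS)))
```

The two-tier design matters in practice: alerting on every event 104 drowns analysts in routine maintenance, while requiring a cluster of distinct tamper signals on one host in a short window isolates the sequence a ransomware operator produces when blinding defenses before deployment.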
Attackers expand control by harvesting credentials using credential dumping, keylogging, brute forcing, and password spraying techniques.
Discovery involves extensive reconnaissance within the compromised environment, including network scanning, system and account discovery, and remote system enumeration.
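Password spraying (from the credential access paragraph) and network scanning (from the discovery paragraph) share one detectable shape: a single source touching many distinct targets in a short window, which is exactly the opposite of a user mistyping one password or a workstation talking to its usual file server. The block below is an added example written for this post, not code from the original article or from CyberArk or Qualys; it generalizes the two cases into one fan-out rule. The event rows, the IP addresses, and the thresholds (five distinct accounts in five minutes, ten distinct hosts in one minute) are all constructed and would be tuned against real baselines.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

T0 = datetime(2025, 2, 10, 9, 0, 0)  # constructed base time for the sample


def _ev(offset_s, src, kind, tgt):
    """Build one constructed event: (timestamp, source, kind, target)."""
    return (T0 + timedelta(seconds=offset_s), src, kind, tgt)


# Constructed sample telemetry (not real logs). "auth_fail" rows model failed
# logons reported by an identity provider; "connect" rows model new TCP
# connections reported by a network sensor.
SAMPLE_EVENTS = (
    # one external source, one failed logon each against eight accounts in two minutes
    [_ev(15 * i, "203.0.113.7", "auth_fail", f"user{i:02d}") for i in range(8)]
    # a real user mistyping their own password three times
    + [_ev(5 * i, "10.0.0.5", "auth_fail", "jdoe") for i in range(3)]
    # one internal host opening SMB connections to twelve hosts in thirty seconds
    + [_ev(2 * i, "10.0.0.42", "connect", f"10.0.1.{i}:445") for i in range(12)]
    # an ordinary workstation talking to its file server and a printer
    + [_ev(0, "10.0.0.9", "connect", "10.0.1.1:445"),
       _ev(30, "10.0.0.9", "connect", "10.0.1.2:9100")]
)


@dataclass
class Alert:
    source: str
    kind: str
    rule: str
    distinct_targets: int   # distinct targets in the window when the rule fired
    window_start: datetime


def detect_fanout(events, kind, threshold, window, rule):
    """Flag each source that touches >= `threshold` distinct targets of `kind`
    within `window`; one alert per source, raised when the threshold is crossed."""
    recent = defaultdict(deque)          # source -> deque of (timestamp, target)
    alerted, alerts = set(), []
    for ts, src, k, tgt in sorted(events):
        if k != kind:
            continue
        q = recent[src]
        q.append((ts, tgt))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        if src in alerted:
            continue
        distinct = {t for _, t in q}
        if len(distinct) >= threshold:
            alerted.add(src)
            alerts.append(Alert(src, kind, rule, len(distinct), q[0][0]))
    return alerts


# Two instances of the same rule: many accounts from one source, many hosts from one source.
SPRAY_RULE = dict(kind="auth_fail", threshold=5, window=timedelta(minutes=5), rule="password_spray")
SCAN_RULE = dict(kind="connect", threshold=10, window=timedelta(minutes=1), rule="network_scan")


def run_rules(events, rules=(SPRAY_RULE, SCAN_RULE)):
    return [alert for r in rules for alert in detect_fanout(events, **r)]


if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"{a.rule}: {a.source} reached {a.distinct_targets} distinct targets "
              f"starting {a.window_start:%H:%M:%S}")
```

Keying on distinct targets rather than raw event counts is what separates the two attacker patterns from the benign ones in the sample: the locked-out user generates three failures against one account and never trips the spray rule, and the workstation's two connections never approach the scan threshold, while both fan-out sources are caught as soon as they cross it.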
Addressing mid-stage ransomware attacks requires a multi-layered, comprehensive cybersecurity lifecycle of prevention, detection, and response. With exploited vulnerabilities representing the most common ransomware attack vector, followed by compromised credentials and malicious emails (Sophos), agencies must prioritize vulnerability management, detection and response, and identity security practices. Deploying integrated cybersecurity solutions from CyberArk and Qualys proactively prevents attackers from escalating privileges, evading detection, and entrenching themselves further within compromised environments, significantly reducing overall risk criticality and potential impact.
Continue exploring this blog series by reading our next post, "Advanced Stages of Ransomware: Securing Data and Mitigating Impact" covering stages 9-12 of the ransomware attack timeline, including lateral movement, data collection and exfiltration, and resulting impact(s).