Decoding the Ransomware Lifecycle: Detecting Early Signals in East-West Traffic
January 20, 2026
The Escalating Impact of Ransomware
Ransomware poses a massive threat to organizational stability. Data from our Global Threat Landscape Report shows that organizations contend with an average of 5-6 ransomware incidents each year. With costs often exceeding $3.6 million per incident and average downtime surpassing 37 hours, attacks drain budgets, disrupt operations, erode customer trust, and create cascading effects across supply chains and critical services.
The widespread impact is particularly evident in high-value sectors like healthcare, where sensitive data makes organizations prime targets. Consider the 2025 Episource incident, which exposed the personal health information of 5.4 million people, including names, social security numbers, and insurance details.
Global supply chains face a comparable threat as exemplified by the Jaguar Land Rover ransomware attack where manufacturing production was halted for five weeks, creating a logistical bottleneck that rippled through the global dealership network for months.
In both cases, attackers employed "living-off-the-land" tactics by using legitimate native services like PowerShell and remote management tools. By blending into routine operations to move laterally, threat actors proved that it is now easier than ever to conduct an attack without being detected.
The Power of the Network to Uncover Ransomware
Ransomware campaigns in 2026 are expected to become increasingly targeted and strategic, focused on high-value, systemically fragile organizations, and timed to maximize financial impact.
To execute this strategy at scale, attackers rely on a repeatable playbook: stealing credentials and living off the land to move laterally across the connected network while evading detection. Network visibility and telemetry provide ground truth that traditional, endpoint-based tools can't capture. By monitoring east-west network traffic, teams can uncover early indicators of compromise, such as Kerberoasting and anomalous reconnaissance, before a ransomware payload is deployed.
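Both early indicators named above, Kerberoasting and anomalous reconnaissance, show up in east-west telemetry as fan-out patterns: one account requesting service tickets for many distinct SPNs in a short window, or one host opening connections to many internal peers on lateral-movement ports. The following is an added example and not ExtraHop's code or RevealX detection logic: it runs two simple sliding-window detectors over constructed Kerberos TGS-REQ records and internal flow records. The record shapes, the thresholds (10 SPNs in 5 minutes; 20 distinct hosts in 2 minutes), the port list, and all IPs and account names are assumptions made for the example.

```python
"""Added example, not ExtraHop's code: sliding-window detectors for two
east-west ransomware precursors over constructed sensor-style records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = 23  # Kerberos etype 23 (RC4-HMAC); AES256 is 18. RC4 requests are a downgrade signal.
LATERAL_PORTS = {135, 445, 3389, 5985, 5986}  # assumed: RPC, SMB, RDP, WinRM


def _ts(s):
    return datetime.fromisoformat(s)


def _build_tgs_records():
    """Constructed TGS-REQ records: (timestamp, client_ip, account, spn, etype).
    'alice' is a normal user; 'svc-backup' requests 12 distinct SPNs in one minute."""
    recs = [
        ("2026-01-20T09:00:01", "10.1.2.50", "alice", "MSSQLSvc/db01.corp.example:1433", 18),
        ("2026-01-20T09:07:30", "10.1.2.50", "alice", "HTTP/intranet.corp.example", 18),
    ]
    base = _ts("2026-01-20T09:15:00")
    for i in range(12):
        recs.append(((base + timedelta(seconds=5 * i)).isoformat(), "10.1.2.77",
                     "svc-backup", f"SVC{i:02d}/host{i:02d}.corp.example", RC4_HMAC))
    return recs


def _build_flows():
    """Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
    10.1.2.50 talks to one file server; 10.1.2.77 sweeps 25 hosts on SMB in 50 seconds."""
    flows = [("2026-01-20T09:20:00", "10.1.2.50", "10.1.5.10", 445),
             ("2026-01-20T09:21:00", "10.1.2.50", "10.1.5.10", 445)]
    base = _ts("2026-01-20T09:30:00")
    for i in range(25):
        flows.append(((base + timedelta(seconds=2 * i)).isoformat(),
                      "10.1.2.77", f"10.1.5.{20 + i}", 445))
    return flows


TGS_REQUESTS = _build_tgs_records()
FLOWS = _build_flows()


def detect_kerberoasting(records, window=timedelta(minutes=5), min_spns=10):
    """Flag an account that requests tickets for >= min_spns distinct SPNs within
    `window`. Returns one alert per offending account with the RC4 fraction."""
    by_account = defaultdict(list)
    for ts, src, acct, spn, etype in sorted(records, key=lambda r: r[0]):
        by_account[acct].append((_ts(ts), src, spn, etype))
    alerts = []
    for acct, events in by_account.items():
        recent = deque()  # events inside the current window
        for t, src, spn, etype in events:
            recent.append((t, src, spn, etype))
            while recent and t - recent[0][0] > window:
                recent.popleft()
            spns = {e[2] for e in recent}
            if len(spns) >= min_spns:
                rc4 = sum(1 for e in recent if e[3] == RC4_HMAC)
                alerts.append({"account": acct, "src_ip": src, "distinct_spns": len(spns),
                               "rc4_fraction": rc4 / len(recent)})
                break  # one alert per account, raised at the first threshold crossing
    return alerts


def detect_recon_fan_out(flows, window=timedelta(minutes=2), min_targets=20):
    """Flag a source that reaches >= min_targets distinct internal hosts on
    lateral-movement ports within `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows, key=lambda f: f[0]):
        if port in LATERAL_PORTS:
            by_src[src].append((_ts(ts), dst, port))
    alerts = []
    for src, events in by_src.items():
        recent = deque()
        for t, dst, port in events:
            recent.append((t, dst, port))
            while recent and t - recent[0][0] > window:
                recent.popleft()
            targets = {e[1] for e in recent}
            if len(targets) >= min_targets:
                alerts.append({"src_ip": src, "distinct_targets": len(targets),
                               "ports": sorted({e[2] for e in recent})})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(TGS_REQUESTS) + detect_recon_fan_out(FLOWS):
        print(a)
```

The thresholds are starting points, not tuned values: service accounts or scanners that legitimately touch many SPNs or hosts need an allow-list or a per-entity baseline, and a high RC4 fraction combined with a high SPN count is a stronger signal than either alone. In a production pipeline the same windowed logic would run over a stream rather than a sorted batch.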
Learn about how ExtraHop detects complex threats, including ransomware, in the video below, and then explore our latest findings in the ExtraHop Global Threat Landscape Report.
ExtraHop is on a mission to arm security teams to confront active threats and stop breaches. Our RevealX™ 360 platform, powered by cloud-scale AI, covertly decrypts and analyzes all cloud and network traffic in real time to eliminate blind spots and detect threats that other tools miss. Sophisticated machine learning models are applied to petabytes of telemetry collected continuously, helping ExtraHop customers to identify suspicious behavior and secure over 15 million IT assets, 2 million POS systems, and 50 million patient records. ExtraHop is a market share leader in network detection and response with 30 recent industry awards including Forbes AI 50, Cybercrime Ransomware 25, and SC Media Security Innovator.