Human-operated ransomware attacks involve the following stages:

  1. Initial compromise - The threat actor first gains access to a system or environment following a period of reconnaissance to identify weaknesses in its defenses.
  2. Persistence and defense evasion - The threat actor establishes a foothold in the system or environment using a backdoor or other mechanism that operates in stealth to avoid detection by incident response teams.
  3. Lateral movement - The threat actor uses the initial point of entry to migrate to other systems connected to the compromised device or network environment.
  4. Credential access - The threat actor uses a fake sign-in page to harvest user or system credentials.
  5. Data theft - The threat actor steals financial or other data from compromised users or systems.
  6. Impact - The affected user or organization might suffer material or reputational damage.