Ransomware rarely starts with encryption. This session follows a ransomware attack from initial probing and phishing through compromise, lateral movement, and the ransom trigger using real-world attack patterns drawn from years of incident response experience. We then rewind the incident to examine the controls, detections, and response actions that could have interrupted the attack earlier, while also covering strategies to minimize damage and accelerate recovery.