The attackers encrypted the ransomware payload, making static analysis difficult - They used legitimate Windows tools to disable security software - The attack timing (Friday afternoon before a holiday weekend) was designed to maximize damage before response teams could mobilize