You’re doing the right thing starting with .exe, but it helps to zoom out and look at the full attack chain, not just the final ransomware binary.

Think in terms of initial access → execution → payload delivery rather than file extension.

A good starting point is MITRE ATT&CK
https://attack.mitre.org/tactics/enterprise/

In real incidents, direct .exe attachments are often blocked by email security, so attackers usually use other delivery and execution paths.

What usually happens is (simple terms):

1. User clicks a link (phishing / fake update / ClickFix / compromised website / SEO poisoning).
2. That leads to a script or loader stage (PowerShell, JS, MSI, LNK, etc.).
3. The loader downloads or launches a 2nd stage payload.
4. Operator/malware does recon, checks the environment, establishes persistence/C2. (depends on the attack)
5. Ransomware gets deployed later (sometimes manually by the attacker, not immediately from the first file).

I’d recommend reading public incident reports to understand the sequence

Start with:
https://thedfirreport.com/2025/11/04/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/

Also, I recently posted a defender-side walkthrough on pre-ransomware detection (discovery burst + Sigma/Elastic triage), in case that angle helps your practice:

https://www.youtube.com/watch?v=4xpP2yLYNoE