Ransomware Detection Guide — Stop Attacks Before Encryption
Ransomware is not an instantaneous event. From initial access to the moment files begin encrypting, attackers spend an average of 4–10 days moving through your environment. That window is your opportunity to detect and stop the attack before any data is locked or exfiltrated.
The key insight that changes everything about ransomware defense: encryption is the last step, not the first. By the time `vssadmin delete shadows` runs, attackers have already completed reconnaissance, harvested credentials, moved laterally, and staged the payload. Every one of those steps leaves behavioral traces that AI-powered detection can identify.
The 5 Pre-Encryption Stages of a Ransomware Attack
Understanding the ransomware kill chain is the foundation of pre-encryption detection. Modern ransomware groups — RansomHub, LockBit 4.0, BlackCat, Cl0p — all follow a recognizable operational pattern before detonating their payload.
Stage 1: Initial Access and Reconnaissance
Attackers gain entry through phishing, VPN credential stuffing, RDP brute force, or exploiting public-facing applications. Once inside, they immediately begin reconnaissance: enumerating domain controllers, identifying backup systems, mapping network shares, and discovering high-value data stores. MITRE ATT&CK techniques T1083 (File and Directory Discovery) and T1135 (Network Share Discovery) are consistently observed in this phase.
Detection signals include: port scanning from internal workstations, unusual LDAP queries, enumeration of Active Directory objects, and access to file shares the account has never touched before.
Stage 2: Credential Harvesting
Attackers need domain administrator or backup operator privileges to execute ransomware at scale. This phase involves dumping credentials from LSASS memory (T1003 — OS Credential Dumping), harvesting Kerberos tickets (Pass-the-Ticket, T1550.003), or abusing Active Directory with DCSync attacks (T1003.006). Cloud environments see similar patterns: unusual API calls to IAM services, downloading SSH keys, or accessing AWS Secrets Manager.
LSASS access from non-system processes and DCSync replication requests from non-DC accounts are near-certain indicators of credential harvesting. These should trigger immediate high-priority investigation — not just alerting.
Stage 3: Lateral Movement
With elevated credentials, attackers spread to additional systems — particularly domain controllers, backup servers, and file servers. Common techniques include PsExec remote execution (T1569.002), Windows Management Instrumentation (T1047), and remote service creation. In cloud environments, lateral movement manifests as cross-account access and EC2 instance role assumption chains.
Behavioral detection looks for: accounts logging into systems they have never accessed, remote service installations, WMI process executions across multiple endpoints in a short time window, and admin share access patterns that deviate from baseline.
Stage 4: Staging and Exfiltration
Modern ransomware groups operate double-extortion: they exfiltrate data before encrypting it, giving them a second lever (publish the data if ransom isn't paid). This stage involves compressing files with tools like 7-Zip or WinRAR, uploading to cloud storage or file-sharing services, and staging the ransomware binary on accessible shares. T1041 (Exfiltration Over C2 Channel) and T1567 (Exfiltration Over Web Service) are key techniques here.
Stage 5: Pre-Encryption Preparation
In the final minutes before encryption, attackers execute a recognizable sequence: delete Volume Shadow Copies to prevent recovery (T1490 — Inhibit System Recovery), disable backup agents, stop security services, and deploy the ransomware payload to all compromised systems simultaneously. The `vssadmin delete shadows /all /quiet` command is one of the highest-fidelity ransomware precursor signals in existence.
Behavioral Indicators of Ransomware Activity
The following behavioral indicators — when detected in combination — constitute strong evidence of an active ransomware campaign. No single indicator is conclusive; the power is in correlation across signals.
| Indicator | MITRE Technique | Risk Level |
|---|---|---|
| Shadow copy deletion (vssadmin/wmic) | T1490 | CRITICAL |
| LSASS memory access from non-system process | T1003.001 | CRITICAL |
| DCSync replication from non-DC account | T1003.006 | CRITICAL |
| Mass file reads across network shares | T1083 | HIGH |
| PsExec / remote service installation | T1569.002 | HIGH |
| Outbound traffic to newly registered domain | T1041 | HIGH |
| Security service / backup agent stopped | T1562.001 | HIGH |
| Large archive creation (7z/RAR/ZIP) | T1560 | MEDIUM |
| Unusual off-hours domain admin activity | T1078 | MEDIUM |
MITRE ATT&CK Ransomware Techniques Deep Dive
T1486 — Data Encrypted for Impact
This is the encryption step itself — the technique most people associate with ransomware. Detecting T1486 directly means the attack has already succeeded. The goal of pre-encryption detection is to catch the precursor techniques (T1490, T1003, T1083) before T1486 executes. However, monitoring for unusual file extension changes and rapid file modification patterns can catch encryption in the earliest seconds if other detection layers fail.
T1490 — Inhibit System Recovery
Deleting shadow copies and disabling backup software is a near-universal step in ransomware attacks. The command `vssadmin delete shadows /all /quiet` run by any non-backup process should be treated as a ransomware incident in progress. Similarly, `wbadmin delete catalog`, `bcdedit /set {default} recoveryenabled No`, and disabling Windows Backup services are all high-fidelity indicators.
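To make the correlation argument concrete, here is an added Python example (not code from this page or from ZonForge Sentinel) that maps Sysmon-style process events to the techniques in the indicator table above, including the T1490 command lines listed in this section, and only raises an incident when two or more techniques with enough combined risk land on one host within a 30-minute window. The event field names, regexes, LSASS allowlist and the sample telemetry are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line indicators from the table above as (technique, risk, regex); the regexes are
# this example's own approximations, not a production signature set.
RULES = [
    ("T1490", "CRITICAL", re.compile(r"vssadmin\S*\s+delete\s+shadows|wmic\S*\s+shadowcopy\s+delete|"
                                     r"wbadmin\S*\s+delete\s+catalog|bcdedit.*recoveryenabled\s+no", re.I)),
    ("T1562.001", "HIGH", re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S*(backup|defender|antivirus)", re.I)),
    ("T1560", "MEDIUM", re.compile(r"\b(7z|rar|winrar)(\.exe)?\s+a\s", re.I)),
]
RISK_SCORE = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1}
WINDOW = timedelta(minutes=30)
# Example allowlist of images expected to open lsass.exe; tune this to your own environment.
ALLOWED_LSASS_READERS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def classify(event):
    """Map one event to (technique, risk), or None if it matches no indicator."""
    if event["type"] == "process_access" and event["target"].lower() == "lsass.exe":
        return None if event["image"].lower() in ALLOWED_LSASS_READERS else ("T1003.001", "CRITICAL")
    if event["type"] == "process_create":
        for tech, risk, rx in RULES:
            if rx.search(event["cmdline"]):
                return (tech, risk)
    return None

def correlate(events, threshold=5):
    """Per host, score the distinct techniques seen within WINDOW and flag the host only when
    two or more co-occur and their summed risk reaches the threshold (one hit can never fire)."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        c = classify(e)
        if c:
            hits[e["host"]].append((datetime.fromisoformat(e["ts"]), *c))
    incidents = {}
    for host, h in hits.items():
        for i, (t_end, _, _) in enumerate(h):
            window = {tech: risk for t, tech, risk in h[:i + 1] if t_end - t <= WINDOW}
            score = sum(RISK_SCORE[r] for r in window.values())
            if len(window) >= 2 and score >= max(threshold, incidents.get(host, {}).get("score", 0) + 1):
                incidents[host] = {"score": score, "techniques": sorted(window)}
    return incidents

# Constructed Sysmon-style telemetry for the demo; not real data.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:10:00", "host": "FS01", "type": "process_access", "image": r"C:\Users\Public\svc.exe", "target": "lsass.exe"},
    {"ts": "2024-05-01T02:21:30", "host": "FS01", "type": "process_create", "cmdline": "net stop ExampleBackupAgent"},
    {"ts": "2024-05-01T02:25:00", "host": "FS01", "type": "process_create", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2024-05-01T09:00:00", "host": "WS22", "type": "process_create", "cmdline": r"7z.exe a reports.7z D:\Reports"},
]
```

Running `correlate(SAMPLE_EVENTS)` flags FS01 (LSASS access, backup agent stopped and shadow copies deleted within 15 minutes) while WS22, with only a MEDIUM archive-creation hit, stays quiet.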
T1083 — File and Directory Discovery
Before encrypting, ransomware operators need to know what to encrypt. Mass enumeration of file systems — particularly network shares, backup drives, and document libraries — is a consistent pre-encryption behavior. AI detection identifies accounts that access an abnormally high number of files (e.g., 10,000+ files in 30 minutes) compared to their historical baseline.
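As an added example (not the page's or the vendor's code), the following Python sketch implements the baseline comparison described above: it learns each account's peak file-opens per 30-minute window from a learning period, then flags accounts whose live count exceeds a multiple of their own peak, with a separate cold-start threshold for accounts without history. The event format, thresholds and the synthetic open events are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)

def window_counts(events):
    """Yield (user, time, n) for every file-open event, where n is the number of opens by that
    user in the trailing 30-minute window (events are sorted by timestamp first)."""
    recent = defaultdict(deque)
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        q = recent[e["user"]]
        q.append(t)
        while t - q[0] > WINDOW:          # drop opens that fell out of the window
            q.popleft()
        yield e["user"], t, len(q)

def build_baseline(history):
    """Per-user peak opens-per-30-minutes over the learning period (the historical baseline)."""
    peak = defaultdict(int)
    for user, _, n in window_counts(history):
        peak[user] = max(peak[user], n)
    return dict(peak)

def detect_mass_access(events, baseline, ratio=10, min_files=1000, cold_start=10000):
    """Return the first alert per user whose trailing 30-minute open count exceeds `ratio` times
    their own peak baseline (never below `min_files`); accounts with no history use `cold_start`."""
    alerts = {}
    for user, t, n in window_counts(events):
        limit = max(min_files, ratio * baseline[user]) if user in baseline else cold_start
        if n > limit and user not in alerts:
            alerts[user] = {"at": t.isoformat(), "opens_30m": n, "baseline_peak": baseline.get(user, 0)}
    return alerts

def synth_opens(user, start, count, ms_apart):
    """Constructed file-open events: `count` opens by `user`, one every `ms_apart` milliseconds."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(milliseconds=i * ms_apart)).isoformat(), "user": user}
            for i in range(count)]

# Constructed learning period: alice opens a file every 10 minutes (peak 4 per window),
# carol works in bursts of 150 files within a window; bob has no history at all.
HISTORY = synth_opens("alice", "2024-04-01T09:00:00", 200, 600_000) + \
          synth_opens("carol", "2024-04-01T09:00:00", 150, 10_000)
# Constructed live traffic: alice reads 3,000 files in five minutes, carol 1,200 in twenty,
# bob 300 in thirty.
LIVE = (synth_opens("alice", "2024-05-01T02:00:00", 3000, 100)
        + synth_opens("carol", "2024-05-01T09:00:00", 1200, 1_000)
        + synth_opens("bob", "2024-05-01T10:00:00", 300, 6_000))
```

`detect_mass_access(LIVE, build_baseline(HISTORY))` alerts on alice as soon as she passes 1,000 opens (250 times her peak), while carol's burst stays within ten times her own baseline and bob, with no history, never approaches the cold-start threshold.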
Detection Tools Comparison
| Detection Approach | Pre-Encryption Detection | False Positive Rate | Investigation Speed |
|---|---|---|---|
| AI SOC Platform (behavioral) | Stages 1–4 | Low (AI-correlated) | Seconds (automated) |
| EDR (endpoint behavioral) | Stage 5 (late) | Medium | Minutes (analyst) |
| Traditional SIEM + rules | Stage 5 (late) | High (noisy) | Hours (analyst) |
| Signature-based AV/EPP | Stage 5 or after | Low (but misses novel) | Instant |
| Network monitoring (NDR) | Stage 3–4 (C2/exfil) | Medium | Minutes (analyst) |
Ransomware Response Playbook
When behavioral analytics fires on ransomware precursor signals, the response playbook should execute within minutes, not hours.
Immediate Containment (0–15 minutes)
- Isolate the affected endpoint(s) from the network — disable network adapters or quarantine via EDR
- Disable the compromised user account(s) in Active Directory and cloud identity providers
- Revoke active sessions and invalidate Kerberos tickets (krbtgt password reset if DCSync detected)
- Snapshot or preserve impacted systems before forensic investigation
- Notify the incident response team and begin chain of custody documentation
Investigation (15–60 minutes)
- Identify the initial access vector — review VPN logs, email gateway, and external-facing application logs
- Map all systems the compromised account touched during the attack window
- Determine if data exfiltration occurred before containment — review DNS logs, proxy logs, and DLP alerts
- Identify whether domain administrator credentials were compromised
Recovery and Hardening
- Restore from verified clean backups (confirm backups were not accessed during the attack)
- Reset all privileged account credentials across all systems
- Implement network segmentation to prevent future lateral movement
- Deploy privileged access workstations (PAWs) for administrative tasks
- Enable MFA on all administrative and VPN access
ZonForge Sentinel automatically correlates ransomware precursor signals across cloud, identity, and endpoint data. When LSASS credential dumping, lateral movement, and shadow copy deletion signals appear within the same attack timeline, ZonForge generates a complete investigation report — including affected systems, timeline reconstruction, and recommended containment actions — in under 60 seconds.
Building a Proactive Ransomware Defense Program
Detection is only one layer of an effective ransomware defense. A complete program includes prevention, detection, and response capabilities working together.
Prevention fundamentals: privileged access management (PAM), MFA everywhere, phishing-resistant authentication, network segmentation, timely patching of VPN and remote access systems, and regular backup testing (including testing restoration from air-gapped backups).
Detection capabilities: behavioral analytics covering endpoint, identity, network, and cloud data sources; correlation of ransomware-specific MITRE ATT&CK techniques; and automated investigation that fires on precursor signals — not just the encryption event itself.
Response readiness: documented playbooks, pre-authorized containment actions, and tabletop exercises that simulate ransomware scenarios at least quarterly.