Ransomware Detection Guide — Stop Attacks Before Encryption
Ransomware attacks are detectable 4–10 days before encryption begins, during a pre-encryption phase that includes credential theft, lateral movement, and shadow-copy deletion. This guide breaks down the five-stage ransomware kill chain, the highest-fidelity behavioral indicators at each stage, and the automated response playbook security teams need to stop attacks before any data is locked.
- Encryption is the last step of a ransomware attack, not the first — attackers spend days inside your environment first.
- Shadow-copy deletion, LSASS access, and DCSync requests are near-certain precursor signals that should trigger immediate investigation.
- Behavioral, AI-correlated detection catches ransomware in stages 1–4; signature-based tools typically only catch it at stage 5 or later.
- A documented containment playbook should isolate affected systems and disable compromised accounts within 15 minutes of detection.
Ransomware is not an instantaneous event. From initial access to the moment files begin encrypting, attackers spend an average of 4–10 days moving through your environment. That window is your opportunity to detect and stop the attack before any data is locked or exfiltrated.
The key insight that changes everything about ransomware defense: encryption is the last step, not the first. By the time vssadmin delete shadows runs, attackers have already completed reconnaissance, harvested credentials, moved laterally, and staged the payload. Every one of those steps leaves behavioral traces that AI-powered detection can identify.
Background: How Ransomware Became a Pre-Encryption Detection Problem
Ransomware has evolved from opportunistic, single-extortion malware — like the 2017 WannaCry and NotPetya worms, which encrypted indiscriminately within minutes of execution — into a structured criminal business model. Since 2020, the dominant model has been Ransomware-as-a-Service (RaaS): groups like LockBit, BlackCat/ALPHV, and Cl0p license their encryption payloads and negotiation infrastructure to "affiliates" who handle initial access and lateral movement themselves. That division of labor stretched out the attack timeline, because affiliates now spend days establishing footholds and harvesting credentials before ever deploying the encryptor, in order to maximize blast radius and the leverage of double extortion (steal data, then encrypt). That longer dwell time is exactly what makes pre-encryption detection both possible and necessary — by the time the encryption payload runs, response options have narrowed from prevention to recovery.
The 5 Pre-Encryption Stages of a Ransomware Attack
Understanding the ransomware kill chain is the foundation of pre-encryption detection. Modern ransomware groups — RansomHub, LockBit 4.0, BlackCat, Cl0p — all follow a recognizable operational pattern before detonating their payload.
Stage 1: Initial Access and Reconnaissance
Attackers gain entry through phishing, VPN credential stuffing, RDP brute force, or exploiting public-facing applications. Once inside, they immediately begin reconnaissance: enumerating domain controllers, identifying backup systems, mapping network shares, and discovering high-value data stores. MITRE ATT&CK technique T1083 (File and Directory Discovery) and T1135 (Network Share Discovery) are consistently observed in this phase.
Detection signals include: port scanning from internal workstations, unusual LDAP queries, enumeration of Active Directory objects, and access to file shares the account has never touched before.
Stage 2: Credential Harvesting
Attackers need domain administrator or backup operator privileges to execute ransomware at scale. This phase involves dumping credentials from LSASS memory (T1003 — OS Credential Dumping), harvesting Kerberos tickets (Pass-the-Ticket, T1550.003), or abusing Active Directory with DCSync attacks (T1003.006). Cloud environments see similar patterns: unusual API calls to IAM services, downloading SSH keys, or accessing AWS Secrets Manager.
LSASS access from non-system processes and DCSync replication requests from non-DC accounts are near-certain indicators of credential harvesting. These should trigger immediate high-priority investigation — not just alerting.
Stage 3: Lateral Movement
With elevated credentials, attackers spread to additional systems — particularly domain controllers, backup servers, and file servers. Common techniques include PsExec remote execution (T1569.002), Windows Management Instrumentation (T1047), and remote service creation. In cloud environments, lateral movement manifests as cross-account access and EC2 instance role assumption chains.
Behavioral detection looks for: accounts logging into systems they have never accessed, remote service installations, WMI process executions across multiple endpoints in a short time window, and admin share access patterns that deviate from baseline.
Stage 4: Staging and Exfiltration
Modern ransomware groups operate double-extortion: they exfiltrate data before encrypting it, giving them a second lever (publish the data if ransom isn't paid). This stage involves compressing files with tools like 7-Zip or WinRAR, uploading to cloud storage or file-sharing services, and staging the ransomware binary on accessible shares. T1041 (Exfiltration Over C2 Channel) and T1567 (Exfiltration Over Web Service) are key techniques here.
Stage 5: Pre-Encryption Preparation
In the final minutes before encryption, attackers execute a recognizable sequence: delete Volume Shadow Copies to prevent recovery (T1490 — Inhibit System Recovery), disable backup agents, stop security services, and deploy the ransomware payload to all compromised systems simultaneously. The vssadmin delete shadows /all /quiet command is one of the highest-fidelity ransomware precursor signals in existence.
Case study scenario: A 60-person manufacturing company is breached via a brute-forced RDP endpoint on a Friday evening. Over the next 3 days, the affiliate group dumps LSASS credentials from a domain-joined workstation, uses the harvested admin credentials to move laterally to the backup server via PsExec, and stages 40 GB of financial and engineering files for exfiltration to a cloud storage bucket. Early Monday morning, a vssadmin delete shadows /all /quiet command runs on the backup server from an account that has never executed it before. Behavioral detection correlates the LSASS access, the off-hours PsExec lateral movement, and the shadow-copy deletion into a single high-confidence ransomware-in-progress alert, triggering automatic network isolation of the backup server roughly 6 hours before the encryption payload was scheduled to detonate.
Behavioral Indicators of Ransomware Activity
The following behavioral indicators — when detected in combination — constitute strong evidence of an active ransomware campaign. No single indicator is conclusive; the power is in correlation across signals.
| Indicator | MITRE Technique | Risk Level |
|---|---|---|
| Shadow copy deletion (vssadmin/wmic) | T1490 | CRITICAL |
| LSASS memory access from non-system process | T1003.001 | CRITICAL |
| DCSync replication from non-DC account | T1003.006 | CRITICAL |
| Mass file reads across network shares | T1083 | HIGH |
| PsExec / remote service installation | T1569.002 | HIGH |
| Outbound traffic to newly registered domain | T1041 | HIGH |
| Security service / backup agent stopped | T1562.001 | HIGH |
| Large archive creation (7z/RAR/ZIP) | T1560 | MEDIUM |
| Unusual off-hours domain admin activity | T1078 | MEDIUM |
MITRE ATT&CK Ransomware Techniques Deep Dive
T1486 — Data Encrypted for Impact
This is the encryption step itself — the technique most people associate with ransomware. Detecting T1486 directly means the attack has already succeeded. The goal of pre-encryption detection is to catch the precursor techniques (T1490, T1003, T1083) before T1486 executes. However, monitoring for unusual file extension changes and rapid file modification patterns can catch encryption in the earliest seconds if other detection layers fail.
T1490 — Inhibit System Recovery
Deleting shadow copies and disabling backup software is a near-universal step in ransomware attacks. The command vssadmin delete shadows /all /quiet run by any non-backup process should be treated as a ransomware incident in progress. Similarly, wbadmin delete catalog, bcdedit /set {default} recoveryenabled No, and disabling Windows Backup services are all high-fidelity indicators.
T1083 — File and Directory Discovery
Before encrypting, ransomware operators need to know what to encrypt. Mass enumeration of file systems — particularly network shares, backup drives, and document libraries — is a consistent pre-encryption behavior. AI detection identifies accounts that access an abnormally high number of files (e.g., 10,000+ files in 30 minutes) compared to their historical baseline.
Detection Tools Comparison
| Detection Approach | Pre-Encryption Detection | False Positive Rate | Investigation Speed |
|---|---|---|---|
| AI SOC Platform (behavioral) | Stages 1–4 | Low (AI-correlated) | Seconds (automated) |
| EDR (endpoint behavioral) | Stage 5 (late) | Medium | Minutes (analyst) |
| Traditional SIEM + rules | Stage 5 (late) | High (noisy) | Hours (analyst) |
| Signature-based AV/EPP | Stage 5 or after | Low (but misses novel) | Instant |
| Network monitoring (NDR) | Stage 3–4 (C2/exfil) | Medium | Minutes (analyst) |
Ransomware Response Playbook
When behavioral analytics fires on ransomware precursor signals, the response playbook should execute within minutes, not hours.
Immediate Containment (0–15 minutes)
- Isolate the affected endpoint(s) from the network — disable network adapters or quarantine via EDR
- Disable the compromised user account(s) in Active Directory and cloud identity providers
- Revoke active sessions and invalidate Kerberos tickets (krbtgt password reset if DCSync detected)
- Snapshot or preserve impacted systems before forensic investigation
- Notify the incident response team and begin chain of custody documentation
Investigation (15–60 minutes)
- Identify the initial access vector — review VPN logs, email gateway, and external-facing application logs
- Map all systems the compromised account touched during the attack window
- Determine if data exfiltration occurred before containment — review DNS logs, proxy logs, and DLP alerts
- Identify whether domain administrator credentials were compromised
Recovery and Hardening
- Restore from verified clean backups (confirm backups were not accessed during the attack)
- Reset all privileged account credentials across all systems
- Implement network segmentation to prevent future lateral movement
- Deploy privileged access workstations (PAWs) for administrative tasks
- Enable MFA on all administrative and VPN access
ZonForge Sentinel automatically correlates ransomware precursor signals across cloud, identity, and endpoint data. When LSASS credential dumping, lateral movement, and shadow copy deletion signals appear within the same attack timeline, ZonForge generates a complete investigation report — including affected systems, timeline reconstruction, and recommended containment actions — in under 60 seconds.
Building a Proactive Ransomware Defense Program
Detection is only one layer of an effective ransomware defense. A complete program includes prevention, detection, and response capabilities working together.
Prevention fundamentals: privileged access management (PAM), MFA everywhere, phishing-resistant authentication, network segmentation, timely patching of VPN and remote access systems, and regular backup testing (including testing restoration from air-gapped backups).
Detection capabilities: behavioral analytics covering endpoint, identity, network, and cloud data sources; correlation of ransomware-specific MITRE ATT&CK techniques; and automated investigation that fires on precursor signals — not just the encryption event itself.
Response readiness: documented playbooks, pre-authorized containment actions, and tabletop exercises that simulate ransomware scenarios at least quarterly. Many of the same behavioral signals used for ransomware detection — credential abuse, lateral movement, anomalous data access — overlap heavily with insider threat detection and supply chain attack indicators, so a unified behavioral analytics layer covers all three simultaneously rather than requiring separate tooling.
- Behavioral detection covers identity, endpoint, network, and cloud data sources — not just one layer
- Alerts fire on T1490 (shadow copy deletion) and T1003 (credential dumping) at critical severity, not buried in a queue
- A documented containment playbook can isolate a host and disable an account within 15 minutes
- Backups are tested quarterly for restore integrity, including air-gapped or immutable copies
- MFA is enforced on 100% of administrative, VPN, and remote access accounts
- Tabletop exercises simulate a ransomware scenario at least once per quarter
Frequently Asked Questions
Stop Ransomware Before Encryption Starts
See ZonForge Sentinel detect ransomware precursor behaviors in your environment — live, not in a sandbox.