How to stop an encryption attack: lessons from real incidents

17.11.2025 10 minutes Author: Cyber Witcher

This article explains how to detect the early signs of an attack and stop ransomware before it gets going. It describes the typical actions attackers take at the beginning of an attack, discusses common security mistakes, and highlights which defensive steps actually help prevent an incident. You will learn why rapid response and proper tool configuration are key to fighting ransomware.

The key moment to stop the threat

In recent years, cyber security experts have increasingly encountered situations where attackers are already preparing to launch ransomware, but the encryption phase has not yet arrived. It is this intermediate period that becomes crucial in order to stop the attack in time and prevent it from turning into a large-scale incident.

Practice shows that two factors play a key role in containing the threat: rapid engagement of the response team and prompt processing of security system alerts, preferably within the first two hours. Speed of action is what allows you to break the attack chain before encryption is launched.

Experience also shows that in the initial stages attackers usually use similar techniques and leave characteristic signs of preparation. Identifying these indicators helps to understand what activity most often precedes the more serious phase of an attack. Typical defensive mistakes can also be singled out: the very weaknesses that allow the adversary to advance further.

The combination of these observations allows us to formulate practical advice that helps strengthen companies’ defenses and stop attacks at the very beginning, even before encryption is activated.

What qualifies an incident as “pre-ransomware”?

Incident response experts associate certain attacker actions with activity that typically precedes encryption. When attackers attempt to gain domain administrator-level access, they often go through a sequence of account changes, privilege escalation, deployment of command-and-control or other remote access tools, and credential harvesting or automation to make changes to systems. While the specific tools or chains of actions vary by group, these are the steps experts have observed for years. The combination of these actions, together with indicators of compromise and the tactics and techniques that ransomware operators typically use before actual encryption begins, allows an incident to be classified as pre-ransomware.

At the same time, some of these techniques are also used by initial access brokers (IABs), who gain control of systems in order to sell that access to other attackers. Because of this, a certain share of such incidents could be attributed to IABs rather than to ransomware operators. However, even when the attacker's ultimate goal is difficult to establish, experts note with high confidence that the tactics regularly recorded at these stages almost always precede the deployment of ransomware. And if the actions really did belong to an IAB, practice shows that such campaigns very often end in encryption attacks after the access is sold, which makes this activity equally important to analyze.

Key actions and security measures that prevent the deployment of ransomware

Incident response specialists analyzed cases from the past two and a half years that were classified as pre-ransomware attacks. The goal was to determine which actions and defenses were crucial in stopping the attack chain before the encryption stage. An overview of the results is presented in the diagram below, followed by a more detailed analysis of each category showing how individual steps helped to disrupt the attackers' plans.

Figure 1. Pie chart of factors that prevent ransomware deployment.

Rapid engagement of the incident response team

Promptly engaging specialists within a day or two of the first signs of malicious activity (ideally immediately) is often key to stopping an attack before it even reaches the encryption stage. To see why this works, it is worth considering the main benefits of early response. The critical factors are the following:

  • Deep understanding of current threats. Analysts can match tactics and indicators seen in an incident to known attack patterns, determining whether it is part of a broader campaign.

  • Operational containment recommendations. In many cases, organizations that acted quickly were able to avoid serious consequences and disrupt the attackers’ preparatory actions.

  • Enhanced post-containment monitoring. Additional event analysis tools help ensure that the threat is fully contained and cannot return.

This approach not only stops the attack from progressing, but also allows you to respond to it at a stage when the attacker does not yet have a sufficient presence on the network.

However, there have been situations where a delay in responding gave attackers the opportunity to continue along the attack chain: to steal data, disable protection or run an encryptor. Such cases often ended with corrupted backups, EDR shutdowns and serious disruption to the company.

EDR/MDR signals have become a catalyst for rapid response

Timely monitoring of security systems and event logs allows specialists to react as soon as the first signs of danger appear, isolate the attacker's activity and prevent them from advancing further. In many cases, action by the security team within two hours of receiving an alert from EDR or a managed detection and response (MDR) service successfully contained the incident.

To understand how such signals help to intercept the threat in time, it is worth paying attention to the most typical warning indicators that are often recorded at the early stages:

  • Attempts to access blocked domains.

  • Brute force attacks.

  • PowerShell loading or running.

  • Anomalies in normal system or user behavior.

  • Creating new accounts with domain administrator privileges.

  • Connecting to unknown public IP addresses.

  • Reconnaissance commands, including shell access and whoami-style commands.

  • Modifying MFA settings to create bypass tokens.

  • Changes to accounts to bypass MFA requirements.

Such indicators often serve as an early signal of the development of malicious activity and provide an opportunity to stop the attack before it reaches a critical phase.

Notification by the US government and/or other partners about pre-ransomware activity

In nearly 15 percent of cases, targeted organizations were able to stay ahead of the threat thanks to alerts from U.S. Government (USG) partners and their managed service provider (MSP) representatives about potential ransomware deployment in their environment. In particular, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has launched an early warning initiative for potential ransomware attacks, which aims to help organizations identify threats and evict actors before significant damage is done. CISA's intelligence comes primarily from its partnerships with the cybersecurity research community, infrastructure vendors, and cyber threat intelligence companies.

Security solutions configured to actively block threats

In some incidents, it was the security systems themselves that played the key role, automatically blocking or quarantining malicious executables. This immediately interrupted the attack chain and did not let the attackers advance further.

To understand why this system behavior is so critical, it is worth looking at what often happens in less secure environments:

  • Endpoint protection works only in notification mode. The product reports the threat, but does not block it.

  • Passive configurations allow malware to run. In such conditions, attackers can activate their tools, including encryptors, without hindrance.

  • A more aggressive mode significantly reduces risk. When the security solution is configured to block automatically, it is able to stop the attack at the initial stage.

Practice shows that active blocking policies significantly complicate the movement of attackers in the network and often become a decisive factor that prevents the attack from moving to the encryption phase.

Robust security restrictions prevented access to key resources

According to the analysis, strict access restrictions were the decisive factor in preventing the development of an attack in nine percent of cases. In one incident, attackers managed to compromise a work account, but properly configured access rights did not allow them to reach critical systems, including domain controllers, effectively stopping further progress along the attack chain.

The presence of extensive logging and a system for centralized event collection also proved to be important. Organizations that had these tools could provide enough data to accurately reproduce the sequence of actions of the attacker and identify areas where additional protection mechanisms were needed. In environments where logging is absent or partially implemented, it is much more difficult to identify the weaknesses that allowed the threat to gain a foothold.

Most Observed Indicators Before Ransomware

After mapping the tactics, techniques, and procedures observed in this study to the MITRE ATT&CK framework, it was determined that the techniques presented in Figure 2 occurred most frequently during incidents.

Figure 2. Prevalence of tactics, techniques and procedures (TTPs) before ransomware attacks.

When analyzing the most common attack techniques, several areas were identified that attackers use most often. Remote services play a significant role, in particular RDP, PsExec, and PowerShell, which are regularly used to access and move within the network. Also noticeably widespread is the use of popular remote access tools such as AnyDesk, Atera, Microsoft Quick Assist, and Splashtop, which attackers use to establish themselves in the environment.

A separate category consists of techniques for obtaining operating system credentials. The most common actions target the domain controller registry, the SAM and NTDS.DIT files, the LSASS process, and utilities such as AD Explorer. Password stealing tools, in particular Mimikatz, remain among the most used.

Another common element is reconnaissance of network services using commands and utilities such as netscan, nltest, and netview, which allow attackers to identify available resources and map the environment before advancing the attack further.

These widespread techniques serve as an important signal to security teams: this activity often precedes the more serious phases of an attack. Strengthening controls over the use of remote services, securing remote access tools, and protecting credential stores can significantly limit the capabilities of most attackers before they even move on to encryption.
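As an added example (not code from the article), the following Python script triages a constructed EDR/SIEM event stream for the early warning indicators listed above and the reconnaissance and privilege-change techniques from the TTP section, escalating an account only when several distinct indicator categories co-occur. The event field names, the internal address ranges and the egress allowlist are assumptions.

```python
import ipaddress
import json

# Constructed sample EDR/SIEM export (JSON lines); the field names are assumptions.
SAMPLE_EVENTS = r"""
{"ts":"2025-11-17T09:02:11Z","host":"WS-114","user":"j.doe","type":"process","image":"C:\\Windows\\System32\\whoami.exe"}
{"ts":"2025-11-17T09:02:40Z","host":"WS-114","user":"j.doe","type":"process","image":"C:\\Windows\\System32\\nltest.exe"}
{"ts":"2025-11-17T09:03:05Z","host":"WS-114","user":"j.doe","type":"process","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ts":"2025-11-17T09:05:30Z","host":"DC01","user":"j.doe","type":"group_change","group":"Domain Admins","member":"svc-backup2","action":"added"}
{"ts":"2025-11-17T09:06:00Z","host":"WS-114","user":"j.doe","type":"network","dest_ip":"203.0.113.45","dest_port":443}
{"ts":"2025-11-17T09:07:00Z","host":"WS-201","user":"a.smith","type":"process","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"ts":"2025-11-17T09:07:30Z","host":"WS-201","user":"a.smith","type":"network","dest_ip":"10.20.30.40","dest_port":445}
"""

# Indicator categories follow the article's list of early warning signs and TTPs.
RECON_IMAGES = {"whoami.exe", "nltest.exe", "net.exe", "net1.exe", "netscan.exe"}
PRIV_GROUPS = {"domain admins", "enterprise admins"}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_EGRESS = {"198.51.100.10"}  # constructed allowlist of approved public destinations

def classify(ev):
    """Return the indicator categories matched by a single event."""
    kind, image = ev.get("type"), ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if kind == "process" and image in RECON_IMAGES:
        return ["reconnaissance commands"]
    if kind == "process" and image == "powershell.exe":
        return ["powershell execution"]
    if kind == "group_change" and ev.get("action") == "added" and ev.get("group", "").lower() in PRIV_GROUPS:
        return ["new domain admin account"]
    if kind == "network":
        ip = ipaddress.ip_address(ev["dest_ip"])
        if not any(ip in net for net in INTERNAL) and ev["dest_ip"] not in KNOWN_EGRESS:
            return ["unknown public ip"]
    if kind == "mfa_change":
        return ["mfa settings modified"]
    return []

def triage(jsonl):
    """Collect distinct indicator categories per acting account: {user: set(categories)}."""
    findings = {}
    for line in filter(None, jsonl.splitlines()):
        ev = json.loads(line)
        for cat in classify(ev):
            findings.setdefault(ev["user"], set()).add(cat)
    return findings

def escalate(jsonl, min_categories=3):
    """Accounts spanning >= min_categories indicators: treat as pre-ransomware and engage IR now."""
    return sorted(u for u, cats in triage(jsonl).items() if len(cats) >= min_categories)
```

A single whoami or PowerShell launch is often benign, which is why the escalation threshold counts distinct categories per account rather than raw hits; in the sample, j.doe crosses it and a.smith does not.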

Observed security gaps and common recommendations

Incident response professionals formulate recommendations for organizations after a detailed analysis of the environment and the attacker’s actions to help address vulnerabilities that could have facilitated an attack. Such advice often covers several key areas:

  1. Update all operating systems and software to the latest version.

  2. Store backups offline.

  3. Configure security solutions to only allow the launch of trusted, secure applications and prevent the installation of unexpected software.

  4. Require multi-factor authentication (MFA) for all critical services, including remote access and identity access management (IAM) services, and monitor MFA abuse.

  5. Deploy Sysmon for improved endpoint visibility and logging.

  6. Implement meaningful firewall rules for both inbound and outbound traffic to block unwanted protocols that attackers might use as part of their command-and-control and data-collection or data-extraction activities.

  7. Implement robust network segmentation to minimize lateral movement and reduce the attack surface by ensuring that valuable assets such as domain controllers are not directly connected to the Internet except for critical functions.

  8. Implement or enhance cybersecurity training for end users on social engineering tactics, including coverage of recently popular attacks such as MFA fatigue attacks and man-in-the-middle token phishing attacks.
