hack3rs.ca network-security
/threats/ransomware-and-data-extortion-operations :: AV-08


AV-08 · Ransomware and data extortion operations

Modern ransomware operations start long before encryption. Attackers spend days or weeks gaining access, collecting credentials, disabling defenses, and staging data before triggering the event that gets everyone's attention.

$ action: Harden identity controls and backups, detect pre-encryption staging behaviors, segment critical services, and rehearse your containment and recovery decisions before a crisis forces them.

1. Why Ransomware Remains Effective

Ransomware targets business continuity, not just technical systems. When backups are offline, critical services are encrypted, and exfiltrated data appears on a leak site, organizations face pressure from multiple directions simultaneously. That's the design — not an accident.

Most modern ransomware incidents are not single-event attacks. Credential theft, privilege escalation, lateral movement to backup systems and domain controllers, data staging for exfiltration, and defense tampering all happen before the encryption payload runs. The earliest detection windows are during those pre-impact phases.

Organizations that focus defenses on malware signatures and endpoint detection while neglecting identity controls, segmentation, backup integrity, and logging coverage remain vulnerable even with modern tools deployed.

2. What Ransomware Operators Do Before Impact

Before triggering encryption, operators typically map the environment, escalate privileges, disable or tamper with backups, locate and disable security tools, and spread across admin paths to as many systems as possible. Each of those steps leaves observable evidence if you're collecting the right telemetry.

Watch for: abnormal remote admin activity across many hosts in short timeframes, mass authentication attempts, backup service tampering or deletion, security software being stopped or excluded, unusual staging or compression before data moves outbound.

The mental model matters. Ransomware is a multi-stage operation. Every stage before encryption is a detection opportunity. Teams that wait for an encryption alert are already behind.

3. How Defenders Mitigate and Prepare

Segment critical systems and admin paths. Limit which hosts can reach backup infrastructure and domain controllers. A compromised workstation shouldn't have a direct path to your backup server. Protect backups with immutability where possible, and actually run restore tests — a backup you've never restored is an assumption, not a control.

Build detection coverage specifically for pre-impact behaviors: suspicious auth sequences, lateral movement via admin protocols, security-control tampering, backup config changes, and unusual outbound data transfers. Network and host telemetry together give you the confidence to act before the encryption event.

Practice the response decisions in advance. Who isolates which hosts? Who disables which accounts? Which systems get prioritized for recovery? What do you tell leadership at hour one versus hour four? Incidents are not the time to figure those things out.

detection-signals

  • $Authentication logs show rapid credential use across many internal hosts — consistent with automated credential spraying or pass-the-hash traversal.
  • $Remote administration tools, PsExec, or WMI command execution appear on endpoints where those tools are not part of normal operations.
  • $Backup service logs show configuration changes, deletion attempts, or the backup service process being stopped — without a corresponding change ticket.
  • $File system telemetry shows mass access, staging into a temporary directory, compression, and then transfer to an external destination in a short window.
  • $A security tool's service is stopped, exclusion paths are added, or log forwarding drops off — immediately before or during suspicious activity on the same host.

telemetry-sources

  • $Windows/Linux auth logs, EDR/XDR, and endpoint service/process telemetry.
  • $Zeek/Suricata/NetFlow for east-west movement and exfiltration patterns.
  • $Backup platform logs and restore/retention configuration audit logs.
  • $Firewall/VPN/proxy logs for unusual outbound and admin traffic.
  • $Ticketing/change records to validate whether high-impact actions were expected.

recommended-tools-and-guides


lab-safe-detection-workflows

These commands are for learning, validation, and defensive triage in your own lab or authorized environment. Adapt to your tooling and log locations.

Pre-impact triage workflow (network + host evidence)

# Parse the capture with the default local policy to produce conn.log and the other Zeek logs
zeek -r suspected-spread.pcap local
# Count repeated source -> destination/service tuples to surface fan-out
# (ts is deliberately left out: with it every row is unique and uniq -c counts nothing)
zeek-cut id.orig_h id.resp_h service < conn.log | sort | uniq -c | sort -nr | head -20
# Host side: recent service, backup, and authentication events from the journal
journalctl --since "-2h" | grep -Ei "service|backup|stop|disable|auth|sudo" | tail -n 150

$ why: Use combined evidence to detect spread behavior and service tampering before focusing only on payload indicators.
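As an added example (not code from the hack3rs.ca page), the fan-out check described under "Watch for" and in detection-signals, applied to zeek-cut style output like the triage workflow above produces: it flags a source that reaches many distinct hosts over SMB/RDP/WinRM ports inside a short window. The sample conn records, the admin port set, and the window/threshold values are constructed assumptions to adjust to your own baseline.

```python
"""Flag internal hosts fanning out over admin protocols within a short window.
Input is zeek-cut style TSV: ts  id.orig_h  id.resp_h  id.resp_p  service
(constructed sample below, not real traffic)."""
from collections import defaultdict

# Ports behind the lateral-movement paths the page names (SMB/PsExec, RDP, WinRM, DCOM/WMI)
ADMIN_PORTS = {445, 3389, 5985, 5986, 135}

# Constructed sample: 10.0.5.23 touches six hosts over SMB/RDP/WinRM in ~4 minutes;
# 10.0.5.40 is a normal client talking to one file server an hour apart.
SAMPLE_CONN = """\
1700000000.1\t10.0.5.23\t10.0.1.10\t445\tsmb
1700000030.4\t10.0.5.23\t10.0.1.11\t445\tsmb
1700000061.0\t10.0.5.23\t10.0.1.12\t3389\tssl
1700000095.2\t10.0.5.23\t10.0.1.13\t445\tsmb
1700000140.9\t10.0.5.23\t10.0.1.14\t5985\thttp
1700000230.5\t10.0.5.23\t10.0.2.5\t445\tsmb
1700000005.0\t10.0.5.40\t10.0.1.10\t445\tsmb
1700003605.0\t10.0.5.40\t10.0.1.10\t445\tsmb
1700000050.0\t10.0.5.40\t10.0.1.20\t443\tssl
"""

def parse_conn(text):
    """Yield (ts, orig_h, resp_h, resp_p) for admin-port connections only."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port, _svc = line.split("\t")
        if int(port) in ADMIN_PORTS:
            yield float(ts), orig, resp, int(port)

def admin_fanout(text, window_s=600, min_hosts=5):
    """Return {orig_h: peak distinct admin-port targets within any window_s seconds}
    for sources that reach at least min_hosts distinct hosts in one window."""
    by_src = defaultdict(list)
    for ts, orig, resp, _port in parse_conn(text):
        by_src[orig].append((ts, resp))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # Sliding window: distinct targets contacted between start and start + window_s
            targets = {r for t, r in events[i:] if t - start <= window_s}
            peak = max(peak, len(targets))
        if peak >= min_hosts:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for src, n in admin_fanout(SAMPLE_CONN).items():
        print(f"{src}: {n} distinct admin-port targets in 10 min; check for PsExec/WMI/RDP spread")
```

Correlate a flagged source with the journal and backup-platform signals from the same window before acting; a jump host or patch server will also fan out and needs to be in your baseline.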

Containment tracking worksheet (operator discipline)

printf "time,host_or_account,signal,containment_action,owner,status\n" > ransomware-containment.csv
printf "system,backup_status,last_restore_test,priority,recovery_owner\n" > recovery-priority.csv

$ why: During high-pressure incidents, clear tracking of containment and recovery priorities reduces confusion and repeated mistakes.

triage-questions

  • ?Is there evidence of pre-impact staging — credential abuse, lateral movement, backup targeting, or outbound data transfer — that predates the most visible event?
  • ?Which systems and accounts need to be isolated first to limit further spread while keeping critical services available?
  • ?Are backups intact, recent, and confirmed restorable for the systems most likely to be impacted?
  • ?What logs and forensic artifacts need to be preserved before broad containment changes overwrite or destroy them?
  • ?What detection gap allowed the operation to progress this far — and what's the fastest way to close it during the active response?

defender-actions.checklist

  • $Protect and test backups regularly (including real restore exercises).
  • $Detect and respond to pre-impact behaviors, not only encryption events.
  • $Restrict admin paths and segment critical systems to limit spread.
  • $Monitor security-control and backup tampering actions.
  • $Practice ransomware/extortion response playbooks with technical and leadership teams.

study-workflow

  1. Learn what normal behavior looks like for this area (auth, exposure, config, or internal traffic).
  2. Identify the logs and telemetry that should show the behavior.
  3. Practice one safe validation in a lab or authorized environment.
  4. Write a short playbook for detection, triage, and response.
  5. Review the related tool guides under /learning/tools.