24/7 Qilin Ransomware Incident Response Services

24/7 Emergency Hotline: 1 (833) 562-5273

If encryption or extortion pressure is active: containment decisions in the first hour often determine whether this stays limited or becomes a full business outage. Lockard Security can help with rapid containment, forensics, and recovery while preserving evidence needed for cyber insurance, legal counsel, and regulators.

This page is a defender-focused guide to Qilin-style ransomware response—high-level TTPs, realistic timelines, MITRE-mapped behaviors, and practical scoping/containment steps. We keep the guidance operational and safe (not “how to hack”). If you’re actively impacted, do not go it alone—containment mistakes can destroy evidence, increase downtime, or leave persistence behind.

Related Incident Response And Ransomware Resources

This is a curated hub for the pages most commonly used during ransomware response. Deeper links also appear inside sections where they matter.

  • Incident response services
  • Ransomware response hub and related groups
Need help fast? If encryption or extortion pressure is active, call the hotline. If you are still in the early stages, we can help confirm scope, contain access paths, and prevent encryption entirely.
External references (authoritative): CISA StopRansomware and NIST SP 800-61 Incident Handling Guide.

Important Disclaimer And Safe-Use Notice

Defender-focused guidance only: This page is written to help defenders recognize behaviors, preserve evidence, and make safer containment decisions. It does not provide instructions for building, delivering, or operating malware, exploiting systems, or bypassing security controls.

Every environment is different. Response actions can have unintended consequences. Following generalized guidance without qualified support can increase downtime, destroy evidence needed for insurance or legal, or leave persistence in place. If you are actively impacted, we strongly recommend engaging professional incident response.

What Qilin-Style Ransomware Response Means

“Qilin” (also tracked as Agenda) is a ransomware-as-a-service operation: the core group supplies the encryptor and leak site, affiliates run the intrusions, and encryptors exist for both Windows hosts and VMware ESXi. In real-world response, the most reliable approach is to focus on intrusion behaviors and repeatable phases, because tooling, infrastructure, and payload details change quickly from one affiliate to the next. Your response goal is to: contain access paths, build a defensible timeline, remove persistence, and recover safely without triggering re-encryption or losing evidence.

Qilin logo (for identification)
Identification artifacts (logos, notes, “brand names”) can help triage—but response decisions should be driven by behaviors, scope, and confirmed access paths.

Executive reality: why this becomes expensive

Modern ransomware is typically intrusion + data theft + extortion + encryption. Even if you restore systems, data exposure risk may remain, and attackers may retain access if the entry path is not closed. The cost often comes from downtime, investigation scope, legal/insurance workflows, and trust repair.

Defender reality: what wins incidents

Fast containment of identity and remote access, disciplined evidence preservation, and a timeline built from identity + endpoint + network telemetry. The earlier you disrupt privilege escalation and lateral movement, the lower the blast radius.

First Hour Actions (What To Do, What Not To Do)

The first hour is where organizations either contain the event cleanly—or accidentally expand downtime and destroy key evidence. Below is a defender-safe checklist used to stabilize incidents.

What to do (stabilize and preserve)

  • Start an incident log: timestamps, who did what, and why (critical for insurance/legal).
  • Preserve evidence first: keep copies of ransom note(s), a few encrypted samples, and earliest alert timestamps.
  • Contain access paths: focus on identity (IdP sessions), remote access (VPN/RDP), and admin tooling.
  • Protect backups and virtualization: restrict access immediately; monitor for deletion/tampering attempts.
  • Coordinate changes: reduce “random clicking” that breaks the timeline.

What NOT to do (common mistakes)

  • Don’t wipe systems first: you’ll destroy the trail that proves entry point and scope.
  • Don’t globally reset everything blindly: it can break services, increase downtime, and still miss persistence.
  • Don’t re-enable compromised remote access: attackers often return through the same path.
  • Don’t restore before scoping: restoring into an environment with active access can cause re-encryption.
  • Don’t negotiate from compromised systems: keep comms isolated and controlled.
Professional help matters: You can follow a recipe and still ruin the cake. Incident response has unintended consequences. If you want the outcome a seasoned IR team produces—faster containment, cleaner evidence, safer recovery—bring in responders early.

Typical Qilin-Style Attack Chain (Defender View)

The exact tools vary by affiliate and campaign. The sequence below is intentionally written at a defender’s operational level—what you can observe, where to look, and how phases connect.

Phase 1: Initial access

Commonly: stolen credentials, exposed remote services, phishing-led credential capture, third-party access, or exploitation of internet-facing applications. Defender focus: identify the first confirmed access timestamp, source IP / device, and the account or service used.

Phase 2: Privilege and foothold strengthening

Privilege changes, new admin roles, persistence mechanisms, and credential/token reuse. Defender focus: correlate identity logs with endpoint telemetry and unusual admin actions.

Phase 3: Discovery and lateral movement

Rapid enumeration of hosts, file shares, virtualization, backup infrastructure, and high-value data stores. Defender focus: bursts of authentication across many hosts, remote execution at scale, and abnormal admin tooling patterns.

Phase 4: Data staging and extortion prep

Compression bursts, bulk file operations, abnormal outbound transfers, and unusual cloud storage usage. Defender focus: large egress events + staging indicators near privileged sessions.

Phase 5: Impact

Encryption deployment, policy tampering, backup access attacks, and ransom note delivery. Defender focus: stop spread, isolate segments, preserve early impacted hosts for imaging and timeline reconstruction.

Phase 6: Negotiation and pressure

Extortion communications, proof-of-data claims, pressure deadlines, and sometimes additional disruption. Defender focus: validate claims from evidence; manage communications and decision workflows safely.

Related deep dives that commonly apply in ransomware cases: Identity Incident Response, Cloud Incident Response, Digital Forensics & Incident Investigation.

High-Level TTPs And Behavioral Patterns (MITRE Mapped)

The most reliable response playbooks prioritize behaviors over one-off indicators. Below are common ransomware patterns defenders map to MITRE ATT&CK tactic families. Specific tools and IOCs change fast. Behaviors persist.

Initial access and execution

Watch for unusual remote logins, suspicious authentication sequences, and administrative execution outside normal change windows. Focus on newly observed remote access paths, “first-seen” devices, and unexpected interactive logins by service accounts.

MITRE mapping: Initial Access (T1078 Valid Accounts, T1133 External Remote Services, T1190 Exploit Public-Facing Application); Execution (T1059 Command and Scripting Interpreter)

  • New remote access sessions from unfamiliar device fingerprints
  • Abnormal authentication sequences (impossible travel, MFA anomalies)
  • Admin tooling execution on endpoints that normally never run admin workflows

Persistence and privilege escalation

Ransomware operators need reliable access and elevated control before impact. Hunt for “privilege shifts” and “new persistence,” not single hashes.

MITRE mapping: Persistence (T1053 Scheduled Task/Job, T1543 Create or Modify System Process, T1098 Account Manipulation); Privilege Escalation (T1078 Valid Accounts, T1098 Account Manipulation)

  • New privileged group memberships / role assignments (including cloud roles)
  • New scheduled execution patterns, services, or remote management configurations
  • Policy drift: MFA/Conditional Access/EDR exclusions or agent tamper changes

Credential access and discovery

Credential access is the bridge from “one system” to “enterprise-wide.” Discovery identifies AD, backups, hypervisors, shares, and sensitive data stores.

MITRE mapping: Credential Access (T1003 OS Credential Dumping, T1110 Brute Force); Discovery (T1087 Account Discovery, T1018 Remote System Discovery, T1135 Network Share Discovery)

  • Suspicious authentication to domain controllers and identity infrastructure
  • Rapid directory and share discovery patterns from non-admin endpoints
  • Service account anomalies: interactive logins or new usage paths

Lateral movement and command & control

Lateral movement shows up as bursts: remote execution at scale, new remote service creation, and “admin auth spray” across many hosts. C2 blends into normal encrypted traffic—correlation matters.

MITRE mapping: Lateral Movement (T1021 Remote Services, T1570 Lateral Tool Transfer); Command and Control (T1071 Application Layer Protocol, T1219 Remote Access Software)

  • Remote execution patterns at scale (host-to-host bursts)
  • Unusual admin authentication to many servers in a short window
  • New outbound destinations, new geographies, or new “always-on” beacons
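The fan-out pattern above can be detected from logon telemetry alone, before any malware sample exists. The following Python is an added example written for this page (not Lockard's tooling and not code from the original): it slides a ten-minute window over constructed Windows 4624-style logon rows, flags any account/source pair that reaches five or more distinct hosts, and separately lists service-account interactive logons, the identity indicator this page calls out elsewhere. The row format, the svc_ naming convention, and the SCAN01 allowlist entry are assumptions.

```python
"""Hunt for authentication fan-out and service-account interactive logons.

Added example for this page, not code from the original. The input is a
constructed, simplified rendering of Windows Security event 4624 fields
(timestamp, account, source workstation, target host, logon type); in
practice these rows come from a SIEM or EDR export.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Logon types seen in host-to-host movement: 3 = network, 10 = RDP.
LATERAL_LOGON_TYPES = {3, 10}
# Logon types that mean a human-style session: 2 = interactive, 10 = RDP,
# 11 = cached interactive. Service accounts should not produce these.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    account: str
    src: str          # workstation the session originated from
    dst: str          # host that recorded the 4624
    logon_type: int


# Constructed sample (not real telemetry). svc_backup fans out to six servers
# in about two minutes from a workstation; jdoe is a normal admin pattern;
# svc_scan is a known vulnerability scanner that legitimately fans out.
SAMPLE_LOGONS = r"""
2025-03-02T01:11:30Z,CORP\svc_backup,WKS-0419,SRV-FILE01,10
2025-03-02T01:12:04Z,CORP\svc_backup,WKS-0419,SRV-FILE01,3
2025-03-02T01:12:09Z,CORP\svc_backup,WKS-0419,SRV-FILE02,3
2025-03-02T01:12:15Z,CORP\svc_backup,WKS-0419,SRV-SQL01,3
2025-03-02T01:12:31Z,CORP\svc_backup,WKS-0419,SRV-BKP01,3
2025-03-02T01:13:02Z,CORP\svc_backup,WKS-0419,SRV-HV01,3
2025-03-02T01:13:40Z,CORP\svc_backup,WKS-0419,SRV-DC01,3
2025-03-02T01:00:00Z,CORP\jdoe,JUMP01,SRV-FILE01,10
2025-03-02T01:25:00Z,CORP\jdoe,JUMP01,SRV-SQL01,10
2025-03-02T01:55:00Z,CORP\jdoe,JUMP01,SRV-HV01,10
2025-03-02T01:10:00Z,CORP\svc_scan,SCAN01,SRV-FILE01,3
2025-03-02T01:10:05Z,CORP\svc_scan,SCAN01,SRV-FILE02,3
2025-03-02T01:10:10Z,CORP\svc_scan,SCAN01,SRV-SQL01,3
2025-03-02T01:10:15Z,CORP\svc_scan,SCAN01,SRV-BKP01,3
2025-03-02T01:10:20Z,CORP\svc_scan,SCAN01,SRV-HV01,3
2025-03-02T01:10:25Z,CORP\svc_scan,SCAN01,SRV-DC01,3
"""


def parse_logons(text):
    events = []
    for line in text.strip().splitlines():
        ts, account, src, dst, logon_type = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LogonEvent(when, account, src, dst, int(logon_type)))
    return sorted(events, key=lambda e: e.ts)


def find_fanout(events, window=timedelta(minutes=10), threshold=5, allowlist=frozenset()):
    """Flag (account, source) pairs that reach >= threshold distinct hosts
    inside a sliding window. allowlist holds sources that fan out by design
    (scanners, backup servers); review it, do not grow it casually."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in events:
        if ev.logon_type not in LATERAL_LOGON_TYPES or ev.src in allowlist:
            continue
        key = (ev.account, ev.src)
        q = recent[key]
        q.append(ev)
        while ev.ts - q[0].ts > window:       # drop events older than the window
            q.popleft()
        hosts = {e.dst for e in q}
        if len(hosts) >= threshold:
            alert = alerts.setdefault(key, {"account": ev.account, "source": ev.src,
                                            "first_seen": q[0].ts, "hosts": set()})
            alert["hosts"] |= hosts
            alert["last_seen"] = ev.ts
    return list(alerts.values())


def service_account_interactive(events, prefix="svc_"):
    """Service accounts (naming convention assumed: prefix svc_) should never
    log on interactively; any such logon is a scoping lead on its own."""
    return [e for e in events
            if e.account.split("\\")[-1].lower().startswith(prefix)
            and e.logon_type in INTERACTIVE_LOGON_TYPES]


if __name__ == "__main__":
    logons = parse_logons(SAMPLE_LOGONS)
    for a in find_fanout(logons, allowlist={"SCAN01"}):
        print(f"FAN-OUT {a['account']} from {a['source']}: {len(a['hosts'])} hosts "
              f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
    for e in service_account_interactive(logons):
        print(f"INTERACTIVE {e.account} -> {e.dst} (type {e.logon_type}) at {e.ts:%H:%M:%S}")
```

The threshold and window are starting points, not truth: baseline them against a quiet week of your own 4624 volume, and keep the allowlist short and documented, because a compromised scanner or backup server is exactly the kind of source an intruder prefers to fan out from.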

Defense evasion

Many ransomware intrusions include attempts to reduce visibility: logging changes, EDR exclusions, tampering, or disabling security services. These are often high-confidence early warnings.

MITRE mapping: Defense Evasion (T1562.001 Disable or Modify Tools, T1562.002 Disable Windows Event Logging, T1070 Indicator Removal)

  • Security tooling policy changes you didn’t authorize
  • Agent health drops correlated with privileged sessions
  • Log retention/config changes or sudden gaps in telemetry

Exfiltration and impact

Extortion cases often include staging and egress before encryption. Impact includes encryption deployment plus actions that disrupt recovery (backup targeting, virtualization disruption, mass file operations).

MITRE mapping: Exfiltration (T1567 Exfiltration Over Web Service, T1048 Exfiltration Over Alternative Protocol); Impact (T1486 Data Encrypted for Impact, T1490 Inhibit System Recovery)

  • Compression bursts + bulk file operations near privileged sessions
  • Abnormal outbound transfers to new endpoints or storage services
  • Signs of recovery destruction: backup access attempts, unusual admin changes
Defender guidance: If you only hunt for malware hashes, you often lose. If you hunt for privilege shifts, remote execution at scale, backup access, and data staging, you win earlier.

Redacted But Realistic Incident Timeline Examples

These examples are redacted and generalized to show how events typically unfold. The goal is to help defenders recognize “where they are” in the intrusion lifecycle and choose the safest next actions.

Timeline A: “Fast mover” (hours to impact)

T+00:00 suspicious remote login + immediate privileged activity.
T+00:30 bursts of authentication to multiple servers; remote execution artifacts appear.
T+01:30 backup/virtualization access attempts; security tooling policy drift.
T+03:00 mass file operations begin; encryption deployment observed on shares.
T+04:00 extortion note delivered; negotiation pressure begins.

Defender win condition: stop identity sessions and remote execution before the “burst” becomes enterprise-wide.

Timeline B: “Slow burn” (days to impact)

Day 1 initial access and low-noise discovery on a subset of systems.
Day 2–3 privilege escalation + persistence + service account abuse patterns.
Day 4 data staging indicators; compression bursts; abnormal outbound transfers.
Day 5 recovery destruction prep (backup targeting, hypervisor interest).
Day 6 coordinated encryption event + extortion communications.

Defender win condition: catch the privilege/persistence phase—before staging and recovery destruction.

Practical scoping shortcut: start from the earliest confirmed malicious timestamp, then build forward: identity → endpoint execution → lateral movement → staging/egress → impact. Normalize every source to UTC before you sort; a VPN appliance or edge device logging in local time without a zone will otherwise shift an entire phase by hours and make the order look wrong. Most “mystery” disappears when you correlate in that order.
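The correlation order above, applied to three constructed telemetry samples, as an added example (not code from the original page): it normalizes an IdP export, VPN syslog and an EDR process export to UTC, sorts them into one timeline, tags each event with a phase, and reports the first sighting per phase and the time from earliest confirmed access to first impact. Field names, the keyword heuristics used for phase tagging, and the appliance time zone are assumptions. Running the same code with the VPN zone wrong shows how a five-hour error distorts the timeline.

```python
"""Merge identity, remote-access and endpoint telemetry into one UTC timeline.

Added example, not code from the original page. The three inputs are
constructed samples in the shapes these sources commonly produce: IdP
events as JSON lines with an ISO-8601 offset, VPN syslog with no year and
no zone, and an EDR process export with epoch milliseconds. Field names
and the appliance time zone are assumptions.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime       # always timezone-aware UTC after parsing
    source: str        # idp | vpn | edr
    phase: str         # identity | endpoint | lateral | staging | impact
    subject: str       # account, or "host (user)"
    detail: str


# Constructed IdP sign-in export (JSON lines). The offset is explicit.
IDP_JSONL = """
{"time": "2025-03-01T20:02:11-05:00", "user": "jdoe@corp.example", "event": "user.session.start", "new_device": true}
{"time": "2025-03-01T20:04:40-05:00", "user": "jdoe@corp.example", "event": "role.assign", "detail": "Global Administrator"}
"""

# Constructed VPN syslog. BSD syslog carries no year and no zone; both must
# be supplied by the analyst (assumption here: appliance clock is US Eastern).
VPN_SYSLOG = """
Mar  1 20:01:58 vpn-edge1 sslvpn: login ok user=jdoe src=203.0.113.77 tunnel=10.20.5.14
Mar  1 20:09:30 vpn-edge1 sslvpn: login ok user=svc_backup src=203.0.113.77 tunnel=10.20.5.19
"""

# Constructed EDR process-creation export: epoch_ms,host,user,command_line
EDR_CSV = r"""
1740877960000,SRV-FILE01,CORP\svc_backup,C:\Windows\PSEXESVC.exe
1740883200000,SRV-FILE01,CORP\svc_backup,7z.exe a -v2g D:\tmp\fin.7z \\SRV-FILE01\Finance
1740884712000,SRV-FILE01,CORP\svc_backup,vssadmin delete shadows /all /quiet
"""

# Keyword heuristics for phase tagging (an assumption for this example; a
# real playbook would key off EDR rule names). The ordering logic is the same.
IMPACT_MARKERS = ("vssadmin", "wmic shadowcopy", "bcdedit", "wbadmin")
STAGING_MARKERS = ("7z", "rar.exe", "winrar", "zip")
LATERAL_MARKERS = ("psexesvc", "psexec", "wmic /node", "winrs", "wsmprovhost")


def classify_cmdline(cmd):
    c = cmd.lower()
    if any(m in c for m in IMPACT_MARKERS):
        return "impact"
    if any(m in c for m in STAGING_MARKERS):
        return "staging"
    if any(m in c for m in LATERAL_MARKERS):
        return "lateral"
    return "endpoint"


def parse_idp(jsonl):
    events = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["time"]).astimezone(timezone.utc)
        detail = rec["event"] + (f" {rec['detail']}" if "detail" in rec else "")
        events.append(Event(ts, "idp", "identity", rec["user"], detail))
    return events


def parse_vpn(syslog, year, appliance_tz):
    events = []
    for line in syslog.strip().splitlines():
        parts = line.split()
        naive = datetime.strptime(" ".join(parts[:3]), "%b %d %H:%M:%S").replace(year=year)
        ts = naive.replace(tzinfo=appliance_tz).astimezone(timezone.utc)
        kv = dict(p.split("=", 1) for p in parts if "=" in p)
        events.append(Event(ts, "vpn", "identity", kv["user"], f"vpn login src={kv['src']}"))
    return events


def parse_edr(csv_text):
    events = []
    for line in csv_text.strip().splitlines():
        epoch_ms, host, user, cmd = line.split(",", 3)
        ts = datetime.fromtimestamp(int(epoch_ms) / 1000, tz=timezone.utc)
        events.append(Event(ts, "edr", classify_cmdline(cmd), f"{host} ({user})", cmd))
    return events


def build_timeline(*streams):
    return sorted((e for stream in streams for e in stream), key=lambda e: e.ts)


def scope_from(timeline, earliest_confirmed):
    """Events at/after the earliest confirmed malicious timestamp, the first
    sighting of each phase, and time from that timestamp to first impact."""
    in_scope = [e for e in timeline if e.ts >= earliest_confirmed]
    first_seen = {}
    for e in in_scope:
        first_seen.setdefault(e.phase, e.ts)
    tti = first_seen["impact"] - earliest_confirmed if "impact" in first_seen else None
    return in_scope, first_seen, tti


def run_example(year=2025, appliance_offset_hours=-5):
    tz = timezone(timedelta(hours=appliance_offset_hours))
    tl = build_timeline(parse_idp(IDP_JSONL), parse_vpn(VPN_SYSLOG, year, tz), parse_edr(EDR_CSV))
    _, first_seen, tti = scope_from(tl, tl[0].ts)   # earliest event is the confirmed VPN login
    return tl, first_seen, tti


if __name__ == "__main__":
    tl, first_seen, tti = run_example()
    for e in tl:
        print(f"{e.ts:%Y-%m-%d %H:%M:%S}Z {e.source:<3} {e.phase:<8} {e.subject}: {e.detail}")
    print("time to impact:", tti)
```

In the sample the whole chain, first VPN login to shadow-copy deletion, spans just over two hours, which is the "fast mover" timeline above. With the appliance zone mis-read as UTC the VPN login appears five hours earlier than it happened, so the intrusion looks longer and the remote-access logs appear to predate the identity events by hours instead of seconds.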

High-Signal Indicators (Behavioral + Select Technical)

The most durable indicators are behavioral. Some technical indicators can help, but they age out quickly. Use the list below to guide triage and hunting, and use case-specific evidence (notes, samples, alerts) to refine.

Identity indicators

  • New privileged role assignments or group membership changes
  • New MFA enrollment patterns or Conditional Access changes
  • Service accounts showing interactive login behavior
  • Session/token anomalies (sudden device changes, risky sign-ins, impossible travel)

Endpoint / server indicators

  • Remote execution bursts and scheduled execution at scale
  • Security control tampering (agent health drops, exclusions, policy drift)
  • Large-scale share enumeration and mass file modifications
  • New services/tasks consistent with enterprise-wide deployment behavior

Network indicators

  • New outbound destinations not previously seen in your environment
  • Large outbound transfers correlated with compression/staging signals
  • Admin host “fan-out” authentication to many servers in short windows
  • Unusual traffic touching backup, hypervisor, storage management planes

Technical indicators (use carefully)

Technical IOCs can be useful but are often campaign-specific. If you have a ransom note or samples, we can extract reliable indicators quickly.

  • Ransom note naming conventions and placement patterns
  • Encrypted extension patterns (if present) and file operation sequences
  • Known “impact prep” commands found in logs (hunt, don’t run)
What to preserve right now: earliest alert timestamps, ransom note (if present), a few encrypted samples, and the logs that prove initial access (IdP/VPN/edge/web) before retention rolls over.

How Qilin Commonly Gains Initial Access

We intentionally avoid “how to exploit” instructions. For defenders, what matters is where to look, what to harden, and how to confirm the entry path with evidence. Qilin-style intrusions (like many ransomware operations) frequently originate from a small set of enterprise weaknesses.

Most common initial access categories

  • Valid accounts: stolen credentials, password reuse, session/token theft, MFA weaknesses
  • Exposed remote services: VPN gateways, RDP exposure, remote admin interfaces
  • Internet-facing apps: unpatched edge devices and public applications
  • Third-party access: vendor VPN, MSP tools, unmanaged service accounts

Defender action: how to confirm (without guessing)

  • Identify earliest confirmed suspicious login, then trace lateral movement forward
  • Audit privileged role assignment changes and “first seen” devices
  • Review VPN/edge logs for new or unusual auth patterns
  • Check patch status and exploit telemetry on internet-facing systems

If you suspect an exploit path, preserve web/app logs and edge device logs immediately—retention is often short and is frequently the difference between “known entry point” and “uncertain.”

Payloads And Post-Exploitation Capabilities (High Level)

Ransomware intrusions typically involve multiple payload types across phases. You don’t need “exact binaries” to defend—watch for the capabilities and where they appear in your environment.

Common capability buckets

  • Remote admin & execution: used for enterprise-wide tasking and deployment behaviors
  • Credential access helpers: enable movement from one system to many
  • Discovery & mapping tooling: identifies AD, shares, backups, hypervisors, and sensitive data stores
  • Staging & transfer tooling: compression + outbound transfer patterns
  • Impact tooling: encryption deployment + recovery disruption patterns

Defender focus: where these show up

  • “Admin tooling” appearing on endpoints that typically never run admin tasks
  • Remote execution artifacts on servers outside change windows
  • Unusual access to backup consoles, hypervisors, storage controllers
  • Large file operations and compression bursts prior to impact

Forensics And Scoping Approach (What We Collect)

Effective Qilin ransomware response requires proof. The objective is to build a defensible timeline, confirm entry points, identify persistence, determine affected systems, and assess possible data exposure.

What we scope first

Identity events, DC activity, privileged account changes, remote execution evidence, backup access, and signs of staging or exfiltration.

  • IdP sign-in logs, risky sign-ins, role changes, session revocations
  • EDR telemetry for first execution and lateral movement signals
  • VPN/edge logs and any internet-facing application logs
  • Backup/hypervisor audit trails and admin console access events

What we deliver

A clear intrusion timeline, identified entry points and persistence, impacted asset list, evidence set for insurance and legal, and a prioritized remediation roadmap.

  • Defensible timeline (who/what/when/where), with supporting artifacts
  • Impact scope: encrypted systems, lateral spread, privileged compromise
  • Exposure scope: credible assessment of data staging / exfil risk
  • Recovery plan designed to prevent re-encryption

For deeper forensics work, see: Digital Forensics and Incident Investigation.

Recovery And Post-Incident Hardening

Recovery is not just restoring servers. It is restoring trust in identities, systems, backups, and security controls. If an organization is impacted by ransomware, something in the security stack is missing, misconfigured, or ineffective. This is the moment to fix root causes.

Safe recovery steps

Validate backups, restore in a controlled order, rotate credentials, remove persistence, confirm systems are clean, and verify that attackers no longer have access before reconnecting environments.

  • Restore only after entry paths and persistence are closed
  • Prioritize identity and privileged account cleanup
  • Harden remote access and admin pathways before broad reconnect
  • Validate monitoring before declaring “back to normal”

Hardening priorities

Improve identity controls, deploy or strengthen EDR, centralize logs into a SIEM, implement vulnerability management, reduce standing admin access, and segment critical infrastructure.

  • MFA everywhere + phishing-resistant methods for privileged roles
  • EDR tamper protection + removal of risky exclusions
  • Backup immutability + separate credentials + tested restore drills
  • Patch cadence focused on edge, VPN, and public applications
Long-term fix: most organizations benefit from 24/7 SOC and MDR coverage with modern tooling. If you want help building a resilient stack, we can recommend and implement improvements across EDR, SIEM, IAM, and vulnerability management.

Related service pages: Identity Incident Response, Cloud Incident Response, Malware Response and Removal.

Industries Commonly Impacted By Ransomware Like Qilin

Ransomware impacts organizations across many sectors. We regularly support mixed environments including on-premises, cloud, SaaS, and hybrid networks. Commonly affected industries include:

Operationally complex environments

  • Transportation, freight, carriers, and logistics operations
  • Manufacturing and industrial organizations
  • Agriculture, large farms, and wineries
  • Automotive dealerships and repair services

Data-heavy and regulated environments

  • Healthcare and professional services
  • Retail and ecommerce businesses
  • MSPs and IT service providers
  • State and local government and regulated organizations

The common thread is not industry—it’s exposure: identity gaps, remote access risk, patching weaknesses, weak segmentation, and unprotected backups.

Qilin Ransomware Response FAQ

Should we pay the ransom?

Payment decisions involve legal, insurance, and business risk. Technically, paying does not guarantee full decryption or that stolen data won’t be reused. Our role is to help you contain the incident, confirm scope, recover safely, and support leadership with defensible facts for decision-making.

What evidence should we preserve first?

Preserve a small evidence set: earliest alert timestamps, ransom note (if present), and a few encrypted samples. Preserve identity logs, VPN/edge logs, EDR telemetry, and backup/virtualization audit trails before retention rolls over.

We see commands attempting to delete shadow copies—what does that mean?

Many ransomware operators attempt to weaken recovery by deleting shadow copies or disabling recovery options (MITRE ATT&CK T1490, Inhibit System Recovery). These commands typically run minutes or seconds before encryption starts, so treat them as high-severity and focus on immediate containment. Preserve telemetry (the process-creation event with parent process, account, and host is the key artifact) and isolate impacted systems where safe to do so. Commands commonly seen:

vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} recoveryenabled no
bcdedit /set {default} bootstatuspolicy ignoreallfailures
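The commands above are worth hunting for in process-creation telemetry, not typing anywhere. This Python is an added example for this page (not the original's or any vendor's tooling) that matches them, plus the wbadmin and WMI/PowerShell variants, in constructed Sysmon/4688-style records, groups hits per host, and grades a host high when two or more distinct techniques appear within ten minutes. The host names, accounts and the backup_agent.exe parent are invented for illustration.

```python
"""Hunt process-creation telemetry for recovery-inhibition commands.

Added example, not code from the original page. Input lines are a
constructed key=value rendering of process-creation events (the fields
Sysmon Event ID 1 or Security 4688 provide); host names, users and the
backup_agent.exe parent are made up. Nothing here executes the commands.
"""
import re
from datetime import datetime, timedelta, timezone

# Each rule maps a regex over the normalized command line to a technique
# label. Several commands share a label so that the vssadmin, wmic and WMI
# ways of deleting shadow copies are counted as one technique, not three.
RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("shadow_copy_delete", re.compile(r"\bwin32_shadowcopy\b.*\b(?:delete|remove-wmiobject|remove-ciminstance)\b", re.I)),
    ("shadow_storage_resize", re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_status_ignored", re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I)),
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample. SRV-FILE01 shows the classic pre-encryption burst;
# SRV-BKP01 shows the common false positive (a backup agent trimming shadow
# storage); WKS-0077 shows the WMI/PowerShell variant; the 'list' command on
# SRV-FILE01 is benign and must not match.
SAMPLE_EVENTS = r"""
2025-03-02T02:00:00Z host=SRV-BKP01 user="NT AUTHORITY\SYSTEM" parent=backup_agent.exe cmdline="vssadmin resize shadowstorage /for=D: /on=D: /maxsize=20%"
2025-03-02T02:30:00Z host=SRV-FILE01 user=CORP\jdoe parent=cmd.exe cmdline="vssadmin list shadows"
2025-03-02T03:05:12Z host=SRV-FILE01 user=CORP\svc_backup parent=cmd.exe cmdline="vssadmin delete shadows /all /quiet"
2025-03-02T03:05:13Z host=SRV-FILE01 user=CORP\svc_backup parent=cmd.exe cmdline="wmic shadowcopy delete"
2025-03-02T03:05:15Z host=SRV-FILE01 user=CORP\svc_backup parent=cmd.exe cmdline="bcdedit /set {default} recoveryenabled no"
2025-03-02T03:05:15Z host=SRV-FILE01 user=CORP\svc_backup parent=cmd.exe cmdline="bcdedit /set {default} bootstatuspolicy ignoreallfailures"
2025-03-02T03:06:00Z host=WKS-0077 user=CORP\jdoe parent=explorer.exe cmdline="powershell.exe -nop -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
2025-03-02T03:10:00Z host=SRV-FILE02 user=CORP\svc_backup parent=cmd.exe cmdline="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
"""


def normalize(cmdline):
    """Strip quoting and collapse whitespace so trivial variations do not evade the rules."""
    return " ".join(cmdline.replace('"', "").replace("'", "").split())


def match_techniques(cmdline):
    norm = normalize(cmdline)
    return {label for label, rx in RULES if rx.search(norm)}


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts_text, rest = line.split(" ", 1)
        fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(rest)}
        fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(fields)
    return events


def hunt(events, window=timedelta(minutes=10)):
    """Cluster matching events per host within `window` and grade them: two or
    more distinct techniques in one cluster is high confidence; a lone hit
    (very often shadow-storage resizing by a backup agent) is medium and needs
    the parent process and account checked before anyone acts on it."""
    hits = [(ev, match_techniques(ev["cmdline"])) for ev in events]
    hits = sorted((h for h in hits if h[1]), key=lambda h: (h[0]["host"], h[0]["ts"]))
    findings = []
    for ev, techniques in hits:
        cur = findings[-1] if findings else None
        if not (cur and cur["host"] == ev["host"] and ev["ts"] - cur["first_seen"] <= window):
            cur = {"host": ev["host"], "first_seen": ev["ts"], "last_seen": ev["ts"],
                   "techniques": set(), "users": set(), "parents": set(), "evidence": []}
            findings.append(cur)
        cur["last_seen"] = ev["ts"]
        cur["techniques"] |= techniques
        cur["users"].add(ev["user"])
        cur["parents"].add(ev["parent"])
        cur["evidence"].append(ev["cmdline"])
    for f in findings:
        f["severity"] = "high" if len(f["techniques"]) >= 2 else "medium"
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"{f['severity'].upper():<6} {f['host']} {f['first_seen']:%H:%M:%S}-{f['last_seen']:%H:%M:%S} "
              f"{sorted(f['techniques'])} by {sorted(f['users'])} via {sorted(f['parents'])}")
```

Run this against the process-creation export from the earliest impacted hosts and work backwards from the first high finding: the account and parent process on that record usually point straight at the lateral-movement session that delivered it, which is the evidence the timeline needs.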

How fast can you help?

If you’re actively encrypting or under extortion pressure, call the hotline. We can guide containment immediately while starting evidence preservation and timeline building.

24/7 Qilin Ransomware Incident Response Help

If you are facing Qilin ransomware encryption, data extortion, or you suspect an active intrusion leading to ransomware, contact us immediately. The faster we contain, the less downtime and cost you typically absorb.

If you are still in the “suspicious activity” stage, we can help validate whether you are seeing pre-ransomware behavior and prevent encryption entirely.