Share on:

Ransomware attacks are increasingly targeting small and mid-sized organizations, and they often start with many indicators that can be missed by small teams that lack the resources to detect and respond to them in a timely manner. 

For example, in recent Microsoft Exchange attacks involving four new vulnerabilities, attackers were able to gain a foothold in targeted environments and maintain persistent access for many months before initial detection.

Reducing your organization’s time to detection and time to remediation are key metrics of success for CISOs (Chief Information Security Officers), CIOs (Chief Information Officers) and VPs or Directors of Information Technology (IT). Tracking your improvements in these areas are top of mind for executive and board members as indicators of more efficient and effective security operations.

Want to learn more? Join our 20-minute Security How To: Stop a Ransomware Attack on April 29 at 1pm ET for a quick overview of how to detect and respond to attacks.

But what are the different stages of a multi-stage, targeted ransomware attack, and how can you monitor attacker behavior patterns, identify activity that leads up to a data breach, and alert your team to take action quickly? 

Stages of ransomware We break down each stage below, with examples of attacker behavior you should detect in order to disrupt the ransomware kill chain:


In this stage, an attacker uses different techniques to gain knowledge about your system and network. They explore what they can either control or exploit in your environment to achieve their objectives.

Example Detection

Reconnaissance Scanning From a Known Threat: If you detect an internal or external source attempting to scan your network to perform reconnaissance or discovery based on firewall traffic anomalies, this might be an indication that an external attacker is attempting to determine which of your hosts are vulnerable.

Gain Foothold

Attackers gain initial entry by using hacker tools, phishing, brute-force attempts (including password spraying) to steal usernames and passwords, then log in to your systems remotely.

Example Detection

Authentication Attempt from Unlikely Location: An authentication attempt by one user originating from two different locations within a certain time period could indicate an attacker has stolen their credentials and is attempting to access your systems.

Escalate Privileges

Once inside, an attacker might seek to elevate their permissions or create new domain or administrator accounts via Active Directory in order to move around laterally, getting access to sensitive data or other target systems.

Example Detection

Suspicious Additions to Sensitive Groups: It’s key to detect when new users are added to a privileged group on your network, since attackers may do this to access more resources and gain persistence.

Execute Files

To further assist with an attack, an attacker might execute an application that attempts to drop code (a new file or script) onto your machines, or run malicious applications (malware) within your environment. 

Example Detection

Application Dropped an Executable or Script: Detecting when an application has dropped code on an endpoint in your environment can be an indicator of a user downloading a potentially malicious script.

Exfiltrate Data

Attackers may use different techniques to steal data from your network once they’ve collected data. They may compress and encrypt data to avoid detection when sending it back to their own command and control servers.

Example Detection

500GB+ Outbound Connection via Generic Network Protocol: This can indicate a business-related connection, or potential data exfiltration by an attacker attempting to steal your data.

Deploy Ransomware

At this point, an attacker may encrypt your data on target systems across a network, locking out access to users. They typically will demand a ransom in exchange for decryption or regaining access to their data and systems.

Example Detection

Malware Application: The initial detection of malware can help you identify adware, potentially unwanted programs, commodity viruses and ransomware – it’s recommended to find the root cause of a malware infection for critical severity events.

Detect and Respond Early to Stop a Ransomware Attack in Progress

By increasing your detection time of identifying the attacker behaviors above, your IT or security team can quickly investigate and respond in time to prevent ransomware infection. By leveraging automation and pre-built rules, Blumira’s cloud SIEM helps you quickly prevent, detect and respond to attacks before they result in ransomware infection.

Here are just a few examples of how:

Discovery: Scanning is one way attackers perform reconnaissance on your network. By detecting source IPs running port scanning tools on your network, Blumira can detect and alert you to an attacker early in the stages of an attack, before ransomware infection.

Credential Access: By brute-forcing or buying stolen RDP (Remote Desktop Protocol) credentials, an attacker can gain access to infect your network with ransomware. Password spraying is another method used to gain initial access. Blumira can detect password spraying, account lockouts, RDP connections, open ports and more.

Privilege Escalation: Blumira can detect and alert you whenever administrator-level accounts are added, and provide your IT or security team with guidance on how to mitigate the risk of privilege escalation.

Take Action to Disrupt Ransomware

To see the complete list of detections Blumira can provide, check out our use case page on Ransomware Prevention and Detection. Or, get a free trial to deploy in hours and start protecting against ransomware attacks today.

Want to learn more? Watch our 30-minute Security How To: Stop a Ransomware Attack on demand for a quick overview of how to detect and respond to attacks.

Security news and stories right to your inbox!