Talos Finds Swift Response Key to Blocking Ransomware Deployment
A retrospective analysis by Cisco Talos Incident Response (Talos IR) examined a series of pre-ransomware engagements spanning from January 2023 through June 2025. These incidents shared adversary behaviors frequently seen in the lead-up to full ransomware deployment. Talos categorized incidents as "pre-ransomware" when actors were observed attempting domain-level privilege escalation, deploying remote access tools, harvesting credentials, or modifying system configurations, all without triggering encryption events. The analysis indicates that even if some of these operations were led by initial access brokers (IABs), the tactics strongly aligned with the early stages of ransomware campaigns. Talos IR maintains high confidence that these activities, even where they did not lead directly to ransomware, mirror the groundwork for ransomware deployment.
Talos IR found that swift engagement with response teams and immediate action on security alerts were the two most significant factors in disrupting the attack chain. Each accounted for 32% of pre-ransomware incidents where encryption was successfully prevented. According to Cisco Talos, “organizations’ robust security restrictions were key in impeding ransomware actors’ attack chains in nine percent of engagements. For example, in one engagement, the threat actors compromised a service account at the targeted organization, but appropriate privilege restrictions on the account prevented their attempts to access key systems like domain controllers.” Other successful mitigation factors included early warnings from U.S. government or managed service providers (14%), proactive blocking and quarantining of malicious activity (13%), and effective implementation of least privilege access and segmentation. In several cases, organizations that delayed involving Talos IR suffered data theft, tool disablement, and backup corruption, underscoring the importance of immediate escalation.
The most frequently observed techniques aligned with widely known MITRE ATT&CK patterns. Remote Services (T1021) such as RDP and PsExec, Remote Access Software (T1663) like AnyDesk and Quick Assist, and OS Credential Dumping (T1003) through LSASS and NTDS.DIT were commonly seen. Phishing (T1566) and Network Service Discovery (T1046) using tools like nltest and net view also featured prominently. Talos IR emphasized that adversaries often used these tools and techniques as preparatory steps before encryption. These patterns signal to defenders that restrictions on remote access tools, improved credential store protections, and network discovery monitoring remain critical. Additionally, Talos IR highlighted that organizations with solid event logging infrastructure, such as centralized SIEMs, were better positioned to reconstruct attack chains and implement more targeted security improvements.
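From a detection standpoint, the technique list above is a set of process-creation signatures that a SIEM can correlate per account. As an added example (not Talos's tooling or data), the following Python triages constructed Sysmon-style events against the ATT&CK techniques named here and escalates accounts showing several of them at once; the host names, users, paths and regex patterns are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (hypothetical hosts, users
# and paths), in the shape a SIEM query might return: (host, user, image, cmdline).
SAMPLE_EVENTS = [
    ("ws01", "corp\\jdoe", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp"),
    ("ws01", "corp\\jdoe", r"C:\Windows\System32\net.exe", "net view /domain"),
    ("ws01", "corp\\jdoe", r"C:\Users\jdoe\Downloads\AnyDesk.exe", "AnyDesk.exe --silent"),
    ("ws01", "corp\\jdoe", r"C:\temp\procdump64.exe", "procdump64.exe -ma lsass.exe out.dmp"),
    ("srv02", "corp\\svc_backup", r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ("dc01", "corp\\svc_backup", r"C:\Windows\System32\ntdsutil.exe",
     'ntdsutil "ac i ntds" ifm "create full C:\\temp\\x" q q'),
    ("ws03", "corp\\asmith", r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe"),
]

# One pattern per technique named in the Talos summary, matched case-insensitively
# against "<image> <command line>" (assumed patterns, not Talos's rules).
RULES = {
    "T1046 Network Service Discovery": re.compile(r"\\nltest\.exe|\\net1?\.exe .*\bview\b", re.I),
    "T1663 Remote Access Software": re.compile(r"anydesk|quickassist", re.I),
    "T1021 Remote Services (PsExec)": re.compile(r"\\psexesvc\.exe|\\psexec(64)?\.exe", re.I),
    "T1003 OS Credential Dumping": re.compile(r"procdump.*\blsass\b|\\ntdsutil\.exe.*\bifm\b", re.I),
}

def classify(image, cmdline):
    """Return the technique labels whose pattern matches this process event."""
    text = f"{image} {cmdline}"
    return {name for name, rx in RULES.items() if rx.search(text)}

def techniques_by_user(events):
    """Group (host, technique) hits per account: precursor activity usually
    spans several hosts under one compromised identity."""
    seen = defaultdict(set)
    for host, user, image, cmdline in events:
        for name in classify(image, cmdline):
            seen[user].add((host, name))
    return seen

def pre_ransomware_candidates(events, min_techniques=2):
    """Accounts showing at least min_techniques distinct precursor techniques,
    with the hosts involved, broadest activity first for immediate escalation."""
    ranked = []
    for user, hits in techniques_by_user(events).items():
        techs = sorted({name for _, name in hits})
        if len(techs) >= min_techniques:
            ranked.append((user, techs, sorted({host for host, _ in hits})))
    return sorted(ranked, key=lambda row: -len(row[1]))
```

On the constructed events, `corp\jdoe` (discovery, remote access tool, LSASS dump) ranks above `corp\svc_backup` (PsExec service plus NTDS extraction on the domain controller), while the browser launch produces no hit.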
Talos IR’s most common recommendations for strengthening defenses include keeping all systems and software fully patched, enforcing multi-factor authentication across all critical services, and deploying Sysmon for better visibility. Other key actions involve offline storage of backups, strict application control, meaningful firewall configurations, and robust network segmentation to limit lateral movement. Talos also emphasized the importance of user training, especially on emerging tactics such as MFA fatigue and token phishing. By analyzing pre-ransomware engagements and identifying effective deterrents, Talos IR’s findings provide a guide for organizations to proactively reduce risk and delay or entirely prevent ransomware deployment.