Ransomware continues to plague organizations and governments worldwide. In fact, in just the last few weeks, several major federal, state and local governments have been impacted by various ransomware operators. There are also reports of defense contractors being hit hard as well. This is in addition to reports that ransomware attacks against hospitals and health care providers increased 94% last year alone. All of this has left CISOs and other security professionals asking: “how to prevent ransomware”? While there is no silver bullet on how to prevent ransomware, we have put together 5 of the most common behaviors we have seen ransomware operators employ, to enable effective threat hunting.
Before we go over our ransomware behaviors, I wanted to let you know that all of the ransomware behaviors you’re going to see below are available for FREE as hunt packages in our HUNTER threat hunting content platform! If you would like the query, runbook, and so much more, go to https://hunter.cyborgsecurity.io click sign up and use promocode “RANSOMWARESUCKS” for your free community edition account!
When ransomware gangs compromise a system, they often employ the use of binaries native to Windows systems (Living off the Land Binaries) to investigate the system and network that they infiltrated, gain credentials, or establish persistence without raising much suspicion. This includes gathering information on the host and domain they landed on or using tools such as `schtasks` as a means of maintaining access to the system. The reason they often utilize binaries native to Windows to accomplish this is due to them appearing less conspicuous and more legitimate in comparison to custom tools, in addition to anti-virus and other endpoint protection not alerting on them.
Ransomware notes are generally dropped in common paths, including a user's desktop, so they are more visible. These notes may use image files, .txt files and/or .doc files to act as the vehicle for communication. Attackers may also leave these ransomware notes in every folder or directory they choose to encrypt. This threat focuses on these notes being dropped excessively, which potentially is indicative of ransomware activity.
Several ransomware families use this technique to stop services once sufficient privileges are obtained, often related to the security or the health of the compromised system. Analysts can look for an excessive number of services being stopped/disabled. Even if the attempts fail, it can be indicative of malware or malicious activity on the system.
For this hunt we encourage security teams to focus on actors attempting to stop multiple services utilizing 'net.exe' or 'sc.exe,' potentially rendering a system more susceptible for further attack.
Many ransomware payloads or adversaries utilize this technique to disable AV, logging, EDR, and other health-related services once sufficient privileges are obtained. Analysts can look for an excessive number of services being disabled, even if the attempts fail, as it can be indicative of malicious activity on the system. Some malware families or adversaries will also search for specific AV services that are running on the system, instead of relying on lists, and in this case, it may be noted that only a few services are disabled.
Volume Shadow Copy Service is a framework provided in Microsoft Windows operating systems to perform volume backups or for creating consistent, point-in-time copies of data (known as shadow copies). Due to the features that Volume Shadow Copies provide, such as the ability to roll back to a specific point-in-time copy of an NTFS volume, the copies are often targeted by malware. Nearly every Ransomware variant ensures destruction of Volume Shadow Copy (VSC) backups, so that the infected user cannot easily restore their encrypted files. Similarly, the Volume Shadow Copy (VSC) backups have also been observe being targeted by Wiper malware variants (such as the "Olympic Destroyer" malware, which targeted the 2018 Winter Olympics in PyeongChang, South Korea), as well as Loader malware variants (such as the H1N1 Trojan Downloader).
While ransomware continues to be the bane of many companies and governments worldwide, proactive hunting can help identify these behaviors before the adversary has a chance to carry out their objective and help CISOs answer the burning question of “how to prevent ransomware.”
Initial access brokers sell information about or access to compromised computers. Here's how to threat hunt for a known attack behavior involving PowerShell that's used by a prolific initial access broker.
In July 2025 threat actors exploited zero-day vulnerabilities in on-premises Microsoft SharePoint servers in an incident known as ToolShell. In this case study, we conduct a threat hunt for ToolShell-related activity.
Guided Threat Hunts offers a library of Pivot Queries for hundreds of hunt packages that enable your threat hunters and analysts to overcome uncertainty and boost productivity. Guided Threat Hunts is a set of packages that assists users modify their result set to decide their next step and filter out noise from extraneous results.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.