Facing Ransomware Head-On: Practical Actions for Responders

Authored by Ryan Chapman

Ransomware and cyber extortion are no longer abstract threats. Rather, they represent two of the most critical crises organizations face today. Attackers are refining their playbooks daily, often blending data theft, disruption, and direct pressure on their victim organizations along with executives, partners, vendors, suppliers, and more. The only real way to prepare is to face the problem head-on.

Below are practical insights that align with how real-world incidents unfold—steps you can take now to strengthen your investigations and response capabilities.

Use Readily Available Tools

Responders don’t need expensive licenses to start building resilience! Free and open-source tools can provide incredible visibility and response capabilities, if you know how to use them:

  • Sysmon: Augment your logging capabilities to bolster detection and response capabilities.
  • KAPE + Velociraptor: Collect and parse evidence quickly.
  • Plaso (log2timeline): Build timelines of attacker activity.
  • Elastic Stack + Timesketch: Analyze investigation data.

These free tools can help your organization detect ransomware and cyber extortion attacks sooner and respond in a timely manner.

Prepare Based on Your Visibility

Not every environment has advanced telemetry. Some teams have extended telemetry (e.g., Sysmon and/or EDR/XDR logging), while others only have the basics provided by default configurations. You need to understand your organization’s (or your clients’) environments so you can tailor your playbooks to the telemetry you actually have access to.

  • Minimal Logging: Security Event IDs such as 4624 (successful logon), 4625 (failed logon), 4688 (process creation), and 4689 (process exit) are critical to understanding the threat(s) at hand.
  • Advanced Telemetry: Using Sysmon and/or EDR/XDR, track parent-child anomalies such as Word spawning PowerShell or rundll32.exe being abused for attacks.

If you only practice one approach, you’ll be blindsided by the other!

Recognize the Early Clues of Encryption

By the time ransom notes appear, the damage is done. Responders should train to recognize signs of initial access, but at the very least they must be able to spot, and automate responses to, the first signs of encryption:

  • Deletion of shadow copies (e.g., vssadmin delete shadows /all /quiet)
  • Backup tampering (e.g., wbadmin delete catalog or bcdedit /set {default} recoveryenabled no)
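The two detection ideas above, parent-child anomalies from process-creation telemetry and command-line precursors to encryption, can be prototyped against the same process-creation records. The following Python is an added example written for this post; it is not code from the author or from FOR528. The event records are constructed to resemble Sysmon Event ID 1 / Security Event ID 4688 fields (`Image`, `ParentImage`, `CommandLine`, `User`), and the rule names, process lists and sample values are assumptions chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real logs) shaped like Sysmon EID 1 / Security EID 4688 records.
SAMPLE_EVENTS = [
    {"EventID": 4624, "User": r"CORP\jdoe"},  # logon event, not process creation: skipped
    {"EventID": 1, "User": r"CORP\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n invoice.docx'},
    {"EventID": 1, "User": r"CORP\jdoe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -File stage.ps1"},
    {"EventID": 4688, "User": r"CORP\svc-backup",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 4688, "User": r"CORP\svc-backup",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"EventID": 4688, "User": r"CORP\svc-backup",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"EventID": 4688, "User": r"CORP\admin",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},  # benign: listing, not deleting
    {"EventID": 1, "User": r"CORP\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign parent
]

# Assumed lists: Office parents that should not normally launch script hosts or LOLBins.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Encryption precursors from the post. Patterns match the arguments rather than the
# binary name so that a renamed copy of the tool with the same arguments still matches.
ENCRYPTION_PRECURSORS = [
    ("shadow_copy_deletion", re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bdelete\s+catalog\b", re.I)),
    ("recovery_disabled", re.compile(r"\brecoveryenabled\s+no\b", re.I)),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' when the field is missing)."""
    return PureWindowsPath(path).name.lower()


def is_process_creation(event: dict) -> bool:
    """Sysmon EID 1 and Security EID 4688 are the two process-creation sources here."""
    return event.get("EventID") in (1, 4688)


def check_parent_child(event: dict):
    """Flag an Office application spawning a script host or LOLBin."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        return f"office_spawn:{parent}->{child}"
    return None


def check_encryption_precursor(event: dict):
    """Flag shadow-copy deletion, backup catalog deletion, or recovery being disabled."""
    cmd = event.get("CommandLine", "")
    for rule, pattern in ENCRYPTION_PRECURSORS:
        if pattern.search(cmd):
            return rule
    return None


def triage(events):
    """Run every check over process-creation events and return the alerts in order."""
    alerts = []
    for event in events:
        if not is_process_creation(event):
            continue
        for check in (check_parent_child, check_encryption_precursor):
            rule = check(event)
            if rule:
                alerts.append({"rule": rule, "user": event.get("User"),
                               "command": event.get("CommandLine")})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert['rule']:<40} {alert['user']:<18} {alert['command']}")
```

Run against the constructed events, `triage` raises four alerts (the Word-to-PowerShell spawn and the three encryption precursors) and stays quiet on the logon event, the `vssadmin list shadows` listing, and rundll32 launched from Explorer. Feeding it real data is a matter of mapping your Sysmon or 4688 export onto the same four fields; if you only have minimal logging, enable command-line auditing for 4688, since without it the precursor checks have nothing to match on.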

Spotting these actions can buy critical response time!

Map Your Response to the Full Lifecycle of a Ransomware or Cyber Extortion Attack

Ransomware and cyber extortion are not single events—they are ongoing attack campaigns. Typical incidents include:

  1. Initial Access: Social engineering, remote access, or vulnerability exploitation
  2. Execution: Living-off-the-land attacks, attack frameworks [e.g., Cobalt Strike], vulnerable drivers, bring-your-own-tools [BYOT], or scripting
  3. Persistence: RMMs, registry mechanisms, account creations, or WMI subscriptions
  4. Privilege Escalation and Credential Access: LSASS dumping, NTDS.dit extraction, or bypassing UAC
  5. Lateral Movement: RDP, SMB [e.g., PsExec], or WinRM
  6. Active Directory Attacks: Enumeration, Kerberoasting, AS-REP Roasting, or DCSync attacks
  7. Data Access: SMB or registry artifacts
  8. Exfiltration: Data archival, data compression, cloud-based file sharing, FTP, and synchronization clients [e.g., Rclone, WinSCP, MEGASync]
  9. Encryption: Backup and recovery tampering, payload deployment, and ransom notes

Training your team to recognize each stage means you can intervene before encryption begins.

Facing Ransomware Head-On

The ransomware crisis won’t be solved by ignoring it or by negotiation strategies. Responders must practice using the same tools and artifacts they’ll find in their monitored environments. The more hands-on your preparation, the more confident your response will be when it matters.

SANS FOR528: Ransomware and Cyber Extortion is the definitive training course for professionals who need to strengthen their ransomware and cyber extortion response skills. This hands-on program teaches responders how to investigate real-world incidents, analyze attacker tactics, and build defenses across the full ransomware lifecycle. By completing FOR528, security teams gain the expertise needed to detect, contain, and recover from ransomware attacks while minimizing risk, downtime, and data loss.

Take the only course where you build, run, and break down ransomware end-to-end.

Learn more about FOR528: Ransomware and Cyber Extortion.