
Ransomware Defense: The Enterprise Playbook


Ransomware has evolved from opportunistic malware targeting consumers and small businesses into an organized criminal industry that generates billions of dollars annually by targeting large enterprises, critical infrastructure, and government agencies. The ransomware-as-a-service model, in which ransomware developers lease their malware to affiliate operators who conduct the actual intrusions in exchange for a revenue share, has dramatically lowered the barrier to entry for enterprise-targeting attacks while letting the developers concentrate on tooling and scale. Today's ransomware groups run with the division of labor of a professional business: dedicated negotiators, "customer support" staff who walk victims through payment, and technical teams who maintain the payload and the leak site. Their tradecraft is not at nation-state level, but it does not need to be; it only needs to beat the defenses of the victims they select.

Modern ransomware operations have also abandoned the "spray and pray" approach of early ransomware in favor of targeted, high-dwell-time intrusions. The typical enterprise ransomware incident in 2024 involves an initial access phase (usually via phishing, exploitation of internet-facing vulnerabilities, or purchase of stolen credentials from initial access brokers), followed by a reconnaissance and lateral movement phase lasting days to weeks, followed by data exfiltration, and finally ransomware deployment. This extended dwell time before detonation is both the primary risk factor — the attacker has weeks to steal data, establish persistence, and position for maximum impact — and the primary opportunity for defenders — behavioral detection systems have weeks of observable attacker activity to surface before the most damaging phase begins.

Initial Access Prevention: Closing the Entry Points

The initial access vectors for ransomware intrusions are well-characterized and remediable. Phishing, particularly spear phishing that targets specific employees with contextually relevant pretexts, remains the most common initial access vector, accounting for roughly 40 percent of ransomware incidents in recent analyses. Email security controls that go beyond basic spam filtering (sandboxed attachment analysis, real-time URL detonation, and impersonation detection for executive accounts) materially reduce phishing risk, though no technical control eliminates it. Security awareness training that specifically addresses phishing recognition, including simulated phishing exercises with immediate educational feedback, reduces click rates by 50 to 75 percent in well-run programs. Some fraction of users will always click, however, so the control that bounds the damage of a successful credential phish is phishing-resistant MFA (FIDO2/WebAuthn) on the identity provider: an attacker-in-the-middle phishing kit can relay a password and a one-time code, but it cannot replay an origin-bound hardware assertion.

Exploitation of internet-facing vulnerabilities is the second most common initial access vector, and the one most directly addressable through technical controls. The software categories most commonly exploited are highly consistent across ransomware groups: VPN and remote access appliances, remote management interfaces, email gateways, and managed file transfer solutions are disproportionately represented in initial access telemetry. Prompt patching of internet-facing systems, prioritized by whether a flaw is known to be exploited in the wild (the CISA Known Exploited Vulnerabilities catalog is the usual reference), combined with attack surface reduction to eliminate unnecessary exposure, addresses the majority of this risk. Where immediate patching is not feasible, often the case for appliances with restrictive maintenance windows, network-based virtual patching (compensating controls at the network layer that block known exploit traffic) provides interim protection. It is interim only: a virtual patch blocks the exploit pattern it was written for, not variants or a second bug in the same component, so it buys time until the vendor fix is applied rather than replacing it.

Credential compromise via initial access brokers is an increasingly prevalent vector that is less visible to traditional security controls. IABs acquire stolen credentials from infostealer malware operations, credential stuffing attacks, and phishing campaigns, then sell access to enterprise networks to ransomware affiliates. Monitoring dark web markets and paste sites for leaked credentials associated with your organization's email domain, a capability offered by several threat intelligence services, enables detection and remediation of compromised credentials before they are weaponized. Two details matter in the remediation. First, infostealers harvest browser session cookies and SSO tokens alongside passwords, so a password reset alone is insufficient: revoke active sessions and refresh tokens for the affected account as well, or the attacker keeps working with the stolen session. Second, MFA enforcement on every externally accessible service substantially narrows this vector, but a stolen post-authentication session bypasses MFA entirely, which is why session revocation and short token lifetimes belong in the same control.

Detection During the Pre-Detonation Phase

The pre-detonation phase — the period between initial access and ransomware deployment — is where behavioral detection provides its most critical value in ransomware defense. During this phase, attackers are conducting internal reconnaissance, harvesting credentials, moving laterally to high-value targets, establishing persistent backdoors on multiple systems, and staging data for exfiltration. Each of these activities generates behavioral signals that deviate from normal organizational patterns, and detecting them enables containment before the most damaging phase begins.

Key detection opportunities during the pre-detonation phase include:
  • Internal reconnaissance: unusual port scans, SMB share enumeration, and Active Directory object queries from non-administrative accounts.
  • Credential harvesting: LSASS memory access from non-standard processes, kerberoasting visible in Kerberos service ticket request logs (a burst of service ticket requests for many different SPNs, typically with RC4 encryption, from one account), and unusually large numbers of LDAP queries.
  • Lateral movement: accounts authenticating to systems outside their normal scope, pass-the-hash and pass-the-ticket indicators in authentication logs, and remote service creation events.
  • Persistence: unusual scheduled task creation, registry run key modifications, and new services installed on multiple systems in a short period.
  • Data staging and exfiltration: large file copies to external storage devices or cloud sync folders, unusual outbound data transfer volumes, and access to file shares outside normal patterns.

The challenge for detection teams is that many of these activities use legitimate administrative tools and protocols — a technique called "living off the land" that makes signature-based detection ineffective. Behavioral analytics that establish baselines and detect deviations are essential; a system administrator account that has never accessed more than five hosts per day accessing 200 hosts in a four-hour window is exhibiting behavior that is statistically anomalous regardless of whether a recognized hacking tool was used.
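The fan-out check in the paragraph above (an account that normally touches a handful of hosts suddenly touching many) can be expressed as a simple baseline-deviation rule. The following is an added example, not code from the original post: it runs over constructed logon records shaped like the fields of a Windows 4624 event (timestamp, account, target host, logon type), with a per-account baseline of distinct hosts per day that is assumed to have been learned from prior weeks of logs. Host names, account names and the thresholds are all made up for the illustration.

```python
"""Flag accounts that reach far more distinct hosts in a short window than their baseline allows."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logons (timestamp, account, target host, logon type).
# Day 1 is an ordinary day; on day 2 adm_jsmith fans out across 30 servers in under an hour.
SAMPLE_EVENTS = [
    ("2024-05-01T09:02:11", "adm_jsmith", "FS01", 3),
    ("2024-05-01T09:40:05", "adm_jsmith", "DC01", 3),
    ("2024-05-01T14:12:59", "adm_jsmith", "APP02", 10),
    ("2024-05-01T08:55:00", "jdoe", "WS-JDOE", 2),
    ("2024-05-01T08:57:30", "jdoe", "FS01", 3),
] + [
    (f"2024-05-02T02:{minute:02d}:00", "adm_jsmith", f"SRV{n:03d}", 3)
    for n, minute in enumerate(range(0, 60, 2), start=1)
]

# Assumed baseline: maximum distinct hosts each account touched in any single day
# over the learning period. In practice this is computed from historical logs.
BASELINE_MAX_HOSTS_PER_DAY = {"adm_jsmith": 5, "jdoe": 2}


def parse_events(rows):
    """Return events sorted by time with timestamps parsed."""
    return sorted(
        (datetime.fromisoformat(ts), account, host, logon_type)
        for ts, account, host, logon_type in rows
    )


def fanout_alerts(rows, baseline, window=timedelta(hours=4), multiplier=4, unknown_account_limit=10):
    """Return one alert per account whose distinct-host count in any `window` exceeds its limit.

    The limit is `multiplier` times the account's daily baseline, or `unknown_account_limit`
    for accounts with no baseline (new or never-seen accounts get the stricter fixed bound).
    """
    by_account = defaultdict(list)
    for ts, account, host, _ in parse_events(rows):
        by_account[account].append((ts, host))

    alerts = []
    for account, logons in by_account.items():
        daily_max = baseline.get(account)
        limit = daily_max * multiplier if daily_max is not None else unknown_account_limit
        worst = None
        # Slide the window start over each logon and count distinct targets inside it.
        for i, (start, _) in enumerate(logons):
            hosts = set()
            for ts, host in logons[i:]:
                if ts - start > window:
                    break
                hosts.add(host)
            if len(hosts) > limit and (worst is None or len(hosts) > worst["distinct_hosts"]):
                worst = {
                    "account": account,
                    "window_start": start.isoformat(),
                    "distinct_hosts": len(hosts),
                    "baseline_daily_max": daily_max,
                    "limit": limit,
                }
        if worst:
            alerts.append(worst)
    return alerts


if __name__ == "__main__":
    for alert in fanout_alerts(SAMPLE_EVENTS, BASELINE_MAX_HOSTS_PER_DAY):
        print(alert)
```

The rule deliberately ignores which tool produced the logons: PsExec, WMI, WinRM and a hand-rolled SMB client all generate the same 4624 records on the targets, which is exactly why a count-based baseline survives living-off-the-land tradecraft. The multiplier and the fixed bound for unknown accounts are tuning knobs; set them from your own logon data, and treat accounts with no baseline as the noisiest and most interesting class.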

Backup Architecture for Ransomware Resilience

Backup integrity is the foundation of ransomware resilience. An organization with tested, ransomware-resistant backups has fundamentally different response options than one without: they can decline to pay ransom and restore operations from backup rather than negotiating under duress. Achieving this position requires backup architecture that accounts for the specific tactics ransomware groups use to neutralize backups before deploying their payload.

Ransomware operators specifically target backup systems to prevent recovery. Common backup neutralization techniques include deleting volume shadow copies (VSS delete is one of the most consistent pre-detonation actions across ransomware families), accessing and encrypting network-accessible backup storage, compromising backup management consoles via administrative credentials obtained during the lateral movement phase, and poisoning backup data by establishing persistence within virtual machines that are then backed up — meaning the backups contain the attacker's foothold and re-infection occurs upon restore.
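Because shadow copy deletion and recovery disabling are so consistent across ransomware families, the command lines that perform them are worth a dedicated detection that fires before the encryptor does. The block below is an added example, not code from the original post; it scans constructed process-creation records shaped like Windows 4688 / Sysmon event 1 fields (host, user, parent process, command line) for the well-known backup neutralization commands, then escalates any host where several distinct techniques appear together. The sample hosts, users and the "two techniques on one host" escalation threshold are assumptions for the illustration.

```python
"""Detect backup-neutralization commands in process-creation telemetry."""
import re
from collections import defaultdict

# Constructed sample process-creation records (4688 / Sysmon 1 style fields).
# FS01 shows the classic pre-detonation sequence; BK01 is a legitimate backup agent
# listing shadows; the others are single suspicious commands.
SAMPLE_PROCESSES = [
    {"host": "FS01", "user": "adm_jsmith", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "user": "adm_jsmith", "parent": "cmd.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "FS01", "user": "adm_jsmith", "parent": "cmd.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "FS01", "user": "adm_jsmith", "parent": "cmd.exe",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"host": "BK01", "user": "svc_backup", "parent": "backupagent.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "WS-JDOE", "user": "jdoe", "parent": "explorer.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"host": "APP02", "user": "svc_app", "parent": "services.exe",
     "cmdline": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
]

# Each rule names a technique and matches the normalized (lower-case, single-spaced) command line.
RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("vss_shrink_storage", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*\bmaxsize=")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b")),
    ("bcdedit_recovery_off", re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("wmi_shadowcopy_delete_ps", re.compile(r"win32_shadowcopy.*\.delete\(\)")),
]


def normalize(cmdline):
    """Lower-case and collapse whitespace so spacing tricks do not dodge the patterns."""
    return " ".join(cmdline.lower().split())


def scan(records):
    """Return one hit per (record, rule) match, carrying the fields an analyst needs."""
    hits = []
    for rec in records:
        normalized = normalize(rec["cmdline"])
        for technique, pattern in RULES:
            if pattern.search(normalized):
                hits.append({"technique": technique, **rec})
    return hits


def escalate(hits, min_distinct_techniques=2):
    """Map host -> sorted techniques for hosts showing several distinct neutralization techniques.

    A single match is worth triaging; two or more on one host is the pre-detonation pattern.
    """
    per_host = defaultdict(set)
    for hit in hits:
        per_host[hit["host"]].add(hit["technique"])
    return {host: sorted(t) for host, t in per_host.items() if len(t) >= min_distinct_techniques}


if __name__ == "__main__":
    found = scan(SAMPLE_PROCESSES)
    for hit in found:
        print(f'{hit["host"]:8} {hit["user"]:12} {hit["technique"]:24} {hit["cmdline"]}')
    print("high-confidence hosts:", escalate(found))
```

Two caveats apply in production. Event 4688 only carries the command line if the "Include command line in process creation events" policy is enabled (Sysmon records it by default), so verify the field is populated before relying on this. And these commands are exactly where a sensible allow-list belongs: the backup agent's own `vssadmin` invocations from its service account will otherwise page someone every night.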

Hardening backup architecture against these techniques requires several specific controls: immutable backup storage (storage that cannot be modified or deleted after write, using either object lock features in cloud storage or hardware write-once media), air-gapped backup copies that are physically or logically isolated from the production environment and unreachable via network protocols during normal operations, dedicated backup service accounts with restricted privileges that do not overlap with production administrative accounts, offline copies of critical backup data maintained at defined intervals, and regular restore tests that verify backup integrity and validate recovery time objectives. Two details decide whether "immutable" holds up against an attacker holding admin credentials: the lock must be in a mode that no account can shorten or remove before the retention period ends (in S3 Object Lock terms, compliance mode rather than governance mode, which a privileged principal can bypass), and the backup management console, whose credentials the attacker will have collected during lateral movement, needs its own identity boundary with MFA rather than domain-joined single sign-on. The restore test cadence is often the weakest link: backups that have never been successfully restored are an untested assumption rather than a verified control.

Double Extortion and Data Protection

Modern ransomware groups routinely conduct double extortion: before deploying the encryption payload, they exfiltrate sensitive data and threaten to publish it unless the ransom is paid. This technique effectively eliminates the backup-based recovery path as a complete defense, because even organizations that can recover from backups face the threat of sensitive data publication — customer PII, financial records, intellectual property, executive communications — if they decline to pay.

Defending against double extortion requires data protection controls that limit the volume and sensitivity of data that can be exfiltrated during an extended pre-detonation intrusion. Data classification and access controls that restrict sensitive data to systems and accounts that legitimately need it — rather than allowing broad access across the enterprise network — limit exfiltration potential. DLP controls on egress channels (email, cloud upload, removable media) detect and block bulk data transfer. Network behavior monitoring that establishes baseline outbound data transfer volumes and alerts on significant deviations provides early warning of staged exfiltration. And cloud access security broker (CASB) controls on sanctioned and unsanctioned cloud services prevent data staging to personal cloud storage accounts, which ransomware operators commonly use for exfiltration to avoid traditional DLP controls.
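The "baseline outbound volumes and alert on significant deviations" control in the paragraph above can be prototyped in a few dozen lines. The following is an added example, not code from the original post; it runs over constructed per-day egress flow summaries (date, source host, external destination, bytes out), learns a per-host mean and spread from a 14-day baseline, and flags a host whose daily egress is both statistically anomalous and above an absolute floor, additionally noting destinations never seen in the baseline. The host names, destinations, byte counts and thresholds are all assumptions for the illustration.

```python
"""Flag hosts whose outbound volume or destinations deviate from a learned baseline."""
import statistics
from collections import defaultdict

MB = 1_000_000
GB = 1_000_000_000

# Constructed baseline: 14 ordinary days of egress summaries (date, src host, destination, bytes).
# Volumes wobble a little day to day so the spread is non-zero.
BASELINE_FLOWS = []
for day in range(1, 15):
    BASELINE_FLOWS.append((f"2024-05-{day:02d}", "FS01", "updates.example.net", 800 * MB + (day % 3) * 50 * MB))
    BASELINE_FLOWS.append((f"2024-05-{day:02d}", "WS-JDOE", "saas.example.com", 200 * MB + (day % 3) * 20 * MB))

# Constructed "today": FS01 pushes 45 GB to a destination that never appeared in the baseline.
TODAY_FLOWS = [
    ("2024-05-15", "FS01", "updates.example.net", 800 * MB),
    ("2024-05-15", "FS01", "storage.example-personal-cloud.net", 45 * GB),
    ("2024-05-15", "WS-JDOE", "saas.example.com", 210 * MB),
]


def daily_totals(flows):
    """Return {host: {date: total bytes}} from flow summaries."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, host, _dst, nbytes in flows:
        totals[host][date] += nbytes
    return totals


def learn_baseline(flows, min_relative_spread=0.05):
    """Return {host: (mean, spread, seen destinations)} from baseline flows.

    The spread is floored at a fraction of the mean so a perfectly flat history
    does not turn every tiny change into an infinite z-score (assumed tuning choice).
    """
    totals = daily_totals(flows)
    destinations = defaultdict(set)
    for _date, host, dst, _n in flows:
        destinations[host].add(dst)
    baseline = {}
    for host, per_day in totals.items():
        values = list(per_day.values())
        mean = statistics.fmean(values)
        spread = max(statistics.pstdev(values), min_relative_spread * mean)
        baseline[host] = (mean, spread, destinations[host])
    return baseline


def egress_alerts(today_flows, baseline, z_threshold=3.0, min_bytes=1 * GB, new_dst_min_bytes=100 * MB):
    """Return alerts for hosts whose egress today is anomalous against their baseline.

    A host alerts when its total exceeds both `min_bytes` and mean + z_threshold * spread.
    Unseen destinations receiving more than `new_dst_min_bytes` are listed on the alert.
    """
    totals = daily_totals(today_flows)
    per_dst = defaultdict(lambda: defaultdict(int))
    for _date, host, dst, nbytes in today_flows:
        per_dst[host][dst] += nbytes

    alerts = []
    for host, per_day in totals.items():
        today = sum(per_day.values())
        mean, spread, seen = baseline.get(host, (0.0, 1.0, set()))
        z = (today - mean) / spread
        new_dsts = sorted(d for d, n in per_dst[host].items() if d not in seen and n >= new_dst_min_bytes)
        if today >= min_bytes and z >= z_threshold:
            alerts.append({"host": host, "today_bytes": today, "baseline_mean": mean,
                           "z": round(z, 1), "new_destinations": new_dsts})
    return alerts


if __name__ == "__main__":
    for alert in egress_alerts(TODAY_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(alert)
```

The absolute floor matters as much as the z-score: a workstation that normally sends 5 MB a day and sends 50 MB today is a 10x deviation and almost certainly noise, while a file server moving 45 GB to a consumer storage domain is the signal you are paying for. In a real deployment the baseline comes from NetFlow, proxy or firewall logs aggregated per host and per destination, and the "new destination" list is the first thing an analyst should look at, since staging to a personal cloud account is the destination-class the paragraph calls out.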

Key Takeaways

  • Modern ransomware attacks have multi-week pre-detonation phases — behavioral detection during this window is the highest-leverage defense available to enterprises.
  • Initial access prevention should focus on the three dominant vectors: phishing, internet-facing vulnerability exploitation, and stolen credential use via initial access brokers.
  • Backup architecture must specifically account for ransomware backup neutralization tactics — immutable storage, air-gapped copies, and regular restore tests are all required.
  • Double extortion eliminates backup-based recovery as a complete defense; data classification and DLP controls are necessary to limit exfiltration damage.
  • Living-off-the-land techniques make pre-detonation detection dependent on behavioral analytics, not signature-based tools.
  • Ransomware incident response plans must address the double extortion negotiation decision at the executive level before an incident occurs — not in the middle of one.

Conclusion

Ransomware is the most financially damaging category of cybercrime targeting enterprises today, and its evolution toward targeted, high-dwell-time operations means that organizations without mature detection capabilities have a very different ransomware risk profile than those that can surface pre-detonation activity. The enterprise ransomware playbook described here — prevention controls for the major initial access vectors, behavioral detection focused on the pre-detonation phase, ransomware-resistant backup architecture, and data protection controls against double extortion — does not guarantee immunity, but it dramatically changes the outcome distribution. Organizations that implement it consistently find that ransomware intrusions are detected and contained before detonation far more often than in organizations that rely primarily on perimeter prevention and backup recovery. Given the stakes, the investment in that capability is among the most clearly justified in the security program portfolio.