Ransomware Indicators — Pre-Encryption Activity
Ransomware attacks follow a predictable pattern in Windows event logs — disabling defenses, establishing persistence, spreading laterally, and then clearing logs before encrypting. Recognizing the pre-encryption activity pattern gives defenders a window to intervene before data is lost.
Severity: Critical
ATT&CK Tactic: Impact
Common attacker usage: Ransomware-as-a-Service operators (LockBit, BlackCat, Cl0p) · Double-extortion groups · Ransomware affiliates · Wiper malware
Investigate immediately if
- Audit log cleared (1102) across multiple systems in a short window
- WinDefend or VSS (Volume Shadow Copy Service) stopped
- New service with a random or suspicious name installed in a temp directory
- Defender detections (1116) appear on multiple endpoints simultaneously
MITRE ATT&CK: T1486 · Data Encrypted for Impact (tactic: Impact)
Security Relevance
Modern ransomware attacks are not spontaneous — they follow a structured intrusion methodology that can take days or weeks from initial access to encryption. The pre-encryption phase leaves a trail of Windows events that, if detected early, allow defenders to eject the attacker before any data is encrypted. The attack typically progresses: initial access → lateral movement → privilege escalation → defense evasion (Defender disable, log clear) → persistence → encryption. Each stage is visible in Windows event logs.
Indicators of Malicious Use
- Event ID 1102 (audit log cleared) across multiple systems — attackers clear logs immediately before or after encryption to destroy forensic evidence.
- Event ID 7036: VSS (Volume Shadow Copy Service) stopped — ransomware deletes shadow copies to prevent recovery. This happens minutes before encryption starts.
- Event ID 4688: vssadmin.exe delete shadows /all or wmic shadowcopy delete in process creation logs — the shadow copy deletion command.
- Event ID 7045: New service with a random name (e.g. abcdef12.exe) in C:\Windows\Temp — ransomware payload installed as a service for execution.
- Event ID 1116: Mass Defender detections across multiple endpoints in a short window — the ransomware binary triggering AV on many systems simultaneously.
- Event ID 4698: Scheduled tasks created with encoded PowerShell commands — persistence mechanism deployed before encryption.
- Event ID 4624 Type 3: Wave of lateral movement across the network from a single source — ransomware spreading to reach all accessible systems.
- Sudden silence in all logs followed by system unavailability — encryption has started and event logging is disrupted.
Example Log Entry
Pre-encryption activity sequence (look for this pattern):
- T-60 min: Event ID 7036, WinDefend service stopped
- T-55 min: Event ID 4657, DisableAntiSpyware registry key set to 1
- T-40 min: Event ID 4624 (Type 3), lateral movement wave to 12 hosts
- T-30 min: Event ID 7045, service "svchostXX.exe" installed in C:\Windows\Temp
- T-20 min: Event ID 4688, vssadmin.exe delete shadows /all /quiet
- T-15 min: Event ID 1102, Security audit log cleared
- T-00 min: encryption begins; no further events logged normally

Log Name: System
Event ID: 7036
The Volume Shadow Copy service entered the stopped state.

Log Name: Security
Event ID: 4688
New Process Name: C:\Windows\System32\vssadmin.exe
Process Command Line: vssadmin delete shadows /all /quiet
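As an added example (not from the original guide or its upload tool), the following Python script correlates a set of constructed event records against the staged pattern above: it maps each record to a pre-encryption stage, alerts when a host shows three or more distinct stages inside a 60-minute window, and suppresses a VSS stop that is followed by a VSS restart within ten minutes, the Windows Update case from the false-positive list. Hostnames, timestamps, message wording and the stage names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (timestamp, host, event_id, message); not real log data.
EVENTS = [
    ("2024-01-10 02:00:00", "FS01", 7036, "The Windows Defender Antivirus Service entered the stopped state."),
    ("2024-01-10 02:05:00", "FS01", 4657, "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware set to 1"),
    ("2024-01-10 02:30:00", "FS01", 7045, "Service svchostXX.exe installed, image path C:\\Windows\\Temp\\svchostXX.exe"),
    ("2024-01-10 02:40:00", "FS01", 4688, "vssadmin delete shadows /all /quiet"),
    ("2024-01-10 02:45:00", "FS01", 1102, "The audit log was cleared."),
    # Benign: VSS paused by Windows Update on WS07 and running again two minutes later.
    ("2024-01-10 03:00:00", "WS07", 7036, "The Volume Shadow Copy service entered the stopped state."),
    ("2024-01-10 03:02:00", "WS07", 7036, "The Volume Shadow Copy service entered the running state."),
]
WINDOW = timedelta(minutes=60)             # pre-encryption sequences span 15-60 min
VSS_RESTART_GRACE = timedelta(minutes=10)  # VSS back within this: treat as a benign pause
RULES = [  # (event id, regex over the lower-cased message, stage name)
    (7036, r"volume shadow copy.*stopped state", "vss_stop"),
    (7036, r"defender.*stopped state", "defender_stop"),
    (4657, r"disableantispyware", "defender_disable"),
    (7045, r"\\temp\\", "temp_service"),
    (4688, r"vssadmin.*delete shadows|wmic shadowcopy delete", "shadow_delete"),
    (1102, r".", "log_cleared"),
]

def classify(event_id, msg):
    """Map one event to a pre-encryption stage, or None if it is not part of the pattern."""
    return next((s for eid, rx, s in RULES if eid == event_id and re.search(rx, msg.lower())), None)

def vss_restarted(events, i):
    """True if the same host logs VSS back in the running state within the grace period."""
    ts, host, _, _ = events[i]
    return any(h == host and e == 7036 and "volume shadow copy" in m.lower()
               and "running state" in m.lower() and t - ts <= VSS_RESTART_GRACE
               for t, h, e, m in events[i + 1:])

def detect(raw_events, min_stages=3):
    """Return {host: sorted stage names} for hosts with >= min_stages distinct stages in WINDOW."""
    events = sorted((datetime.fromisoformat(t), h, e, m) for t, h, e, m in raw_events)
    staged = []
    for i, (ts, host, eid, msg) in enumerate(events):
        stage = classify(eid, msg)
        if stage and not (stage == "vss_stop" and vss_restarted(events, i)):
            staged.append((ts, host, stage))  # a restarted VSS is a benign pause, skipped
    alerts = {}
    for ts, host, _ in staged:  # slide a window starting at each staged event
        seen = {s for t, h, s in staged if h == host and ts <= t <= ts + WINDOW}
        if len(seen) >= min_stages and len(seen) > len(alerts.get(host, [])):
            alerts[host] = sorted(seen)
    return alerts
```

Running `detect(EVENTS)` flags FS01 with five stages and stays silent on WS07; feeding the same rules with real exported events would still need the 4624 Type 3 wave and 1116 mass-detection checks, which are cross-host rather than per-host and are left out here.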
Investigation Steps
1. Establish the timeline — find the earliest suspicious event and work forward. Ransomware pre-encryption sequences typically span 15–60 minutes.
2. Check all systems for the same pattern — ransomware encrypts the network, not just one machine. Look for 4624 Type 3 lateral movement events as the spread vector.
3. Look for the initial access event — phishing (Defender detection on an email attachment), VPN logon from an unusual IP, or RDP brute force (4625 spike) days or weeks earlier.
4. Check VSS status immediately: vssadmin list shadows. If shadow copies are gone, recovery options are limited to backups.
5. Identify patient zero — which host had the first unusual event? That is the initial compromise point and the most valuable forensic artifact.
6. Do not reboot infected systems — memory forensics may still be possible. Isolate them from the network instead.
7. Check backup systems — verify backup integrity before attempting restoration. Some ransomware specifically targets and corrupts backup infrastructure.
Common False Positives
- VSS stopping during Windows Update — updates occasionally pause VSS temporarily. This generates a 7036 stop event, but VSS restarts within minutes.
- Backup software operations — Veeam, Acronis, and similar products interact heavily with VSS. Scheduled backup jobs generate VSS state changes.
- Log archival and rotation — some organizations clear event logs as part of a documented archival process. This should always be accompanied by an export to a SIEM.
- Security testing and DR exercises — tabletop exercises or red team engagements may simulate ransomware indicators. Verify against your testing calendar.
Remediation
- Isolate affected systems immediately — disconnect them from the network to stop ongoing encryption and lateral spread.
- Do not pay the ransom without consulting law enforcement and legal counsel — payment does not guarantee decryption and may violate sanctions.
- Restore from clean, offline backups — verify backup integrity before restoring (test restores on isolated systems first).
- Enable Tamper Protection on all endpoints to prevent Defender from being disabled without admin consent.
- Implement the 3-2-1 backup rule: 3 copies, 2 different media types, 1 offsite — ransomware targets network-connected backups.
- Deploy Controlled Folder Access in Defender to block unauthorized processes from writing to protected directories.
- Engage an incident response firm if the attack is active — contain and eradicate before restoring to avoid re-infection.