Source URL: https://blog.talosintelligence.com/stopping-ransomware-before-it-starts/
Source: Cisco Talos Blog
Title: Stopping ransomware before it starts: Lessons from Cisco Talos Incident Response
Feedly Summary: Explore lessons learned from over two years of Talos IR pre-ransomware engagements, highlighting the key security measures, indicators and recommendations that have proven effective in stopping ransomware attacks before they begin.
AI Summary and Description: Yes
Summary: The text discusses findings from Cisco Talos Incident Response regarding pre-ransomware incidents, emphasizing effective security measures that mitigate the risk of ransomware attacks. It reveals key tactics utilized by adversaries and identifies actionable recommendations for organizations to enhance their defensive posture against these threats.
Detailed Description: The analysis from Cisco Talos focuses on engagements over two and a half years, designating incidents that occur prior to a ransomware attack as “pre-ransomware.” Here are the critical insights and recommendations extracted from the text:
- **Engagement Timeliness**:
  - Early engagement with Talos IR (within one or two days) significantly deters ransomware attacks, allowing for extensive threat landscape insights and proactive measures.
- **Rapid Alert Response**:
  - Timely response to alerts from EDR or managed detection and response solutions, especially within two hours, is correlated with successful threat isolation in a substantial number of engagements.
- **Key Indicators and Indicators of Compromise (IOCs)**:
  - Specific adversary actions are characterized as pre-ransomware activities, including attempts to gain administrative access and to deploy command-and-control solutions. Common pre-ransomware indicators have been classified into Tactics, Techniques, and Procedures (TTPs).
- **Collaboration with Government Entities**:
  - Notifications from government representatives, particularly the Department of Homeland Security's CISA, proved crucial for organizations to mitigate potential ransomware attacks.
- **Security Solutions and Configuration**:
  - Proper configuration of security tools to actively block threats can significantly impede adversaries. Deploying tools in a passive, alert-only mode can leave vulnerabilities exposed rather than mitigate them.
- **Security Restrictions**:
  - Robust access controls can hinder adversaries' progress, emphasizing the importance of strict privilege management within organizations.
- **Recommendations for Strengthening Security**:
  - Regularly update all operating systems and software to patch vulnerabilities.
  - Store backups offline to protect against ransomware encryption.
  - Implement MFA across critical services and monitor for misuse.
  - Enhance monitoring and logging to provide clearer forensic visibility post-incident.
  - Conduct comprehensive end-user cybersecurity training to combat social engineering tactics.
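The summary above ties successful isolation to acting on EDR/MDR alerts within two hours. The following Python script is an added example, not code from the Talos post or from Cisco: it shows one way a SOC could track that metric from its own alert and containment timestamps, flagging alerts that breached the two-hour window and those still open. The record layout (`alert_id`, `host`, `raised_at`, `contained_at`) and all sample values are constructed for illustration; timestamps are ISO-8601 with explicit offsets and are normalised to UTC so that mixed-timezone records compare correctly.

```python
"""Added example (not from the Talos post): measure alert-to-containment lag.

Reads constructed alert records, computes how long each host took to be
isolated after its EDR/MDR alert fired, and reports which alerts were
handled inside the two-hour window the summary highlights.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# The two-hour response window cited in the summary.
SLA = timedelta(hours=2)


@dataclass
class AlertRecord:
    alert_id: str
    host: str
    raised_at: datetime
    contained_at: Optional[datetime]  # None means the host was never isolated


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset and normalise it to UTC."""
    return datetime.fromisoformat(s).astimezone(timezone.utc)


def load_records(rows: List[dict]) -> List[AlertRecord]:
    """Build AlertRecord objects from dict rows (e.g. a ticketing export)."""
    records = []
    for r in rows:
        contained = r.get("contained_at")
        records.append(AlertRecord(
            alert_id=r["alert_id"],
            host=r["host"],
            raised_at=parse_ts(r["raised_at"]),
            contained_at=parse_ts(contained) if contained else None,
        ))
    return records


def containment_lag(rec: AlertRecord) -> Optional[timedelta]:
    """Time from alert to isolation, or None if the host is still open."""
    if rec.contained_at is None:
        return None
    return rec.contained_at - rec.raised_at


def sla_report(records: List[AlertRecord]) -> Tuple[List[str], List[str], List[str]]:
    """Split alert ids into (within_sla, breached, still_open)."""
    within, breached, still_open = [], [], []
    for rec in records:
        lag = containment_lag(rec)
        if lag is None:
            still_open.append(rec.alert_id)
        elif lag <= SLA:
            within.append(rec.alert_id)
        else:
            breached.append(rec.alert_id)
    return within, breached, still_open


def sla_rate(records: List[AlertRecord]) -> float:
    """Fraction of contained alerts handled within the SLA (0.0 if none closed)."""
    within, breached, _ = sla_report(records)
    closed = len(within) + len(breached)
    return len(within) / closed if closed else 0.0


# Constructed sample export: ids, hosts and times are illustrative only.
SAMPLE_ROWS = [
    {"alert_id": "A-1001", "host": "ws-finance-07",
     "raised_at": "2024-01-15T09:00:00+00:00", "contained_at": "2024-01-15T09:45:00+00:00"},
    {"alert_id": "A-1002", "host": "srv-file-02",
     "raised_at": "2024-01-15T13:10:00+00:00", "contained_at": "2024-01-15T17:30:00+00:00"},
    {"alert_id": "A-1003", "host": "ws-hr-12",
     "raised_at": "2024-01-15T22:00:00+00:00", "contained_at": None},
    # Raised at 01:00 in UTC-5 (06:00 UTC), contained at 07:59 UTC: 1h59m, inside SLA.
    {"alert_id": "A-1004", "host": "ws-eng-31",
     "raised_at": "2024-01-16T01:00:00-05:00", "contained_at": "2024-01-16T07:59:00+00:00"},
]


if __name__ == "__main__":
    recs = load_records(SAMPLE_ROWS)
    within, breached, still_open = sla_report(recs)
    print("within SLA :", within)
    print("breached   :", breached)
    print("still open :", still_open)
    print(f"SLA rate   : {sla_rate(recs):.0%}")
```

Open alerts are reported separately rather than counted as breaches, since an alert with no containment record is a different problem (the host may have been missed entirely) and deserves its own follow-up; the example also treats a lag of exactly two hours as inside the window.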
This report underscores that preemptive action and continuous improvement in security practices are vital for thwarting ransomware threats and enhancing overall organizational security frameworks. Security professionals should prioritize the identified TTPs and follow the recommendations to build a more resilient defense against evolving ransomware strategies.