Complete Ransomware Defense Playbook: Prevention, Detection, and Recovery

by
Ransomware protection and defense

Ransomware attacks cost businesses over $20 billion in 2023. The average downtime after a ransomware attack is 22 days. And paying the ransom only guarantees data decryption about 65% of the time — in many cases, encrypted data is also published publicly despite payment. This guide is your complete ransomware defense playbook: prevention, detection, containment, and recovery.

How Modern Ransomware Works (Step by Step)

Modern ransomware families like LockBit 3.0, ALPHV/BlackCat, and Royal follow a well-defined kill chain. Understanding each phase helps you identify where to place defensive controls.

Phase 1: Initial Access

The most common entry points in 2024:

  • Phishing emails with malicious attachments (37% of cases)
  • Exposed RDP with weak/default credentials (23%)
  • Unpatched VPN vulnerabilities — Fortinet, Pulse Secure, Citrix (19%)
  • Valid credentials from dark web (15%)
  • Supply chain compromise (6%)

Phase 2: Persistence and Escalation

# Common persistence mechanisms used by ransomware:
# Registry run key
reg add "HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun" /v "SystemUpdate" /t REG_SZ /d "C:ProgramDatamalware.exe"

# Scheduled task (appears legitimate)
schtasks /create /tn "GoogleUpdate" /tr "C:ProgramDataevil.exe" /sc daily /st 09:00 /ru System

# WMI event subscription (invisible to most tools)
# Detected by Sysmon Event IDs 19, 20, 21

# Service installation
sc create "WindowsTelemetry" binPath= "C:ProgramDatamalware.exe" start= auto
sc start WindowsTelemetry

Phase 3: Lateral Movement and Data Exfiltration

# Ransomware groups map your network before encrypting
# They use tools like:
# BloodHound (AD attack path mapping)
# Cobalt Strike (commercial C2)
# Mimikatz (credential harvesting)
# AnyDesk/TeamViewer (remote access disguised as legit)

# Data exfiltration before encryption (double extortion)
# Common exfil tools: Rclone (syncs to attacker's cloud storage), MEGASync, WinSCP

# Detect Rclone (common ransomware exfil tool)
# Sysmon Event ID 1: Process create
CommandLine="*rclone*" AND (CommandLine="*copy*" OR CommandLine="*sync*")

# Detect large outbound data transfers
netstat -ano | findstr ESTABLISHED | findstr ":443"
# Correlate with high bandwidth on firewall logs

Phase 4: Encryption

Modern ransomware uses hybrid encryption: RSA-2048 or higher for key exchange, AES-256 for file encryption. Each victim gets a unique keypair — without the private key, decryption is computationally impossible.

# Ransomware encryption speed is staggering:
# LockBit 3.0 claims to encrypt 100GB in under 4 minutes
# ALPHV/BlackCat uses Rust for ultra-fast multi-threaded encryption
# They partially encrypt large files (faster, still renders unusable)

# WMIC command used to delete Volume Shadow Copies (backups):
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no

# This single command is a critical ransomware indicator:
# Alert on ANY execution of vssadmin delete!

Prevention Controls: Build Layers of Defense

1. Email Security

# Microsoft 365: Configure Safe Attachments policy
# Security Center > Email & Collaboration > Policies > Safe Attachments
# Action: Block - Block current and future messages with detected malware
# Enable: Safe Attachments for SharePoint, OneDrive, Teams

# Block high-risk attachment types at gateway level
# Add to Exchange transport rule - block these extensions:
$blocked = @('.exe','.bat','.cmd','.vbs','.js','.jse','.wsf','.wsh','.ps1','.psm1','.psd1','.reg','.msi','.msp','.hta','.scr','.pif','.lnk','.iso','.img')

# Google Workspace: Block file types in Gmail settings
# Admin Console > Apps > Gmail > Safety > Attachments

2. Disable RDP or Protect It Properly

# Disable RDP if not needed
Set-ItemProperty -Path 'HKLM:SystemCurrentControlSetControlTerminal Server' -Name "fDenyTSConnections" -Value 1

# If RDP is needed:
# 1. Move to non-standard port (obscurity helps against mass scanners)
Set-ItemProperty -Path 'HKLM:SystemCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp' -Name PortNumber -Value 33890

# 2. Require NLA (Network Level Authentication)
Set-ItemProperty -Path 'HKLM:SYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp' -Name "UserAuthentication" -Value 1

# 3. Restrict to VPN users only (firewall rule)
New-NetFirewallRule -DisplayName "Block RDP Public" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Block -Profile Public

# 4. Enable Account Lockout
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

3. Backup Strategy (3-2-1-1-0 Rule)

# 3 copies of data
# 2 different storage media types (disk + tape or cloud)
# 1 offsite copy
# 1 offline/air-gapped copy (ransomware cannot reach it)
# 0 errors — verify backups with automated restore tests

# Linux: Automated backup with rsync + rotation
#!/bin/bash
BACKUP_DEST="/mnt/backup_drive"
SOURCE="/home /var/www /etc"
DATE=$(date +%Y-%m-%d)

rsync -avz --delete $SOURCE $BACKUP_DEST/daily/$DATE/
find $BACKUP_DEST/daily/ -maxdepth 1 -mtime +7 -exec rm -rf {} ;  # Keep 7 days

# Windows: PowerShell backup to offline drive
$source = "C:CriticalData"
$dest = "\offline-nasackups$((Get-Date).ToString('yyyy-MM-dd'))"
robocopy $source $dest /E /Z /LOG:C:ackup.log

# Test backup integrity weekly
# Schedule: every Sunday, restore a random file and verify hash

Detection Rules for Ransomware Indicators

# Splunk: Critical ransomware indicators

# 1. Volume Shadow Copy deletion (highest severity)
index=windows EventCode=4688
| search (CommandLine="*vssadmin*delete*" OR CommandLine="*wmic*shadowcopy*delete*" OR CommandLine="*bcdedit*recoveryenabled*no*")
| eval severity="CRITICAL"
| table _time, host, user, CommandLine, severity

# 2. Mass file renaming (encryption indicator)
index=windows EventCode=4663 Object_Type=File
| bucket _time span=1m
| stats count by host _time
| where count > 500

# 3. Shadow copy deletion via WMI
index=windows EventCode=4662
| search "Win32_ShadowCopy"
| table _time, host, user

# 4. Unusual process accessing many files rapidly
index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| bucket _time span=30s
| stats count by host Image _time
| where count > 200 AND NOT Image IN ("C:\Windows\System32\*","C:\Program Files\*")

# Wazuh rule for VSS deletion (add to local_rules.xml):
# rule id 100300, level 15 - vssadmin delete shadows detected

Incident Response: Ransomware Has Hit — Now What?

# IMMEDIATE (first 15 minutes):
# 1. Do NOT reboot or shut down systems (memory evidence is lost)
# 2. Isolate affected systems (disable NIC or VLAN-quarantine)
# 3. Preserve memory dump BEFORE isolating
winpmem_mini_x64.exe -o C:evidencememory.dmp

# Isolate via PowerShell (disable all NICs)
Get-NetAdapter | Disable-NetAdapter -Confirm:$false

# Or Cisco switch port shutdown:
interface FastEthernet0/1
  shutdown

# 4. Identify patient zero
# Check: who ran vssadmin? what process created the ransom note?
# Sysmon logs, Windows Event logs, EDR telemetry

# 5. Determine blast radius
# How many systems are encrypted?
# Were backups affected?
# Was data exfiltrated? (Check firewall outbound bandwidth)

# 15-60 MINUTES:
# 6. Contact your incident response retainer (if you have one)
# 7. Contact law enforcement (FBI IC3.gov, CISA)
# 8. Do NOT pay ransom without legal consultation
# 9. Check NoMoreRansom.org for free decryptors
#    Many ransomware families have been cracked:
#    - Conti (partially), REvil (by FBI), Dharma, GandCrab, Maze

# 60+ MINUTES:
# 10. Begin recovery from clean offline backups
# 11. Rebuild from scratch if backups are suspect
# 12. Change ALL credentials before bringing systems online

Ransomware-as-a-Service (RaaS) Operations

The modern ransomware ecosystem operates like a legitimate software business. LockBit had a bug bounty program. ALPHV/BlackCat had a professional customer service portal. RaaS groups recruit affiliates, provide support, and handle “negotiations.” Understanding this ecosystem helps defenders anticipate behavior:

  • LockBit 3.0: Fastest encryptor, stolen from Conti’s code, shut down by international law enforcement in 2024 but rebuilt
  • ALPHV/BlackCat: Written in Rust (unusually sophisticated), supports Windows, Linux, and VMware ESXi targets
  • Royal/BlackSuit: Targets healthcare and critical infrastructure, uses partial encryption for speed
  • Cl0p: Specializes in mass exploitation of file transfer software (MOVEit, GoAnywhere)

The single most impactful ransomware defense is offline, tested backups combined with MFA everywhere. Organizations with tested, offline backups recover from ransomware in days instead of weeks — and never need to pay a ransom. Everything else in this guide makes it harder for ransomware to succeed, but robust backups make it irrelevant whether it does.