How to Prevent Ransomware: 5 Common Behaviors to Hunt

Cyborg Security
4 min readJun 2, 2022

By Josh Campbell at Cyborg Security

Ransomware continues to plague organizations and governments worldwide. In fact, in just the last few weeks, several major federal, state and local governments have been impacted by various ransomware operators. There are also reports of defense contractors being hit hard as well. This is in addition to reports that ransomware attacks against hospitals and health care providers increased 94% last year alone. All of this has left CISOs and other security professionals asking: “how to prevent ransomware”? While there is no silver bullet on how to prevent ransomware, we have put together 5 of the most common behaviors we have seen ransomware operators employ, to enable effective threat hunting.

Before We Begin

Before we go over our ransomware behaviors, I wanted to let you know that all of the ransomware behaviors you’re going to see below are available for FREE as hunt packages in our HUNTER threat hunting content platform! If you would like the query, runbook, and so much more, go to click sign up and use promocode “RANSOMWARESUCKS” for your free community edition account!

How to Prevent Ransomware — Behavior #1

Excessive Windows Discovery and Execution Processes — Potential Malware Installation

When ransomware gangs compromise a system, they often employ the use of binaries native to Windows systems (Living off the Land Binaries) to investigate the system and network that they infiltrated, gain credentials, or establish persistence without raising much suspicion. This includes gathering information on the host and domain they landed on or using tools such as `schtasks` as a means of maintaining access to the system. The reason they often utilize binaries native to Windows to accomplish this is due to them appearing less conspicuous and more legitimate in comparison to custom tools, in addition to anti-virus and other endpoint protection not alerting on them.

How to Prevent Ransomware — Behavior #2

Excessive File Write or Modifications With Common Ransomware Note Extensions

Ransomware notes are generally dropped in common paths, including a user’s desktop, so they are more visible. These notes may use image files, .txt files and/or .doc files to act as the vehicle for communication. Attackers may also leave these ransomware notes in every folder or directory they choose to encrypt. This threat focuses on these notes being dropped excessively, which potentially is indicative of ransomware activity.

How to Prevent Ransomware — Behavior #3

Excessive Microsoft Windows Services Stopped

Several ransomware families use this technique to stop services once sufficient privileges are obtained, often related to the security or the health of the compromised system. Analysts can look for an excessive number of services being stopped/disabled. Even if the attempts fail, it can be indicative of malware or malicious activity on the system.

For this hunt we encourage security teams to focus on actors attempting to stop multiple services utilizing ‘net.exe’ or ‘sc.exe,’ potentially rendering a system more susceptible for further attack.

How to Prevent Ransomware — Behavior #4

Windows sc Used to Disable Services — Potential Ransomware

Many ransomware payloads or adversaries utilize this technique to disable AV, logging, EDR, and other health-related services once sufficient privileges are obtained. Analysts can look for an excessive number of services being disabled, even if the attempts fail, as it can be indicative of malicious activity on the system. Some malware families or adversaries will also search for specific AV services that are running on the system, instead of relying on lists, and in this case, it may be noted that only a few services are disabled.

How to Prevent Ransomware — Behavior #5

Shadow Copies Deletion Using Operating Systems Utilities

Volume Shadow Copy Service is a framework provided in Microsoft Windows operating systems to perform volume backups or for creating consistent, point-in-time copies of data (known as shadow copies). Due to the features that Volume Shadow Copies provide, such as the ability to roll back to a specific point-in-time copy of an NTFS volume, the copies are often targeted by malware. Nearly every Ransomware variant ensures destruction of Volume Shadow Copy (VSC) backups, so that the infected user cannot easily restore their encrypted files. Similarly, the Volume Shadow Copy (VSC) backups have also been observe being targeted by Wiper malware variants (such as the “Olympic Destroyer” malware, which targeted the 2018 Winter Olympics in PyeongChang, South Korea), as well as Loader malware variants (such as the H1N1 Trojan Downloader).


While ransomware continues to be the bane of many companies and governments worldwide, proactive hunting can help identify these behaviors before the adversary has a chance to carry out their objective and help CISOs answer the burning question of “how to prevent ransomware.”



Cyborg Security

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.