Threat Research

Detecting zero-day ransomware before encryption begins: a deep-dive into behavioural analysis

Sarah Mitchell · Principal Threat Researcher · Feb 28, 2025 · 14 min read

Our threat research team has reviewed many ransomware campaigns across financial services, healthcare, and critical infrastructure. The finding that changed our detection philosophy: the time between initial access and the first encrypted file can be just a handful of seconds. Signature-based detection is structurally incapable of closing that gap.

The anatomy of a modern ransomware attack

Modern ransomware operators have industrialised their workflows. They use legitimate system tools (LOLBins), encrypt in memory before writing to disk, and deploy multi-threaded encryption engines that can saturate a large network mount in well under a minute. By the time a hash-based detection fires, the damage is done.

What attackers cannot hide, however, is behaviour. Regardless of the payload variant, ransomware must enumerate file systems, establish or re-use a key exchange, and perform I/O operations at abnormal rates. These signals are detectable — if you know where to look.

The short-window problem

Illustrative finding

In our sample set, the majority of ransomware strains began bulk file I/O within a single-digit number of seconds of initial execution. Strains that pre-load a kernel driver reduced this further. Replace these figures with your own measurements before publishing.

We break the kill chain into four measurable phases:

  1. Discovery — the process tree maps drives and enumerates directory structures.
  2. Key negotiation — a symmetric key is either generated locally or retrieved from a C2 server.
  3. Staging — a memory-resident encryption engine is loaded.
  4. Execution — files are encrypted sequentially or via worker threads.

Phases 1–3 are where behavioural detection has leverage. By the time Phase 4 begins, intervention must be near-instant or it's too late.

Behavioural signals that matter

  • File entropy spike: legitimate applications writing to disk produce low-entropy output. Encrypted data is near-maximum entropy (≥7.8 bits/byte). A process writing many high-entropy files in a brief burst is anomalous.
  • Shadow copy deletion: a large share of ransomware strains delete VSS snapshots via vssadmin.exe or WMI. This is now a near-deterministic precursor.
  • Abnormal handle acquisition rate: enumerating thousands of file handles in a burst is measurable at the kernel level without needing file content inspection.
  • Canary file triggering: placing known-content files at the root of every drive and monitoring for unexpected modifications provides a zero-false-positive tripwire.
  • Process hollowing and injection into trusted processes: most modern strains inject into common system processes. Tracking parent–child process relationships and memory region permissions detects this.

How ShieldOps implements pre-encryption detection

Our EDR kernel driver instruments file system minifilter callbacks and exposes a streaming telemetry pipeline to our analysis engine. We compute entropy on write buffers before they reach the disk cache, which gives us detection before persistence.

```plaintext
[RULE] ransomware.pre_encrypt.v3
condition:
  process.file_writes_per_sec  > 80
  AND file.write_entropy_avg   > 7.6
  AND process.parent_unsigned  = true
  AND NOT process.path IN whitelist.system_writers
action: ISOLATE_PROCESS, SNAPSHOT_MEMORY, ALERT_CRITICAL
```
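To make the rule above concrete, here is an added example (not ShieldOps code) that computes per-write Shannon entropy and evaluates the four conditions of ransomware.pre_encrypt.v3 over a sliding one-second window of constructed write telemetry. The event fields, the process paths and the SYSTEM_WRITERS whitelist entry are assumptions standing in for the driver's real telemetry and for whitelist.system_writers.

```python
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of a write buffer in bits per byte (8.0 is the maximum)."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

@dataclass
class WriteEvent:
    pid: int
    proc_path: str
    parent_unsigned: bool
    ts: float   # seconds since boot
    data: bytes  # the write buffer, inspected before it reaches the disk cache

# Hypothetical stand-in for whitelist.system_writers (a known backup agent).
SYSTEM_WRITERS = {r"C:\Program Files\Acme Backup\backupd.exe"}

def matching_pids(events, writes_per_sec=80, entropy_avg=7.6, window=1.0):
    """Return pids that satisfy all four rule conditions in some `window`-second span."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    flagged = set()
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        j = 0
        for i, e in enumerate(evs):
            if not e.parent_unsigned or e.proc_path in SYSTEM_WRITERS:
                break   # process-level conditions fail; no need to count writes
            while evs[i].ts - evs[j].ts > window:
                j += 1  # slide the window start forward
            win = evs[j:i + 1]
            if len(win) / window > writes_per_sec:
                avg = sum(shannon_entropy(w.data) for w in win) / len(win)
                if avg > entropy_avg:
                    flagged.add(pid)
                    break
    return flagged

def constructed_events():
    """Constructed telemetry: an encryptor, a whitelisted backup agent, a text editor."""
    rng = random.Random(7)  # seeded so the sample is deterministic
    hi = lambda: bytes(rng.getrandbits(8) for _ in range(4096))  # ciphertext-like
    text = b"quarterly report: revenue grew 4% on stable margins.\n" * 80
    evs = [WriteEvent(4242, r"C:\Users\alice\AppData\Local\Temp\update.exe", True, i / 120, hi()) for i in range(120)]
    evs += [WriteEvent(1001, r"C:\Program Files\Acme Backup\backupd.exe", True, i / 120, hi()) for i in range(120)]
    evs += [WriteEvent(77, r"C:\Program Files\Editor\editor.exe", True, i / 2, text) for i in range(5)]
    return evs
```

Only the unsigned-parent temp-directory process is flagged: the backup agent writes equally high-entropy data at the same rate but is whitelisted, which is exactly the tuning question the next section addresses.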

What this means for your SOC

Behavioural detection requires tuning. A rule that fires on every video encoder or backup agent is useless. We recommend a 30-day baselining period per endpoint class before enabling automated isolation. Start with alert-only mode, review false positives, and build your whitelist incrementally.

Actionable takeaway

Enable canary files today — it requires no tuning and adds zero false positives. Place a 0-byte file named _shieldops_canary.txt at the root of every mounted volume. Any modification triggers an immediate high-confidence alert.

Ransomware is not a malware problem — it is a response time problem. The organisations that recover quickly are those whose detection-to-isolation pipeline is measured in seconds, not minutes. Behavioural analysis is the only architectural approach that achieves this reliably.

UI kit preview — content is fictional.