
ConnectWise

9/23/2025 | 13 Minute Read

How to detect ransomware


    Ransomware detection is more critical than ever. In 2024, attacks hit a record high with 5,263 major ransomware incidents reported worldwide, and the threat continues to accelerate. Attackers are now weaponizing AI to engineer faster, stealthier ransomware variants capable of evading traditional defenses, disguising malicious activity as normal behavior, and encrypting systems in minutes.

    Detecting ransomware early is the difference between rapid containment and catastrophic business disruption.  

    In this blog, we’ll explore how to detect ransomware across every stage of an attack: pre-execution, during active encryption, and post-compromise. You’ll learn the early warning signs to watch for, the tools and techniques that deliver the strongest visibility, and the best practices managed service providers (MSPs) and IT teams can implement to stay ahead of AI-driven threats.  

    Key takeaways

    • Ransomware surged in 2024 with 5,263 major incidents worldwide, and attackers now use AI-driven variants that encrypt files in minutes.
    • Early detection of ransomware depends on monitoring file system anomalies, suspicious process execution, and unusual network traffic.
    • Automated detection rules, such as alerts for abnormal file modifications, PowerShell misuse, or outbound data transfers, help MSPs and IT teams respond faster.
    • ConnectWise MDR and SIEM deliver centralized monitoring, SOC expertise, and AI/ML-driven analytics to detect ransomware at every attack stage.

    Ransomware detection vs. prevention

    Ransomware prevention and detection serve different but equally critical roles in a defense-in-depth strategy. Prevention focuses on reducing the attack surface through measures such as hardening systems, applying patches, maintaining offline backups, and enforcing security awareness training. While these measures block many commodity threats, they can’t guarantee safety from today’s ransomware-as-a-service (RaaS) ecosystems, where affiliates deploy constantly mutating strains that bypass traditional controls.

    The consequences of relying on prevention alone are severe. For example, a 158-year-old UK firm collapsed after a ransomware attack that was triggered by a single weak password, leading to the loss of 700 jobs. 

    This is where detection becomes indispensable. By identifying ransomware behaviors at each stage of the attack lifecycle (before, during, and after encryption), MSPs and IT teams gain the early warning needed to contain the spread, preserve forensic evidence, and initiate recovery before complete compromise.

    Layers of detection based on attack phase

    Pre-execution detection

    • Focuses on identifying precursors to ransomware execution.
    • Techniques include monitoring for unauthorized privilege escalation attempts, abnormal PowerShell or WMI activity, unsigned binaries executing from temp directories, and access to decoy “canary” files placed in critical paths.
    • By halting suspicious processes at this stage, defenders prevent payload delivery before encryption starts.

    In-progress detection (active encryption)

    • Detects the telltale signs of ransomware in motion.
    • Indicators include high-velocity file modifications across network shares, abnormally high CPU and disk I/O usage, unexpected changes to volume shadow copies, and blocked access to backup agents.
    • These signals demand immediate containment, such as automatic host isolation, that can stop network data encryption midstream.

    Post-execution detection (spread and impact)

    • Even after encryption begins, detection is essential to limit lateral movement and further data impact.
    • Triggers include mass service or registry changes, sudden deactivation of endpoint protection, log tampering or deletion, and credential harvesting tools running in memory.

    At this stage, detection enables SOC teams to contain the blast radius, protect adjacent systems, and start recovery workflows.

    Early warning signs of a ransomware infection

    Spotting ransomware early depends on recognizing patterns across endpoints, networks, and users. Key indicators that often precede or accompany an attack include:

    • Unusual file activity: Mass file renaming, unexpected encryption extensions (e.g., .locked, .crypt), or deleted volume shadow copies.
    • System resource spikes: Sudden CPU, memory, or disk I/O surges from uncommon processes; lsass.exe access by non-system binaries.
    • Anomalous network behavior: Connections to suspicious IPs/domains, DNS tunneling patterns, or large data transfers outside business hours.
    • Security control disruption: Endpoint protection disabled, event logs cleared, monitoring agents removed.
    • User-visible symptoms: Ransom notes dropped, locked screens, inaccessible files.

    Next: convert these signs into automated detections with the rules below.

    MSPs and IT teams that build automated detection rules around these behaviors, especially file system anomalies, security tool tampering, and network exfiltration, gain a crucial window to contain ransomware before full impact.

    12 automated detection rules every MSP and IT team needs

    Automating ransomware detection rules gives MSPs and IT teams faster visibility into suspicious activity without overwhelming analysts with noise. These 12 rules cover the ransomware attack chain and can be implemented in ConnectWise SIEM™ or validated through ConnectWise MDR for accuracy.

    Initial access

    1. Suspicious login activity: Trigger an alert for repeated failed logins, RDP access outside business hours, or successful logins from foreign IP addresses.

    2. Phishing payload execution: Flag Office applications (Word, Excel, Outlook) spawning PowerShell, cmd.exe, or wscript.exe processes.

    3. Malicious script execution: Detect PowerShell commands containing base64-encoded strings, which are commonly used to obfuscate ransomware loaders.

    Persistence and privilege escalation

    4. Unauthorized LSASS access: Alert when non-system processes attempt to read LSASS memory, a sign of credential dumping.

    5. New scheduled task or service creation: Flag when unexpected scheduled tasks or autorun services are created.

    6. Security tool tampering: Alert when endpoint protection is disabled, event logs are cleared, or registry keys tied to startup are modified.

    Execution and active encryption

    7. Mass file modification: Detect when more than 500 files are modified in 60 seconds or when unusual extensions (.locked, .crypt) appear.

    8. Shadow copy deletion: Flag execution of vssadmin delete shadows or equivalent commands targeting system restore points.

    9. Abnormal CPU or disk spikes: Alert on unexplained surges in resource usage by non-standard processes, signaling encryption in progress.

    Lateral movement and exfiltration

    10. SMB and LDAP enumeration: Detect rapid SMB session creation or LDAP queries that indicate reconnaissance for lateral spread.

    11. Suspicious Kerberos ticket activity: Alert when golden ticket–style anomalies or abnormal Kerberos requests occur.

    12. Unusual outbound traffic: Flag large outbound data transfers, DNS tunneling, or encrypted traffic to non-whitelisted IPs, especially outside business hours.
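As an added example (not ConnectWise code and not part of the original post), the following Python rule engine implements rules 2, 3, 4, 7 and 8 from the list above against Sysmon-style event records. The event field names, host names, file paths and the encoded PowerShell payload are all constructed for the demo; a real pipeline would map them from the SIEM's own schema.

```python
"""
Added example (not ConnectWise code): a minimal rule engine applying rules
2, 3, 4, 7 and 8 to Sysmon-style event records. Field names and all events
are constructed; a real pipeline maps them from the SIEM's schema.
"""
from __future__ import annotations

import base64
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}
SYSTEM_USERS = {"nt authority\\system"}     # simplification: only SYSTEM may read LSASS
RANSOM_EXTENSIONS = {".locked", ".crypt"}
MASS_MOD_THRESHOLD = 500                    # rule 7: more than 500 files ...
MASS_MOD_WINDOW_SECS = 60                   # ... modified within 60 seconds
ENC_FLAG = re.compile(r"^[-/](?:e|ec|enc|encodedcommand)$", re.I)


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def decode_encoded_command(command_line: str) -> str | None:
    """Rule 3 helper: decoded script if the command line carries
    -EncodedCommand <base64 of UTF-16LE>, otherwise None."""
    argv = command_line.split()
    for flag, value in zip(argv, argv[1:]):
        if ENC_FLAG.match(flag):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def _basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


@dataclass
class Detector:
    # per-host timestamps of recent file modifications (sliding window for rule 7)
    _mods: dict = field(default_factory=lambda: defaultdict(deque))

    def process_created(self, ev: dict) -> list[Alert]:
        alerts = []
        image, parent, cmd = _basename(ev["image"]), _basename(ev["parent_image"]), ev["command_line"]
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:                       # rule 2
            alerts.append(Alert("R2 phishing payload execution", ev["host"], f"{parent} -> {image}"))
        if image == "powershell.exe":                                                 # rule 3
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                alerts.append(Alert("R3 encoded PowerShell", ev["host"], decoded))
        if image == "vssadmin.exe" and re.search(r"delete\s+shadows", cmd, re.I):    # rule 8
            alerts.append(Alert("R8 shadow copy deletion", ev["host"], cmd))
        return alerts

    def process_access(self, ev: dict) -> list[Alert]:
        if _basename(ev["target_image"]) == "lsass.exe" and ev["source_user"].lower() not in SYSTEM_USERS:
            return [Alert("R4 unauthorized LSASS access", ev["host"], ev["source_image"])]   # rule 4
        return []

    def file_modified(self, ev: dict) -> list[Alert]:
        alerts = []
        host, ts, path = ev["host"], ev["ts"], ev["path"].lower()
        if "." in path and path[path.rfind("."):] in RANSOM_EXTENSIONS:             # rule 7 (extension)
            alerts.append(Alert("R7 ransomware extension", host, path))
        window = self._mods[host]
        window.append(ts)
        while ts - window[0] > MASS_MOD_WINDOW_SECS:   # drop timestamps older than the window
            window.popleft()
        if len(window) > MASS_MOD_THRESHOLD:            # rule 7 (velocity)
            alerts.append(Alert("R7 mass file modification", host, f"{len(window)} files in {MASS_MOD_WINDOW_SECS}s"))
            window.clear()                               # one alert per burst, not one per file
        return alerts


def run(events: list[dict]) -> list[Alert]:
    det, alerts = Detector(), []
    for ev in events:
        alerts.extend(getattr(det, ev["type"])(ev))
    return alerts


# Constructed sample telemetry: one infected workstation (ws01) and one benign host (ws02).
ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode()   # harmless constructed payload
SAMPLE_EVENTS = [
    {"type": "process_created", "host": "ws01", "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"type": "process_created", "host": "ws01", "parent_image": "cmd.exe", "image": "vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all"},
    {"type": "process_access", "host": "ws01", "source_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe",
     "source_user": "CORP\\alice", "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"type": "process_created", "host": "ws02", "parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},          # benign: no alert
    {"type": "file_modified", "host": "ws01", "ts": 999.0, "path": "\\\\fs01\\share\\q3.xlsx.locked"},
] + [  # burst: 600 documents rewritten on ws01 within 30 seconds
    {"type": "file_modified", "host": "ws01", "ts": 1000.0 + i * 0.05, "path": f"\\\\fs01\\share\\doc{i}.docx"}
    for i in range(600)
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Running the sample produces six alerts for ws01 (rules 2, 3, 8, 4 and both halves of rule 7) and none for the benign PowerShell on ws02. The velocity check keeps a per-host sliding window and clears it after firing, so a burst of thousands of rewrites yields one alert rather than one per file, which is what keeps a rule like this from flooding the SOC.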

    Ransomware detection tools

    No single tool catches every attack. A layered detection strategy ensures coverage across endpoints, networks, and user behavior. It includes tools such as:

    • Endpoint detection and response (EDR) or managed detection and response (MDR): Real-time monitoring of file changes, process execution, and suspicious behaviors at the device level.
    • SIEM and log analysis: Correlates data across environments to flag anomalies, from failed login attempts to privilege escalations.
    • Network monitoring and intrusion detection (IDS/IPS): Identifies ransomware traffic patterns, such as command-and-control communication or rapid SMB/LDAP queries.
    • Deception technology: Honeypots, traps, and canary files that immediately trigger alerts if touched by ransomware.
    • Threat intelligence feeds: Constant updates on known ransomware signatures, tactics, and indicators of compromise (IOCs).
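The canary-file idea above, as an added example that is not ConnectWise code and not part of the original post: decoy files are dropped into a monitored directory, fingerprinted at deployment, and re-checked later; because no legitimate process should ever touch them, any modification, rename or deletion is a high-fidelity signal. The decoy names, contents and the temporary deployment directory are constructed for the demo.

```python
"""
Added example (not ConnectWise code): deploy canary ("decoy") files, record
a baseline fingerprint, and later report any decoy that was modified, renamed
or deleted. Names, contents and the deploy location are constructed.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy names: sort early in a listing and look worth encrypting.
CANARY_NAMES = ["AAA_finance_backup.xlsx", "passwords_archive.docx", "contracts_2025.pdf"]


def _fingerprint(path: Path) -> dict | None:
    """sha256 and size of the file, or None if it no longer exists at that path."""
    if not path.is_file():
        return None
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(), "size": path.stat().st_size}


def deploy_canaries(share: Path) -> dict[str, dict]:
    """Write the decoys into `share` and return {path: fingerprint} as the baseline."""
    share.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        p = share / name
        p.write_bytes(f"decoy content for {name}\n".encode() * 64)
        baseline[str(p)] = _fingerprint(p)
    return baseline


def check_canaries(baseline: dict[str, dict]) -> list[str]:
    """Compare current state with the baseline; return one alert line per touched decoy."""
    alerts = []
    for path_str, expected in baseline.items():
        p = Path(path_str)
        current = _fingerprint(p)
        if current is None:
            # Missing decoy: either deleted or renamed (typically with a new extension).
            renamed = [q.name for q in p.parent.glob(p.name + ".*")] if p.parent.is_dir() else []
            what = f"renamed to {renamed[0]}" if renamed else "deleted"
            alerts.append(f"CANARY {what}: {p}")
        elif current != expected:
            alerts.append(f"CANARY modified (content changed): {p}")
    return alerts


def demo(root: Path | None = None) -> list[str]:
    """Deploy decoys into a temp dir, apply the three changes ransomware makes
    to files (overwrite, rename with new extension, delete), then check."""
    root = root or Path(tempfile.mkdtemp(prefix="canary_demo_"))
    baseline = deploy_canaries(root / "share")
    if check_canaries(baseline):
        raise RuntimeError("freshly deployed decoys should not alert")
    decoys = list(baseline)
    Path(decoys[0]).write_bytes(os.urandom(256))        # overwritten in place
    Path(decoys[1]).rename(decoys[1] + ".locked")        # renamed with a ransomware-style extension
    Path(decoys[2]).unlink()                             # deleted
    return check_canaries(baseline)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In production the check runs from the endpoint agent on a short schedule or from a file-system watcher rather than by polling from a script, and the alert should carry the process that touched the decoy so the SOC can isolate the host immediately; the fingerprint comparison itself is the same.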

    For MSPs, combining these tools under a centralized solution such as ConnectWise MDR and ConnectWise SIEM delivers unified visibility and actionable intelligence. Integrated detection within the ConnectWise Security Dashboard and the ConnectWise Asio® platform ensures ransomware signals from endpoints, networks, and logs are correlated in one place, reducing attacker dwell time and improving response coordination across teams.

    How MSPs and IT teams can detect ransomware with ConnectWise MDR and SIEM

    Ransomware moves fast, often encrypting thousands of files in minutes. To stay ahead, MSPs and IT teams need disciplined detection practices backed by automation and advanced analytics. With ConnectWise MDR and ConnectWise SIEM, automated detection and response becomes a structured, technical, and protective workflow across every stage of the attack chain.

    Implement continuous monitoring and alerting

    • Why it matters: Ransomware attacks rarely happen in a single step; they generate a trail of indicators. Continuous monitoring across endpoints, servers, firewalls, and cloud apps ensures nothing slips through the cracks.
    • How ConnectWise helps: MDR provides 24/7 SOC monitoring of endpoints, while SIEM ingests logs and telemetry in real time, correlating events such as failed logins or suspicious script execution into actionable alerts.

    Baseline normal behavior to detect anomalies

    • Why it matters: Signature-based defenses can’t keep pace with AI-driven ransomware strains. Establishing baselines for normal file access, authentication patterns, and bandwidth usage allows abnormal behaviors to stand out.
    • How ConnectWise helps: ConnectWise analytics flag anomalies such as spikes in failed logins and data transfers outside of business hours, reducing false positives and surfacing high-fidelity threats.
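The baselining approach described above, as an added example that is not ConnectWise code and not part of the original post. It builds a per-entity hourly baseline (mean and standard deviation, counting quiet hours as zero) from a week of history and flags the current day's hours that exceed mean plus three standard deviations. The same machinery is applied twice: failed logins per user, and outbound bytes per host restricted to off-hours. The business-hours window, the three-sigma cut-off, the alert floors and all telemetry are constructed assumptions.

```python
"""
Added example (not ConnectWise code): per-entity hourly baselines from
historical telemetry, then flag hours above mean + 3 standard deviations.
Business hours, floors and all telemetry below are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time (assumption)
SIGMAS = 3.0                    # distance above baseline that counts as anomalous


def floor_hour(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


def hourly_totals(events, key, value=lambda ev: 1):
    """Sum value(ev) per (key(ev), hour). value defaults to 1, i.e. a plain count."""
    totals = defaultdict(float)
    for ev in events:
        totals[(key(ev), floor_hour(ev["ts"]))] += value(ev)
    return totals


def build_baseline(history, key, value=lambda ev: 1, *, start: datetime, days: int):
    """Per-entity (mean, stdev) of hourly totals over a fixed window. Hours with no
    activity count as zero, so a user seen twice a day is not baselined at 'one per hour'."""
    totals = hourly_totals(history, key, value)
    hours = [start + timedelta(hours=h) for h in range(days * 24)]
    baseline = {}
    for ent in {ent for ent, _ in totals}:
        series = [totals.get((ent, h), 0.0) for h in hours]
        baseline[ent] = (mean(series), pstdev(series))
    return baseline


def flag_anomalies(current, baseline, key, value=lambda ev: 1, *, floor=0.0, off_hours_only=False):
    """Return (entity, hour, observed, threshold) where observed > max(floor, mean + SIGMAS*stdev).
    Entities with no history get threshold = floor, so new users/hosts still need a floor."""
    alerts = []
    for (ent, hour), observed in sorted(hourly_totals(current, key, value).items()):
        if off_hours_only and hour.hour in BUSINESS_HOURS:
            continue
        mu, sigma = baseline.get(ent, (0.0, 0.0))
        threshold = max(floor, mu + SIGMAS * sigma)
        if observed > threshold:
            alerts.append((ent, hour, observed, round(threshold, 1)))
    return alerts


# Constructed telemetry: seven days of history, then one current day.
DAY0 = datetime(2025, 9, 1)
HISTORY_LOGINS = [{"ts": DAY0 + timedelta(days=d, hours=h), "user": "alice"}
                  for d in range(7) for h in (9, 13)]                 # alice mistypes twice a day
HISTORY_FLOWS = [{"ts": DAY0 + timedelta(days=d, hours=h, minutes=30), "host": "ws01", "bytes_out": 50_000_000}
                 for d in range(7) for h in range(9, 18)]            # ws01 sends ~50 MB per business hour
TODAY = DAY0 + timedelta(days=7)
CURRENT_LOGINS = ([{"ts": TODAY + timedelta(hours=3, minutes=m), "user": "alice"} for m in range(45)]  # 45 failures at 03:00
                  + [{"ts": TODAY + timedelta(hours=10, minutes=m), "user": "bob"} for m in range(3)])  # normal noise
CURRENT_FLOWS = [
    {"ts": TODAY + timedelta(hours=2), "host": "ws01", "bytes_out": 2_000_000_000},   # 2 GB out at 02:00
    {"ts": TODAY + timedelta(hours=10), "host": "ws01", "bytes_out": 60_000_000},     # busy, but in hours
    {"ts": TODAY + timedelta(hours=1), "host": "ws02", "bytes_out": 5_000_000},       # unknown host, small
]


def login_anomalies():
    by_user = lambda e: e["user"]
    base = build_baseline(HISTORY_LOGINS, by_user, start=DAY0, days=7)
    return flag_anomalies(CURRENT_LOGINS, base, by_user, floor=20)


def transfer_anomalies():
    by_host, size = (lambda e: e["host"]), (lambda e: e["bytes_out"])
    base = build_baseline(HISTORY_FLOWS, by_host, size, start=DAY0, days=7)
    return flag_anomalies(CURRENT_FLOWS, base, by_host, size, floor=100_000_000, off_hours_only=True)


if __name__ == "__main__":
    print("failed-login anomalies:", login_anomalies())
    print("off-hours transfer anomalies:", transfer_anomalies())
```

On the constructed data only alice's 45 failures at 03:00 and ws01's 2 GB at 02:00 are flagged; bob's three failures and ws01's in-hours 60 MB are not. The floors matter as much as the sigma cut-off: a user with a near-zero baseline would otherwise alert on a handful of typos, which is exactly the false-positive noise the baselining is meant to remove.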

    Automate detection with rules and AI/ML analytics

    • Why it matters: Manual log review is too slow when ransomware can lock systems in minutes. Automated rules combined with ML-driven analytics accelerate detection.
    • How ConnectWise helps:
      • File activity rules: Alert if more than X files are modified per second or if new encryption extensions appear (.locked, .crypt).
      • Process rules: Flag unauthorized PowerShell use, encoded command execution, or suspicious parent-child process chains (e.g., Office spawning cmd.exe).
      • Network rules: Alert on outbound traffic to non-whitelisted IPs, DNS tunneling, or anomalous Kerberos ticket requests.
      • Security tampering rules: Trigger alerts if endpoint protection is disabled, logs are wiped, or registry keys tied to startup behavior change.
      • MDR SOC analysts: Validate these alerts, filtering noise and escalating confirmed ransomware activity for faster containment.

    Detect active encryption and lateral movement

    • Why it matters: Once encryption begins, every minute counts. Detecting midstream encryption or lateral spread can mean the difference between isolating one endpoint or losing an entire network.
    • How ConnectWise helps:
      • SIEM correlation rules identify high-velocity file changes, shadow copy deletions, or service disruptions.
      • Network analytics detect SMB enumeration, port scanning, and unusual traffic inside the LAN.
      • MDR and SIEM automation can isolate compromised endpoints and stop lateral movement before it reaches additional systems.

    Regularly test detection coverage with simulations

    • Why it matters: You can’t improve what you don’t test. Running ransomware simulations exposes detection gaps and validates that automated rules are firing correctly.
    • How ConnectWise helps: Detection logic can be validated against controlled attack simulations, ensuring SOC workflows and automated responses trigger as expected.

    Integrate detection with automated response and recovery

    • Why it matters: Detection without action wastes critical time. Automated workflows accelerate containment and recovery while reducing manual intervention.
    • How ConnectWise helps: Through ConnectWise data protection solutions, confirmed ransomware activity can automatically trigger:
      • Endpoint isolation.
      • AD account lockouts for compromised users.
      • Recovery to restore from immutable backups.

    Conclusion

    Ransomware will continue to evolve, with AI-driven variants making detection and response even more challenging for MSPs and IT teams. The difference between a contained incident and a full-scale business outage comes down to visibility, speed, and automation. With ConnectWise MDR and SIEM, ransomware detection and response become structured and actionable. Alerts are validated by SOC experts, false positives are filtered, and automated workflows enable rapid containment.

    Want to see how ConnectWise helps detect and stop ransomware in real time? Register for a live demo of ConnectWise MDR and ConnectWise SIEM or speak to an expert today. 

    FAQs

    What are the first signs of ransomware?

    The earliest signs of ransomware often include mass file renaming, unusual file extensions (such as .locked or .crypt), sudden spikes in CPU or disk usage, and disabled security tools. On the network side, look for unusual outbound traffic or connections to suspicious IPs.

    How can MSPs and IT teams detect ransomware early?

    Early detection relies on continuous monitoring across endpoints, logs, and networks. Automated rules can flag suspicious events such as:

    • Unauthorized PowerShell commands
    • Rapid file modifications within a short time window
    • RDP logins from unexpected geographies
    • Volume Shadow Copy deletions

    ConnectWise MDR provides 24/7 SOC support to validate these alerts, while SIEM correlates logs across systems to reduce false positives.

    Which tools are best for ransomware detection?

    A layered detection strategy is most effective:

    • EDR/MDR/XDR for endpoint process and file activity monitoring
    • SIEM for correlating events across applications, servers, and firewalls
    • IDS/IPS for network-level anomaly detection
    • Threat intelligence feeds for up-to-date indicators of compromise (IOCs)
    • Deception technology, such as honeypots and canary files, for proactive alerts

    ConnectWise combines these into a unified detection ecosystem, reducing complexity for MSPs and IT departments.

    Can ransomware be detected before encryption starts?

    Yes. Many ransomware strains perform pre-execution activities such as:

    • Attempting privilege escalation
    • Accessing LSASS memory to steal credentials
    • Creating scheduled tasks for persistence
    • Disabling antivirus or monitoring agents

    By monitoring these behaviors, ConnectWise SIEM and MDR can catch ransomware precursors before encryption occurs.

    What log events help detect ransomware?

    Key log sources include:

    • Windows event logs for login anomalies and process creation events
    • Sysmon logs for parent-child process chains (e.g., Word spawning PowerShell)
    • Firewall logs for outbound connections to suspicious IPs
    • File system logs for high-volume modifications or extension changes

    SIEM platforms such as ConnectWise ingest these logs and apply correlation rules to highlight ransomware-specific patterns.  

    How do automated detection rules help stop ransomware?

    Automated rules reduce dwell time by flagging known attack behaviors instantly. Examples include:

    • File rules: More than 500 modifications in 60 seconds
    • Process rules: PowerShell with encoded commands
    • Network rules: Outbound traffic to unknown or non-whitelisted IPs

    ConnectWise SIEM applies these rules at scale, while MDR SOC analysts filter out noise and escalate only verified threats.

    How do MSPs and IT teams automate ransomware response?

    Detection is only half the battle. Automation accelerates containment through:

    • Endpoint isolation to stop lateral spread
    • Firewall rules to block malicious IPs or domains
    • Account lockouts for compromised users
    • Recovery workflows that restore from immutable backups

    In the ConnectWise Asio platform, validated MDR alerts can automatically trigger these response playbooks.  

    What is the role of BCDR in ransomware detection and response?

    While business continuity and disaster recovery (BCDR) isn’t a detection tool, it plays a critical role in the response phase. Immutable backups and rapid restore capabilities ensure that even if encryption occurs, systems can be rolled back without paying ransom. ConnectWise BCDR integrates with MDR detection workflows so recovery can begin immediately after containment.

    What is the difference between ransomware detection and prevention?

    • Prevention: Reduces the attack surface with patching, backups, email security, and endpoint hardening.
    • Detection: Identifies ransomware attempts in progress using automated rules, behavioral analytics, and AI/ML anomaly detection.

    Both are essential. Prevention lowers the chance of compromise, but detection ensures rapid containment when ransomware bypasses defenses.

    How does ConnectWise help detect ransomware?

    ConnectWise offers:

    • Managed detection and response (MDR) with 24/7 SOC analysts validating alerts
    • SIEM for log ingestion and cross-environment correlation
    • Threat intelligence integration to catch emerging ransomware families
    • Automated workflows in the ConnectWise Asio platform to quarantine endpoints, block IPs, and initiate BCDR recovery

    This layered approach ensures ransomware is detected earlier, escalated faster, and contained automatically.
