Acting quickly is essential to stopping ransomware attacks before they can cause serious harm, according to insights from Cisco Talos. Organizations responding to detection system alerts within two hours, or engaging Talos IR (Incident Response) within one to two days, were able to prevent ransomware from being deployed in one third of the analyzed cases. Early warnings from external partners, such as national cybersecurity agencies, also played a critical role in helping organizations disrupt attacks at an early stage.
These insights are drawn from an in-depth analysis of so-called pre-ransomware incidents, based on over two and a half years of incident response data collected by Talos IR between January 2023 and June 2025.
Early Indicators of Ransomware
Pre-ransomware incidents occur when attackers have infiltrated a system—gaining elevated privileges, exploiting remote access, and stealing credentials—but have not yet started encryption. Talos regularly sees patterns like remote access tool use, credential harvesting, and network reconnaissance at this stage. By identifying these signals separately, organizations can respond faster and strengthen defenses.
Effective Security Measures
Robust security solutions and well-defined access restrictions often make a significant difference. In several cases, attacks were stopped because security software not only generated alerts but also automatically blocked or quarantined suspicious files. Carefully applied access rights and comprehensive logging also helped prevent malicious actors from accessing critical systems and allowed for effective forensic investigations. However, when responses were delayed, attackers had a greater chance of encrypting systems or deleting backups.
Talos recommends keeping systems and software up to date, storing backups offline, implementing multi-factor authentication (MFA) widely, and training employees to recognise phishing and other attacks.
Nabeel Rajab, Technical Solutions Architect at Cisco South Africa, says:
“South African organisations are high-value ransomware targets, so while speed is a key security perimeter, true protection will come from addressing basic security gaps, implementing proactive defenses, and leveraging collaborations with trusted partners.”
Read the full analysis here: https://blog.talosintelligence.com/stopping-ransomware-before-it-starts/