
Zimbabwe • 1 min read

Signs of a ransomware attack

Nov 06, 2025

Small and mid-size teams don’t need a SOC to catch early ransomware clues. Use this fast checklist to spot trouble before encryption kicks off.

TL;DR

If two or more signals appear together, escalate immediately and isolate affected devices. Don’t reboot or wipe—preserve evidence.

At a glance: login spikes, EDR disabled, weird extensions, backup fails, share perms, new tasks, server I/O maxed, unapproved tools, bounce flood, DNS anomalies, files won’t open.

Early warning signals

1) Unusual login spikes or off-hours access

Correlated failed logins, new geographies, legacy protocols lighting up.
Quick check: review Entra/Google sign-in logs for spikes and impossible travel.

2) AV/EDR disabled or logging tampered

Attackers often kill sensors first.
Quick check: look for “tamper protection disabled” or agents offline across multiple hosts.

3) Sudden file renames & odd extensions

Mass changes with unfamiliar extensions or ransom notes in every folder.
Quick check: sample a few shares for recent bulk renames.

4) Backup jobs failing or retention altered

Immutable flags disabled, delete policies added, or off-site copy missing.
Quick check: audit last 7 days of backup results and retention changes.

5) SMB/NTFS permission chaos

“Everyone” suddenly has write; service accounts newly granted broad rights.
Quick check: diff today’s share/ACLs against last week’s baseline.

6) New scheduled tasks or startup items

Persistence that isn’t in your golden image.
Quick check: export Task Scheduler / LaunchAgents / cron entries added today.

7) File server CPU/disk pegged

High I/O with rapid small-file writes during business hours.
Quick check: confirm on the server—avoid RDP’ing into endpoints unnecessarily.

8) Unapproved tools on endpoints

psexec, rclone, 7zip in odd paths; dual-use adminware appearing suddenly.
Quick check: inventory new executables created in the last 24 hours.

9) Email flood of “delivery failures”

Could indicate credential stuffing or exfil attempts using your mailbox.
Quick check: review send/receive logs for bursts and new forwarding rules.

10) DNS anomalies

Lookups to DGA-like domains, Tor gateways, or fresh domains at volume.
Quick check: filter DNS logs for entropy spikes / newly-seen domains.
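The DNS quick check above, worked through as an added example (not code from the original post): it scores the second-level label of each queried name by Shannon entropy and compares each name against a baseline of previously seen domains. The log lines, the baseline set, and the 3.5-bit / 10-character threshold are constructed assumptions for illustration; tune the threshold against your own week of normal traffic.

```python
import math
from collections import Counter

# Constructed sample DNS query log lines: "<timestamp> <client_ip> <queried_name>".
# The .example names are deliberately fictitious.
SAMPLE_DNS_LOG = """\
2025-11-06T09:00:01 10.0.0.12 mail.example.com
2025-11-06T09:00:03 10.0.0.12 login.microsoftonline.com
2025-11-06T09:00:05 10.0.0.21 xk3p9q7v2mzt8.example
2025-11-06T09:00:06 10.0.0.21 q8w1zr4ty6nb0.example
2025-11-06T09:00:07 10.0.0.21 7hj2kl9mn4pq5.example
2025-11-06T09:00:09 10.0.0.21 tor-gateway.example.org
2025-11-06T09:00:10 10.0.0.33 updates.example.com
"""

# Constructed baseline: domains seen in last week's logs.
BASELINE = {"mail.example.com", "login.microsoftonline.com", "updates.example.com"}

def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; random DGA-style labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(name: str) -> str:
    """Label left of the TLD, e.g. 'xk3p9q7v2mzt8' for xk3p9q7v2mzt8.example."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def triage_dns(log_text: str, baseline: set, entropy_threshold: float = 3.5) -> dict:
    """Per client: count newly-seen domains and high-entropy labels, keep examples."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, name = line.split()
        label = second_level_label(name)
        rec = findings.setdefault(client, {"new": 0, "high_entropy": 0, "examples": []})
        is_new = name not in baseline
        # Assumed heuristic: short labels cannot score high, so require length >= 10.
        high = len(label) >= 10 and shannon_entropy(label) >= entropy_threshold
        rec["new"] += is_new
        rec["high_entropy"] += high
        if is_new or high:
            rec["examples"].append(name)
    return findings

def clients_to_review(findings: dict) -> list:
    """Clients with at least one high-entropy lookup, sorted for the escalation note."""
    return sorted(c for c, rec in findings.items() if rec["high_entropy"] > 0)
```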

11) “Files won’t open”

Often the first human signal—treat seriously.
Quick check: verify on a copy of a sample file; avoid triggering more encryption.


What to do in the first hour

  1. Isolate suspected hosts
    VLAN/quarantine; disable Wi-Fi/Ethernet.
  2. Preserve evidence
    Don’t reboot/wipe; if trained, capture volatile data (process list, ARP, netstat).
  3. Check backup integrity
    Confirm recent restore points + immutability; lock down backup creds.
  4. Rotate credentials
    Start with privileged/service accounts; revoke stale tokens/app passwords.
  5. Communicate
    Brief leadership, assign an incident lead, activate playbook.

Preserve these artefacts

  • Endpoint: running processes, autoruns, new services/tasks, recent downloads, unusual admin tools.
  • Server: share permission diffs, file rename logs, backup/replication logs, recent admin sessions.
  • Identity: MFA disable events, password resets, sign-in risk, new app consents.
  • Network: firewall events, VPN sessions, DNS queries, proxy logs.
  • Cloud/SaaS: inbox rules, OAuth grants, audit logs for storage/mail.

When to call for help

If encryption has started, backups look compromised, or you see widespread credential abuse, escalate to an IR partner immediately.

