Acting swiftly is essential to stopping ransomware attacks before they can cause serious harm, according to new insights from Cisco Talos, which says that organisations responding to detection system alerts within two hours – or engaging Talos IR (Incident Response) within one to two days – were able to prevent ransomware from being deployed in one-third of the analysed cases.
Early warnings from external partners such as national cybersecurity agencies also played a critical role in helping organisations disrupt attacks at an early stage.
These insights are drawn from an in-depth analysis of so-called pre-ransomware incidents, based on two and a half years of incident response data collected by Talos IR between January 2023 and June 2025.
Early indicators of ransomware
Pre-ransomware incidents occur when attackers have already gained a foothold in an environment – elevating privileges, abusing remote access, and stealing credentials – but have not yet started encryption. At this stage Talos regularly observes patterns such as remote access tool use, credential harvesting, and network reconnaissance. Tracking these early-stage signals as a distinct category of incident, rather than only reacting once encryption begins, lets organisations respond faster and strengthen their defences before the final payload is deployed.
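To make the three indicator classes above concrete, here is an added detection example that is not part of the Talos report or of any Cisco product: it correlates remote access tool launches, credential-harvesting behaviour (a process opening LSASS) and network reconnaissance (one host fanning out to many distinct internal destinations) over a constructed endpoint log, and flags any host that shows at least two of the three inside a two-hour window, the response time the report highlights. The log format, the list of remote access tool binaries, the scan threshold and the window length are all assumptions chosen for illustration.

```python
"""
Added example (not from the Talos report or Cisco): correlate pre-ransomware
indicators -- remote access tool use, credential harvesting and network
reconnaissance -- across a constructed endpoint log and flag hosts that show
two or more of them within a short window.  Log format, tool names and
thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed set of remote management binaries an attacker might drop for persistence.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "splashtop-streamer.exe",
}
# Assumed: this many distinct internal destinations from one host = reconnaissance.
RECON_DST_THRESHOLD = 20
# Correlation window; two hours mirrors the response time discussed above.
WINDOW = timedelta(hours=2)

# Constructed sample log (not real telemetry): "<iso-timestamp> <host> <event> <detail>"
SAMPLE_LOG = [
    "2025-03-04T01:12:05 WS-017 process_start anydesk.exe",
    "2025-03-04T01:25:40 WS-017 process_access target=lsass.exe access=0x1010",
    "2025-03-04T02:00:00 SRV-ADM process_start anydesk.exe",        # lone RMM use, not flagged
    "2025-03-04T09:00:00 WS-017 process_start notepad.exe",         # uninteresting
] + [
    # 25 distinct destinations on port 445 within 25 seconds: a scan pattern
    f"2025-03-04T01:40:{i:02d} WS-017 net_connect dst=10.0.0.{5 + i}:445"
    for i in range(25)
]


def classify(line):
    """Map one log line to (timestamp, host, indicator_kind, detail).

    indicator_kind is one of 'remote_access_tool', 'credential_harvesting',
    'net_connect' (raw connection, turned into 'network_recon' by counting)
    or None when the line is not interesting.
    """
    ts, host, event, detail = line.split(" ", 3)
    t = datetime.fromisoformat(ts)
    if event == "process_start" and detail.lower() in REMOTE_ACCESS_TOOLS:
        return t, host, "remote_access_tool", detail
    if event == "process_access" and "target=lsass.exe" in detail:
        return t, host, "credential_harvesting", detail
    if event == "net_connect":
        return t, host, "net_connect", detail.split("dst=", 1)[1]
    return t, host, None, detail


def correlate(lines, window=WINDOW, recon_threshold=RECON_DST_THRESHOLD):
    """Return {host: sorted list of indicator kinds} for hosts with >= 2 kinds
    observed inside any single window starting at one of the host's events."""
    per_host = defaultdict(list)
    for t, host, kind, detail in sorted((classify(l) for l in lines), key=lambda e: e[0]):
        if kind is not None:
            per_host[host].append((t, kind, detail))

    findings = {}
    for host, events in per_host.items():
        for t0, _, _ in events:
            in_window = [e for e in events if t0 <= e[0] <= t0 + window]
            kinds = {k for _, k, _ in in_window if k != "net_connect"}
            # Reconnaissance is a count of distinct destinations, not a single event.
            destinations = {d for _, k, d in in_window if k == "net_connect"}
            if len(destinations) >= recon_threshold:
                kinds.add("network_recon")
            if len(kinds) >= 2 and len(kinds) > len(findings.get(host, ())):
                findings[host] = sorted(kinds)
    return findings


if __name__ == "__main__":
    for host, kinds in correlate(SAMPLE_LOG).items():
        print(f"PRE-RANSOMWARE CANDIDATE {host}: {', '.join(kinds)}")
```

Only WS-017 is reported; SRV-ADM, which merely launched a remote access tool, stays below the two-indicator bar, which is the point of correlating categories rather than alerting on any single one. In a real deployment the same logic would sit on EDR or SIEM telemetry, with the tool list and thresholds tuned to what is normal for the environment.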
Effective security measures
Robust security solutions and well-defined access restrictions often make a significant difference. In several cases, attacks were stopped because security software not only generated alerts, but also automatically blocked or quarantined suspicious files. Carefully scoped access rights and comprehensive logging also helped prevent malicious actors from reaching critical systems and made effective forensic investigation possible. When responses were delayed, however, attackers were more likely to succeed in encrypting systems or deleting backups.
Talos recommends keeping systems and software up to date, storing backups offline, implementing multi-factor authentication (MFA) widely, and training employees to recognise phishing and other attacks.
“South African organisations are high-value ransomware targets, so while speed is a key security perimeter, true protection will come from addressing basic security gaps, implementing proactive defences, and leveraging collaborations with trusted partners,” says Nabeel Rajab, technical solutions architect at Cisco South Africa.