Marius Sandbu Windows Ransomware Detection And Protection: Work

| Phase | Observable (Windows Event Log) | Detection Logic |
|-------|-------------------------------|-----------------|
| Recon | 5145 (network share enumeration) + 4624 (anomalous logon from non-corporate IP) | Time-based anomaly: user accessing 50+ shares in 5 minutes |
| Lateral movement | 5140 (SMB share accessed) followed by 4688 with schtasks.exe /create | Remote task creation immediately after share mount |
| Ransomware execution | 4688 with vssadmin.exe delete shadows + bcdedit /set | Volume shadow copy deletion + boot config modification |
| Encryption | 4656 (many DELETE or ENCRYPTION file handles) + 5145 (share write spike) | File handle activity > 500/sec from single process |
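The four rows of the table, and the shadow-copy-plus-write-burst correlation that the Sentinel query below expresses in KQL, can be exercised offline against a handful of synthetic Security-log records. The following is an added example, not code from the original post or from Marius Sandbu; the event dictionaries, hostnames, user, share names and timestamps are all constructed, and the thresholds (50 shares in 5 minutes, schtasks within 60 seconds of a share mount, 300 write handles within 60 seconds of a vssadmin delete) follow the table and the query rather than any vendor default.

```python
"""Correlation rules for the four ransomware phases in the table above.

Added example with constructed events; nothing here is real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 9, 0, 0)          # constructed base timestamp

RECON_SHARES = 50                            # distinct shares per user (table row 1)
RECON_WINDOW = timedelta(minutes=5)
LATERAL_WINDOW = timedelta(seconds=60)       # share mount -> schtasks /create (row 2)
FILEOPS_THRESHOLD = 300                      # write handles per process (KQL rule)
FILEOPS_WINDOW = timedelta(seconds=60)
WRITE_MASK = 0x12019F                        # FILE_WRITE_DATA | FILE_APPEND_DATA, as in the KQL


def _ev(secs, **fields):
    """Build one event dict with TimeGenerated offset from T0 (constructed data)."""
    return {"TimeGenerated": T0 + timedelta(seconds=secs), **fields}


SAMPLE_EVENTS = (
    # Recon: logon from a non-corporate IP, then 60 distinct shares in ~4 minutes
    [_ev(0, EventID=4624, Computer="FS01", User="jdoe", SourceIp="203.0.113.9")]
    + [_ev(4 * i, EventID=5145, Computer="FS01", User="jdoe",
           Share=f"\\\\FS01\\dept{i:02d}") for i in range(60)]
    # Lateral movement: ADMIN$ mounted, schtasks /create 12 s later on the same host
    + [_ev(600, EventID=5140, Computer="WS07", User="jdoe", Share="\\\\WS07\\ADMIN$"),
       _ev(612, EventID=4688, Computer="WS07", User="jdoe", Process="schtasks.exe",
           CommandLine="schtasks.exe /create /tn upd /tr c:\\temp\\a.exe /sc once",
           ProcessId="0x1a4")]
    # Execution + encryption: shadow copies deleted, then 350 write handles in 35 s
    + [_ev(900, EventID=4688, Computer="WS07", User="jdoe", Process="vssadmin.exe",
           CommandLine="vssadmin.exe delete shadows /all /quiet", ProcessId="0x2f0")]
    + [_ev(905 + i // 10, EventID=4656, Computer="WS07", ProcessId="0x2f0",
           AccessMask="0x12019f") for i in range(350)]
)


def detect_recon(events, corporate_prefixes=("10.", "192.168.")):
    """Row 1: 4624 logon from a non-corporate IP plus 50+ distinct shares (5145) in 5 min."""
    external_users = {e["User"] for e in events
                      if e["EventID"] == 4624
                      and not e["SourceIp"].startswith(corporate_prefixes)}
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 5145 and e["User"] in external_users:
            by_user[e["User"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["TimeGenerated"])
        best, start = 0, 0
        for end in range(len(evs)):           # sliding 5-minute window
            while evs[end]["TimeGenerated"] - evs[start]["TimeGenerated"] > RECON_WINDOW:
                start += 1
            best = max(best, len({x["Share"] for x in evs[start:end + 1]}))
        if best >= RECON_SHARES:
            hits.append((user, best))
    return hits


def detect_lateral_movement(events):
    """Row 2: 5140 share access followed within 60 s by 4688 schtasks.exe /create, same host."""
    mounts = [e for e in events if e["EventID"] == 5140]
    hits = []
    for e in events:
        if (e["EventID"] != 4688 or "schtasks" not in e.get("Process", "").lower()
                or "/create" not in e.get("CommandLine", "").lower()):
            continue
        for m in mounts:
            delta = e["TimeGenerated"] - m["TimeGenerated"]
            if m["Computer"] == e["Computer"] and timedelta(0) <= delta <= LATERAL_WINDOW:
                hits.append((e["Computer"], e["User"], int(delta.total_seconds())))
    return hits


def detect_shadow_delete_with_encryption_burst(events):
    """Rows 3-4 / the KQL rule: vssadmin delete shadows (4688) joined to >300 write
    handles (4656) from the same Computer+ProcessId within the following 60 s."""
    handles = defaultdict(list)
    for e in events:
        if e["EventID"] == 4656 and int(e.get("AccessMask", "0"), 16) == WRITE_MASK:
            handles[(e["Computer"], e["ProcessId"])].append(e["TimeGenerated"])
    hits = []
    for e in events:
        cmd = e.get("CommandLine", "").lower()
        if e["EventID"] != 4688 or "vssadmin" not in cmd or "delete shadows" not in cmd:
            continue
        t0 = e["TimeGenerated"]
        ops = sum(1 for t in handles[(e["Computer"], e["ProcessId"])]
                  if t0 <= t <= t0 + FILEOPS_WINDOW)
        if ops > FILEOPS_THRESHOLD:
            hits.append((e["Computer"], e["ProcessId"], ops))
    return hits


if __name__ == "__main__":
    print("recon:", detect_recon(SAMPLE_EVENTS))
    print("lateral:", detect_lateral_movement(SAMPLE_EVENTS))
    print("shadow+burst:", detect_shadow_delete_with_encryption_burst(SAMPLE_EVENTS))
```

Two details matter when moving this onto real logs. Event 4688 carries both a New Process ID and a Creator Process ID, so the join key for the burst rule must be the ID of the process that actually ran vssadmin.exe, not its parent; and the access mask in a live 4656 record is whatever the audit policy and the requesting application produce, so normalising it as an integer (as the code does) is safer than comparing strings with or without leading zeros.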

Marius Sandbu, a prominent voice in Windows security and Azure Arc, consistently emphasizes a hard truth: true protection requires a defense-in-depth loop of Prevent → Detect → Respond → Recover.

Don’t hunt for *.encrypted; hunt for deleted shadow copies plus high file rename activity within 60 seconds. KQL (Kusto) example for Microsoft Sentinel:

```kql
Event
| where EventID == 4688
| where Process contains "vssadmin.exe" and CommandLine contains "delete shadows"
| join kind=inner (
    Event
    | where EventID == 4656
    | where AccessMask == "0x0012019f"   // FILE_WRITE_DATA | FILE_APPEND_DATA
    | summarize FileOps = count() by Computer, ProcessId, bin(TimeGenerated, 1m)
    | where FileOps > 300
) on Computer, ProcessId
| project TimeGenerated, Computer, User, ParentProcess, CommandLine
```

4. Recovery: The Immutable Escape Hatch

Detection means nothing if backups can be encrypted or deleted.

Ransomware isn't getting smarter; it’s getting quieter. Modern human-operated ransomware (e.g., LockBit, BlackCat, Royal) doesn’t rely on noisy macros or sprawling worms. It leverages living-off-the-land (LotL) binaries, credential theft, and delayed execution.
