title: Ransomware Pre-Deployment Staging Indicators (THREAT-Ransomware-StagingIndicators)
id: df00tech-threat-ransomware-stagingindicators
status: experimental
description: "The hours before ransomware deployment follow a repeatable pattern regardless of group: network share enumeration, credential dumping, impairment of detection tooling, and staging of the ransomware binary in accessible locations. The NCSC UK 2025 threat report identified Akira, Black Basta, and Play as the most active ransomware groups targeting UK SMBs. The staging sequence typically occurs within 1-48 hours before encryption begins, which creates a detection window. Key indicators: (1) net use or net share enumeration across the network; (2) vssadmin.exe or wmic delete shadowstorage (shadow copy deletion, the final indicator before encryption); (3) setup of remote execution tooling (PsExec, PAExec, WMI, WinRM) in preparation for domain-wide payload deployment; (4) large file transfers or newly created staging directories; (5) AV/EDR impairment attempts. This detection targets the staging window before encryption; an alert here is the last opportunity to prevent the encryption event itself."
references:
  - https://attack.mitre.org/techniques/THREAT-Ransomware-StagingIndicators/
  - https://df00tech.com/detections/THREAT-Ransomware-StagingIndicators
author: df00tech
date: 2026/04/24
tags:
  - attack.threat-ransomware-stagingindicators
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
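  # --- Added example (not the df00tech KQL/SPL query referenced above, and not part of the original rule) ---
  # A process_creation starting point built only from the indicators listed in the description.
  # Field names (Image, CommandLine, ParentImage) and modifiers (endswith, contains, contains|all)
  # follow the standard Sigma process_creation taxonomy; the exact strings are assumptions to be
  # tuned per environment. To use it, uncomment the selections below and replace the
  # 'condition: selection' line above with the commented condition at the end.
  #
  # selection_shadow_delete:           # indicator (2): vssadmin / wmic shadow copy deletion
  #   Image|endswith:
  #     - '\vssadmin.exe'
  #     - '\wmic.exe'
  #   CommandLine|contains|all:
  #     - 'delete'
  #     - 'shadow'                     # matches 'delete shadows' and 'delete shadowstorage'
  # selection_share_enum:              # indicator (1): net use / net view / net share enumeration
  #   Image|endswith:
  #     - '\net.exe'
  #     - '\net1.exe'
  #   CommandLine|contains:
  #     - ' view'
  #     - ' share'
  #     - ' use'
  # selection_remote_exec:             # indicator (3): PsExec / PAExec / WMI / WinRM remote execution
  #   - Image|endswith:
  #       - '\PsExec.exe'
  #       - '\PsExec64.exe'
  #       - '\PAExec.exe'
  #   - ParentImage|endswith:          # children spawned by the remote-execution service side
  #       - '\PSEXESVC.exe'
  #       - '\PAExec.exe'
  #       - '\WmiPrvSE.exe'
  #       - '\wsmprovhost.exe'
  # condition: 1 of selection_*
  #
  # Shadow copy deletion alone warrants the 'critical' level; the enumeration and remote-execution
  # selections fire on routine administration (see falsepositives) and are better correlated with
  # each other or with selection_shadow_delete on the same host within the 1-48 hour staging window.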
falsepositives:
  - "Legitimate IT backup tools (Veeam, Acronis, Backup Exec) that use vssadmin to manage shadow copies"
  - System administrators using net view/net share for legitimate inventory
  - PsExec used by IT staff for remote administration or software deployment during maintenance windows
  - "Endpoint management platforms (SCCM, Qualys, Tanium) that invoke WMI remote execution for patch deployment"
  - Security testing by authorised penetration testers (shadow copy deletion should be excluded from scope)
level: critical
