How to Spot Early Signs of Ransomware Before Encryption (Without a SOC Team)

24/02/2026 · FortiSense

By the time files start encrypting, you've already lost.

The real question isn't whether you can stop ransomware once it starts executing: it's whether you can see it coming early enough to do something about it.

Most small IT teams run Windows Defender (or similar endpoint protection) and hope for the best. Defender blocks known threats. It's good at that. But it doesn't give you the visibility to spot pre-ransomware behaviour: the suspicious patterns that emerge hours or days before encryption begins.

This isn't negligence. It's the default.

The gap between "blocking malware" and "seeing what's happening on your endpoints" is where ransomware thrives. And you don't need a Security Operations Centre to close it: you just need to know what to look for.

What ransomware looks like before encryption

Ransomware doesn't appear out of nowhere. There's a reconnaissance phase. A lateral movement phase. Operators test access, disable protections, and map out your network.

All of this creates signals.

Here's what you should be watching for:

1. Suspicious RDP activity

Remote Desktop Protocol is one of the most common entry points for ransomware. Attackers either brute-force credentials or buy compromised logins on the dark web.

[Image: dashboard showing suspicious RDP login attempts from multiple locations before a successful ransomware breach]

Watch for:

  • Failed login attempts from unfamiliar IP addresses

  • Successful logins outside normal hours (especially on servers)

  • RDP connections from geographic locations where your organisation doesn't operate

  • Multiple failed attempts followed by a successful login (credential stuffing)

If you're seeing unexpected RDP activity on a server at 2 AM, that's not your team working late.

2. Unusual execution paths

Ransomware often runs from unusual locations: temporary directories, user download folders, or hidden system paths. It doesn't launch from C:\Program Files like legitimate software.

Look for processes executing from:

  • %TEMP% or %APPDATA% folders

  • User Downloads or Desktop folders

  • Newly created directories in system root

  • Suspicious script interpreters (PowerShell, WScript) running with unusual arguments

Modern ransomware also uses living-off-the-land techniques: abusing legitimate administration and red-team tools such as PsExec, WMI, or Cobalt Strike to avoid detection. These tools aren't malicious on their own, but when they appear on endpoints that never used them before, it's worth investigating.
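As an added example (not FortiSense's code), this PowerShell snapshot applies the checks above to the processes running on one machine: an image path under a temporary or user-writable folder, or a script host started with arguments that rarely appear in normal admin use. The root list and argument list are assumptions of mine; tune them against what your own endpoints normally run.

```powershell
# Added example, not FortiSense code. Lists running processes that match the two
# "unusual execution path" signals from the article. Run in an elevated shell so the
# command line and image path of other users' processes are visible.
function Get-SuspiciousProcess {
    param(
        # Folders ransomware commonly stages in (assumed list; %TEMP%, %APPDATA%, Downloads, Desktop)
        [string[]]$Roots = @('\AppData\Local\Temp\', '\AppData\Roaming\', '\Downloads\', '\Desktop\', '\Windows\Temp\'),
        # Script interpreters the article calls out, plus the other common Windows script hosts
        [string[]]$ScriptHosts = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'),
        # Arguments that are unusual for interactive admin work (assumed list, lower-case)
        [string[]]$OddArgs = @('-enc', '-encodedcommand', '-w hidden', '-windowstyle hidden', 'downloadstring', 'invoke-expression', 'iex ')
    )
    foreach ($p in Get-CimInstance Win32_Process) {
        $path = $p.ExecutablePath
        if (-not $path) { continue }                    # protected/system processes expose no path
        $leaf = [System.IO.Path]::GetFileName($path).ToLower()
        $cmd  = if ($p.CommandLine) { $p.CommandLine.ToLower() } else { '' }
        $reasons = @()
        foreach ($r in $Roots) { if ($path -like "*$r*") { $reasons += "runs from $r" } }
        if ($leaf -in $ScriptHosts) {
            foreach ($a in $OddArgs) { if ($cmd.Contains($a)) { $reasons += "script host with '$a'" } }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Pid     = $p.ProcessId
                Name    = $p.Name
                Path    = $path
                Parent  = $p.ParentProcessId            # check what launched it (Office? a browser?)
                Started = $p.CreationDate
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousProcess | Format-Table -AutoSize
```

Expect some noise on first run (updaters and chat clients legitimately live under %APPDATA%); record those as your baseline and investigate anything new.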

3. Resource spikes (CPU and network)

Encryption is computationally expensive. So is exfiltrating data before locking it.

Before ransomware encrypts files, you'll often see:

  • Sudden CPU or disk usage spikes from unfamiliar processes

  • High network traffic when no one is actively working

  • Unusual outbound connections to unfamiliar IP addresses or domains

  • Memory usage creeping up without a clear cause

If a server that normally sits at 15% CPU suddenly jumps to 80% overnight, and the process responsible isn't familiar, investigate immediately.

[Image: monitoring dashboard displaying CPU and network usage spikes indicating early ransomware activity]

4. Changes to security tooling

Attackers know Defender and antivirus tools will flag them eventually. So they often try to disable or tamper with protections before deploying ransomware.

Watch for:

  • Windows Defender suddenly turning off (or signature updates failing)

  • Security software being uninstalled or stopped

  • Event logs being cleared regularly or unexpectedly

  • Firewall rules being modified without authorisation

If your antivirus stops updating, that's not a licence renewal issue: it's a red flag.

5. Unexpected admin tools appearing

Ransomware operators often install Remote Monitoring and Management (RMM) tools to maintain persistent access. These tools are legitimate (MSPs use them daily), but when they appear on endpoints without your approval, it's a problem.

Be suspicious of:

  • AnyDesk, TeamViewer, or ScreenConnect installed without IT approval

  • PsExec or other SysInternals tools on endpoints that never needed them

  • Network scanning utilities (Nmap, Advanced IP Scanner)

  • Credential dumping tools (Mimikatz, LaZagne)

If you didn't install it, and your team didn't request it, find out why it's there.

The visibility gap

Here's the challenge: most endpoint protection tools don't surface this information in a way that's useful to a solo IT generalist.

Defender blocks malware. It doesn't alert you when RDP fails five times then succeeds. It doesn't flag processes running from unusual paths unless they match a known signature. It doesn't tell you a server's CPU spiked at 3 AM.

This leaves you flying blind between "malware blocked" and "ransomware encrypting files."

What FortiSense does differently

Rather than asking "Is this file malicious?", FortiSense asks: "Is this behaviour suspicious?"

It monitors execution paths, resource usage, network connections, and login activity across your endpoints: then surfaces explainable alerts when something doesn't look right.

[Image: endpoint monitoring system showing real-time security alerts across servers and workstations]

For example:

  • A process launches from %TEMP% on a server that normally runs nothing but scheduled tasks → Alert

  • RDP login at 2 AM from an IP address you've never seen before → Alert

  • CPU usage spikes to 90% on a workstation that's usually idle overnight → Alert

  • Windows Defender signature updates fail for three consecutive days → Alert

The alerts aren't cryptic threat scores. They're plain-English explanations of what happened, why it's suspicious, and what you should check next.

This is visibility without requiring a SOC team to interpret it.

Practical steps you can take today

Even without FortiSense, you can start building baseline awareness:

Enable basic logging:

  • Turn on logon auditing so the Security log in Event Viewer records RDP logons (Event ID 4624 for success, 4625 for failure)

  • Enable PowerShell script block logging

  • Monitor Windows Defender's Protection History regularly

Establish what "normal" looks like:

  • Document which servers should have RDP enabled

  • Note typical CPU and network usage during off-hours

  • List authorised admin tools and remote access software

Set up simple alerts:

  • Use Task Scheduler or PowerShell scripts to email you when RDP fails repeatedly

  • Monitor for processes launching from %TEMP% or Downloads folders

  • Check weekly whether Defender signatures are updating

Review endpoint activity weekly:

  • Scan login history for unfamiliar IPs

  • Check installed software for unexpected tools

  • Look for processes you don't recognise

This won't give you real-time detection, but it's better than discovering ransomware only when files stop opening.
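The "Set up simple alerts" step above, as an added example that is not FortiSense's code: a PowerShell script you can run daily from Task Scheduler that looks for the fails-then-succeeds RDP pattern and for Defender going stale or being switched off. It assumes logon auditing is already enabled, that it runs as an administrator, and that the SMTP details at the end are replaced with your own.

```powershell
# Added example, not FortiSense code: a scheduled check for two of the "simple alerts".
# Assumes logon auditing is on (so 4624/4625 reach the Security log) and admin rights.
param(
    [int]$Hours = 24,                # how far back to look
    [int]$FailureThreshold = 5,      # "fails five times then succeeds"
    [int]$MaxSignatureAgeDays = 3    # "signature updates fail for three consecutive days"
)

$alerts = @()
$since  = (Get-Date).AddHours(-$Hours)

# 4625 = failed logon, 4624 = successful logon. Pull the fields we need out of the event XML.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue
$records = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; User = $data['TargetUserName']; SourceIp = $data['IpAddress']; LogonType = $data['LogonType'] }
}

# Group by source address; local logons report '-' and are skipped. With NLA, RDP failures
# are logged as LogonType 3, so failures are counted regardless of type; a success counts
# if it is an RDP (10) or network (3) logon from the same address after the first failure.
$remote = $records | Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' }
foreach ($g in ($remote | Group-Object SourceIp)) {
    $fails = @($g.Group | Where-Object { $_.Id -eq 4625 } | Sort-Object Time)
    if ($fails.Count -lt $FailureThreshold) { continue }
    $win = $g.Group | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in '3','10' -and $_.Time -gt $fails[0].Time } | Select-Object -First 1
    if ($win) {
        $alerts += "RDP: $($fails.Count) failed logons from $($g.Name), then success as '$($win.User)' at $($win.Time)"
    }
}

# Defender health: real-time protection off or stale signatures is the
# "changes to security tooling" signal. Get-MpComputerStatus ships with the Defender module.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    if (-not $mp.RealTimeProtectionEnabled) { $alerts += 'Defender: real-time protection is OFF' }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) { $alerts += "Defender: signatures are $($mp.AntivirusSignatureAge) days old" }
} else {
    $alerts += 'Defender: Get-MpComputerStatus returned nothing (module missing or Defender disabled)'
}

if ($alerts.Count -eq 0) { Write-Output "No alerts in the last $Hours hours."; return }
$body = $alerts -join "`n"
Write-Output $body
# To mail it from Task Scheduler, replace the placeholder addresses and server with your own:
# Send-MailMessage -To 'it@example.com' -From 'alerts@example.com' -SmtpServer 'smtp.example.com' -Subject 'Endpoint alerts' -Body $body
```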

Closing thoughts

You don't need a massive security budget or a 24/7 SOC to spot ransomware before it encrypts your files.

You need visibility into the patterns that precede encryption: and the ability to investigate them before it's too late.

Defender has a place. It blocks known threats. But it doesn't tell you when something suspicious is happening that doesn't match a signature yet.

FortiSense fills that gap. It monitors endpoint behaviour, surfaces early warning signals, and explains what you're seeing in plain English: so you can act before ransomware gets to the encryption phase.

If you're curious, you can try FortiSense free for 14 days. No SOC required. No commitment. Just visibility.

Want early access?

Join Founders Access for beta features and direct support during development.
