Ransomware detection and prevention with IBM Security QRadar SIEM
IBM Security® QRadar® SIEM helps detect ransomware before it can hold your data hostage
Request a demo
Person writing on whiteboard in office
Detect and respond to ransomware

Ransomware has become one of cybercrime’s strongest business models, costing organizations billions of dollars every year. In a ransomware attack, cybercriminals steal or encrypt valuable data and then demand payment for its safe return. These attacks have evolved from a consumer-level nuisance into sophisticated malware with advanced encryption abilities, and no single industry, geography or size of business is immune.

Protecting your organization from ransomware and other types of malware requires a quick response, because with every passing second, more files are encrypted and more devices are infected—driving up both the damage and the cost. IBM Security QRadar SIEM helps you detect these threats rapidly, so you can take immediate, informed action to prevent or minimize the effects of the attack.

Learn about the risk of ransomware

Register for The Definitive Guide to Ransomware 2023

Read the 2023 Cost of a Data Breach report

Get the QRadar SIEM solution brief
The threat of ransomware

In the battle against ransomware, early detection and prevention is essential. QRadar SIEM offers intelligent security analytics that give you actionable insight against critical threats.


24% of all cyberattacks are ransomware¹


The average cost of a ransomware attack is USD 5.13 million¹


Organizations with security AI and automation identified and contained a data breach 108 days faster¹

How QRadar SIEM helps protect against ransomware

Ransomware, like most malware, progress through several phases. QRadar SIEM can spot known and unknown ransomware across these phases. Early detection can help prevent damage done in later phases. QRadar provides content extensions that include hundreds of use cases to generate alerts across these phases. Content extensions are delivered through the App Exchange and provide the ability to get the latest use cases. IBM Security® X-Force® Threat Intelligence collections are used as references in use cases to help find the latest known indicators of compromise (IOC), such as IP addresses, malware file hashes, URLs and more.

Most “known” malware and ransomware can be found in the early phases. To detect unknown ransomware, QRadar SIEM provides use cases that focus on detecting ransomware behaviors. Visibility across endpoints, application servers (on premises and cloud) and network devices (firewalls) enables QRadar SIEM Use Case Manager to detect ransomware behavior patterns that span your IT and OT infrastructure. The Use Case Manager can help you visualize if you have use cases, or rules, that span these phases by using the MITRE ATT&CK matrix.

Distribution phase (MITRE ATT&CK tactics: Initial Access)

Ransomware looks like other malware during this phase. It is using phishing techniques to lure your unsuspecting employees to click on a link or executable in an email, Honeypot, social media or text message.

Example QRadar SIEM use cases to find distribution behaviors and known ransomware:

  • Executable embedded in email
  • Email or web communication with hostile host
  • Suspicious email subject

Infection phase (MITRE ATT&CK tactics: Execution, Persistence)

This is the moment the stopwatch starts. Ransomware is now in your environment. If the ransomware used a “dropper” to avoid detection in the distribution phase, this is when the dropper calls home and downloads the "real executable” and runs it.

Example QRadar SIEM use cases to find infection behaviors:

  • Detection of malicious file or process
  • Detection of malicious IOC
  • File decode or download followed by suspicious activity

Staging phase (MITRE ATT&CK tactics: Persistence, Privilege Escalation, Defense Evasion, Credential Access)

The ransomware is scanning the machine to analyze the administrative rights it could obtain, make itself run at boot, disable recovery mode, delete shadow copies, and more.

Example QRadar SIEM use cases to find staging behaviors:

  • Attempt to delete shadow copies, backups
  • Recovery disabled in boot configuration

Reconnaissance phase (MITRE ATT&CK tactics: Discovery, Lateral Movement, Collection)

Now that ransomware owns the machine from the starting phase, it will begin a phase of reconnaissance of the network (attack paths), folders and files with predefined extensions, and others.

Example QRadar SIEM use cases to find reconaissance behaviors:

  • Attempt to delete shadow copies, backups
  • Data transfer size limits
Endpoint monitoring essentials for QRadar

Encryption phase (MITRE ATT&CK tactics: Exfiltration, Impact)

The real damage begins now. Typical actions include: create a copy of each file, encrypt the copies, place the new files at the original location. The original files might be exfiltrated and deleted from the system, which allows the attackers to extort the victim with threats of making their breach public, or even to leak stolen documents. 

Example QRadar SIEM use cases to find encryption behaviors:

  • Excessive file deletion or creation
  • Suspicious amount of files renamed or moved on the same machine (UNIX)
  • Data transfer size limits
Need help to monitor data exfiltration?

Ransom notification

Damage is done and the user receives a notification on how to pay the ransom to obtain the decryption key. At this point there is not a lot more to detect, except for the decryption instruction file creation.

Example QRadar SIEM use cases to find ransom notification behaviors:

  • Ransomware decryption instruction created

Use Cases to find ransomware are available in the the following Content Extensions found on the App Exchange (link resides outside ibm.com):

Learn more about QRadar SIEM use cases for each phase
Planning for a ransomware attack

After the initial infection phase, time is critical. The sooner you detect, the sooner you can initiate your incident response (IR) plan. The better the IR plan, the quicker it is to stop ransomware from progressing through the phases. NIST (PDF, link resides outside ibm.com) and SANS (link resides outside ibm.com) have IR guidelines that have withstood the tests of time. There are a few key aspects of any IR plan.

Backups in place. Offline backs are critical in a ransomware attack. Make sure you understand where those backups are and how to restore your systems. Include the steps on who to contact for each of your critical IT assets in your IR process.

Teams, tools and roles identified. As ransonware progresses through its various phases from initial infection into encryption, the composition of the response team changes. This usually means more people across the organization need to get involved. Often, that may include using third-party services to help or, in the case of a breach, it may mean contacting legal, external regulators and customers. Knowing who to contact and when is critical. Keeping an up-to-date contact list is important, but integrating those contact roles into your process is vital to an effective response. Paper and PDFs are adequate, but having the right tools and automation that provides the entire team access to the ransomware response process, actions and historical documentation is key.

A well-defined process and automation. An IR process can contain many tasks and can include multiple decision points. It is a good practice to align your process with phases outlined by NIST and SANS. For example you can organize your IR process by the following phases:

  1. Discover and Identification
  2. Enrichment and Validation
  3. Containment and Remediation
  4. Recovery and Communication

QRadar SOAR provides playbooks to define your IR process and automate the many actions an analyst may need to execute to progress through the phases quickly. QRadar SOAR breach response can create the necessary regulator reporting tasks based on PI exposed.

Inventory of IT assets, owners, PI.  When a system is infected,  a security analyst needs to know the system owner and applications and data. Asset management solutions such as ServiceNow or SAP can help manage the contacts for systems. IBM Security® Discover and Classify can help find data sources and PI in each source. So in the event of a data breach, analysts know if any regulations are involved.

Learn more about planning for a ransomware attack
Case studies Enhancing city defense with threat intelligence

The city of Los Angeles, the LA Cyber Lab and IBM joined forces to deliver threat intelligence and strengthen vulnerable local businesses.

Speeding threat remediation with QRadar SIEM

Integrating data, analyzing logs and prioritizing incidents helps Vietnam's real estate investment and development firm detect and respond to threats.

Managing cybersecurity with combined IBM solutions

By hosting a QRadar SIEM solution on high-performance IBM FlashSystem® storage, Data Action (DA) offers improved security to alternative banks.

Related use cases

Threat detection from center to endpoint with QRadar SIEM protects your organization in a number of ways.

Threat hunting

Incorporate IBM Security cyberthreat hunting solutions into your security strategy to counter and mitigate threats more quickly.


Integrate compliance packs into QRadar SIEM to ensure compliance and automate reporting.

Threat detection

Stop cyberattacks fast with QRadar SIEM’s near-real-time threat detection. 

Take the next step

Schedule time to get a custom demonstration of QRadar SIEM or consult with one of our product experts.

Request a demo
More ways to explore Documentation Support Community Partners Resources