Can You See Ransomware Coming? Run This Vision Check.
See what your tools aren’t showing you—yet
- These days, the question isn’t whether you’ll be targeted by ransomware—it’s whether you’ll spot it in time.
- But gaps in visibility won’t just slow operations. They’ll open the door for lateral movement, data theft and millions lost in recovery and downtime.
- To break ahead, you’ll need to think like an attacker: Inspect every aspect of your environment for blind spots and anticipate far beyond their next move.
In Q1 of 2025, ransomware attacks surged 46% (oof), while median dwell time in ransomware cases came in at five days in 2024. With many strikes happening after hours, defenders find themselves with less time to respond before APTs wreak serious havoc. As the window shrinks, pressure rises across every industry. Whether you’re an enterprise or an SMB, ransomware doesn’t discriminate, which is likely its only virtue, and an unfortunate one. And much like its diverse targets, its tactics are getting more complex and harder to detect.
Just last month, our elite team of Symantec and Carbon Black Threat Hunters uncovered Fog ransomware using an unusual toolset, potentially hinting at targeted espionage with cash extortion as their side hustle (as if spying wasn’t bad enough). These obscure combos and unexpected behaviors point to uniquely chained, sophisticated tactics, techniques and procedures (TTPs) becoming the new norm.
And the effects are serious. In June, the Qilin ransomware gang exposed nearly 40,000 Social Security numbers and disrupted publishing operations for Lee Enterprises, causing $2 million in recovery costs and widespread revenue losses.
The fight against ransomware calls for round-the-clock monitoring and detection, but you can’t protect what you can’t see. Use this checklist to help you uncover what your current visibility shows and, more importantly, what it doesn’t.
7 ways to see what attackers hope you miss
In today’s battlefield, you need better visibility into the tools, people and pathways threat actors love to exploit. Here’s where to start.
Enhance identity visibility before attackers slip in
Stolen credentials remain the most common initial access vector for breaches, with ransomware present in 44% of breaches in 2024. But early visibility into access patterns and credential use helps block lateral movement before attackers can even dream of launching encryption. Here’s what to do:
- Tailor policy-based access controls to match your compliance needs, without relying on one-size-fits-all solutions.
- Monitor privileged accounts, MFA activity and any login anomalies across hybrid environments.
Watch how endpoints behave (not just what runs)
Endpoints are ground zero. Without visibility into how applications and processes behave, ransomware can spread unnoticed. And because endpoints are often the most diverse and loosely managed part of the environment—rife with overlooked assets, outdated systems and inconsistent controls—they can be a hotbed for cybercriminal activity.
- Identify any overlooked assets like legacy systems and containers. When done with a complete Data Loss Prevention (DLP) solution, this can help eliminate easy hiding spots for bad actors.
- Apply monitoring and controls to your applications to allow only trusted applications to run, block the rest and shrink your attack surface.
Shed light on your network to spot lateral movement early
If you can’t see how ransomware moves through your network, you can’t stop it. Ask yourself: is lateral movement being fully monitored—or just at the perimeter?
- Use deep inspections and advanced analytics to expose threats between segments, not just at the edge.
- Make use of real-time inspection across your entire network. Security Service Edge (SSE) solutions (especially ones integrated with SWG, ZTNA and CASB) can help here by monitoring traffic across users, apps and data flows, no matter where they live.
Extend visibility to cloud workloads or anywhere your data lives
Ransomware will hunt down your data, wherever it lives or moves. If you’re not watching your cloud closely, your apps are open for hunting season. Human error, behind 95% of data breaches, makes cloud workflows especially vulnerable.
- Don’t overlook any risky activity happening between apps, users and data, and scan for malicious content and misconfigurations before attackers can exploit them.
- Equip your teams with DLP to secure your sensitive assets and cloud-hosted applications.
Watch your data like a hawk (that never blinks)
We all know data is the prize, so taking your eyes off it? Bad move. You’ll want continuous visibility into how your data moves, who’s accessing it and whether it’s breaking any rules.
- Track sensitive data in transit and at rest to catch policy violations or exfiltration fast.
- Keep data classified to simplify flagging abnormal data access, enforce policies and reduce false positives.
Look at the bigger picture when monitoring communication
Email is still one of ransomware’s top entry points, and all it takes is one missed warning sign to let the bad guys in. Visibility across every layer of communication (even the small stuff) can prevent that first domino from falling.
- Scan for abnormal user behaviors that might indicate phishing, spoofing (including echospoofing that bypasses authentication) and malicious attachments.
- Encrypt messages in transit, even when recipients don’t use PGP, PDP or S/MIME, with password-protected PDFs or secure web portal delivery.
Stay ahead of attackers before they reach you
Attackers constantly update their playbooks to break through yesterday’s defenses. Staying current with their latest tactics can help you better visualize the full attack kill chain and cut them off before they can escalate.
- Track how they use built-in tools for living off the land (LOTL) techniques (a favorite of villains everywhere) to evade traditional detection.
- Observe attack patterns to predict their next moves instead of chasing isolated alerts.
- Follow the latest and greatest threat intelligence, delivered by the Symantec and Carbon Black Threat Hunters.
We take on the toughest trials, so you don’t have to
At Symantec and Carbon Black, our combined portfolio's been battle-tested and proven. Named one of America’s Best Cybersecurity Companies for 2025 by Newsweek and Statista, we deliver tested, tried and true solutions that outperform competitors in the real world, where it matters most.
Our award-winning solutions speak for themselves:
- Symantec and Carbon Black’s legendary endpoint protections earned SE Labs’ top AAA rating for 100% detection of 556 ransomware payloads and full attack chain visibility.
- Symantec DLP’s advanced content detection, seamless integrations and powerful APIs have earned it numerous accolades, including a position in the Leaders category in the 2025 IDC MarketScape for Worldwide DLP and a Top Player in The Radicati Group's Data Loss Prevention - Market Quadrant 2025.
- Our award-winning partnership with Google enables SSE that’s 100X the bandwidth of competing solutions.
The bottom line: your organization needs visibility you can trust. Watch this recent webinar for a closer look into the latest in Incident Prediction, the first AI-powered weapon that can predict the enemy’s next four or five moves with 100% confidence.