How Proactive Threat Hunting Stopped INC Ransom Before the Alert
by Craig Fretwell, Global Head of Cybersecurity Operations, Rackspace Technology

A real-world threat hunting engagement shows how INC Ransom activity was uncovered early, before alerts fired and before ransomware could take hold.
Modern security operations rely heavily on automated detection. Alerts, analytics and automated responses play a critical role in identifying known threats and responding at speed. But even the most mature security operations center cannot account for every possible adversary behavior.
That gap is where proactive threat hunting becomes essential. Threat hunting is designed to surface malicious activity that does not yet meet the threshold of an incident. This is the kind of activity that blends into normal operations, avoids known detection logic or unfolds slowly over time. If you rely only on alerts, this behavior is easy to miss.
A recent threat hunting engagement conducted by the Rackspace Cyber Defense Center demonstrates exactly why this capability matters.
Safeguarding critical emergency communications
The environment in question belonged to a government services organization that supports critical emergency communications. Availability, reliability and trust were non-negotiable. Any service disruption, particularly one caused by ransomware, would have had immediate operational and public safety implications.
Like many organizations operating critical services, this environment relied on standard preventative controls and alerting to identify known threats. At the time of the engagement, there were no active incidents, no high-severity alerts and no visible signs of compromise.
That was precisely the point. The absence of alerts did not indicate the absence of risk. It created an opportunity to look deeper for adversary behavior that had not yet reached an alerting threshold.
A proactive, analyst-led threat hunt
As part of a scheduled, analyst-led threat hunting exercise, the Rackspace Cyber Defense Center conducted a focused review of identity, endpoint and network telemetry collected over the prior month. The hunt assumed potential compromise and intentionally looked beyond alert-based detections.
If you’re responsible for a mature security environment, this type of threat hunt may feel counterintuitive. There was no incident to respond to and no alert demanding investigation. Instead, analysts worked from the premise that not all adversary activity announces itself. The goal was to identify behaviors that should not exist, even when controls appear to be working as expected.
Rather than responding to known indicators, analysts searched for adversary behaviors aligned to the MITRE ATT&CK framework. This included techniques commonly associated with ransomware activity, such as credential abuse, unauthorized remote access, lateral movement and early-stage prepositioning.
This hunt was not driven by an incident. Instead, it was driven by intent and the understanding that early-stage adversary behavior is often easiest to find before it becomes an alert.
Focusing on the INC Ransom threat group
The threat hunt focused on tradecraft associated with INC Ransom, a globally active ransomware and data extortion group that has been operating since at least mid-2023. The group has been linked to attacks against public sector organizations and critical services, often relying on credential compromise, Living off the Land techniques and the abuse of legitimate remote access tools before moving to encryption or extortion.
If you are responsible for defending a complex environment, this kind of activity may sound familiar. These techniques are designed to blend in. They rely on tools and access patterns that can appear legitimate, especially in environments with diverse users and administrative workflows.
At the time of the hunt, there were no dedicated detections in place tuned specifically to INC Ransom’s early-stage behaviors. That gap proved critical. It meant adversary activity could progress quietly, without triggering alerts, unless someone was actively looking for it.
What the hunt uncovered before impact
The threat hunt did not surface a single obvious indicator. Instead, it revealed a pattern of early-stage adversary behavior unfolding across identity, endpoint and network telemetry. Individually, each signal was subtle. Taken together, they pointed to an active intrusion progressing toward ransomware execution.
Because analysts weren’t constrained by alert thresholds, they were able to identify these behaviors early, before encryption, data exfiltration or service disruption occurred. The findings fell into several key areas.
Identity and authentication abuse
Analysis of authentication telemetry revealed cleartext authentication events associated with a legitimate user account. This activity deviated from established baselines and suggested potential credential exposure. Correlation with logon timing and source infrastructure elevated the risk assessment.
Unauthorized account activity and RDP access
Threat hunting analysis identified unauthorized RDP logon activity tied to an unapproved user account. The account did not align with documented access requirements or operational usage patterns. Session attributes and originating infrastructure were inconsistent with normal administrative behavior.
Unauthorized remote access tooling
Endpoint execution telemetry revealed the presence of an unapproved remote access tool, AnyDesk.exe. Installation and execution context indicated unauthorized use rather than sanctioned administrative activity. The organization confirmed that only approved remote access tools were permitted within the environment.
Network-based pre-impact indicators
Proactive network analysis identified multiple malicious external IP addresses generating high-volume inbound traffic that was initially permitted at the application layer. In addition, ransomware-related artifacts, including README.txt and README.html files, were observed originating from suspicious external infrastructure.
While encryption had not yet occurred, these indicators aligned with known INC Ransom pre-impact behavior.
Viewed in isolation, none of these findings would necessarily indicate an active ransomware event. Together, they revealed a clear trajectory toward impact.
This is where proactive threat hunting proved decisive. By identifying low-signal behaviors early and connecting them across telemetry sources, analysts were able to surface attacker intent before the environment reached an incident threshold.
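The correlation step described above, as an added illustration in Python (not Rackspace's tooling, queries or data): each hunt rule on its own is low-signal, and a host is escalated only when its findings span more than one telemetry source. The allow-lists, host and account names, and the sample events are all constructed for the example.

```python
# Correlate low-signal hunt findings across identity, endpoint and network
# telemetry. Illustrative only; rules, baselines and events are constructed.
from collections import defaultdict
from ntpath import basename  # sample events carry Windows paths

# Baselines assumed for the example, not taken from the original post.
APPROVED_RDP_USERS = {"admin.ops"}
APPROVED_REMOTE_TOOLS = {"rmm.exe"}
KNOWN_REMOTE_TOOLS = {"anydesk.exe", "rmm.exe"}    # lower-cased image names
RANSOM_NOTE_NAMES = {"readme.txt", "readme.html"}  # artifacts named in the post
INTERNAL_PREFIXES = ("10.",)                       # crude internal-range baseline
HIGH_VOLUME_BYTES = 1_000_000

EVENTS = [  # constructed sample telemetry; 203.0.113.9 is a TEST-NET-3 address
    {"src": "identity", "host": "ws-17", "user": "j.doe", "auth": "cleartext", "ip": "203.0.113.9"},
    {"src": "identity", "host": "ws-17", "user": "svc-temp", "logon_type": "rdp", "ip": "203.0.113.9"},
    {"src": "endpoint", "host": "ws-17", "image": r"C:\Users\svc-temp\AnyDesk.exe"},
    {"src": "network", "host": "ws-17", "direction": "inbound", "ip": "203.0.113.9", "bytes": 5_000_000},
    {"src": "endpoint", "host": "ws-17", "file": r"C:\Share\README.html"},
    {"src": "identity", "host": "ws-02", "user": "admin.ops", "logon_type": "rdp", "ip": "10.0.5.4"},
]

def evaluate(ev):
    """Return the names of the hunt rules one event trips."""
    hits = []
    if ev.get("auth") == "cleartext":
        hits.append("cleartext_auth")
    if ev.get("logon_type") == "rdp" and ev["user"] not in APPROVED_RDP_USERS:
        hits.append("unapproved_rdp_logon")
    image = basename(ev.get("image", "")).lower()
    if image in KNOWN_REMOTE_TOOLS and image not in APPROVED_REMOTE_TOOLS:
        hits.append("unapproved_remote_tool")
    if basename(ev.get("file", "")).lower() in RANSOM_NOTE_NAMES:
        hits.append("ransom_note_artifact")
    if (ev.get("direction") == "inbound" and ev.get("bytes", 0) > HIGH_VOLUME_BYTES
            and not ev["ip"].startswith(INTERNAL_PREFIXES)):
        hits.append("high_volume_external_inbound")
    return hits

def hunt(events):
    """Collect (telemetry source, rule) findings per host."""
    findings = defaultdict(set)
    for ev in events:
        for rule in evaluate(ev):
            findings[ev["host"]].add((ev["src"], rule))
    return dict(findings)

def escalate(findings, min_sources=2):
    """Hosts whose findings span several sources: no single signal is an incident,
    but together they show a trajectory toward impact."""
    return sorted(h for h, f in findings.items()
                  if len({src for src, _ in f}) >= min_sources)
```

Run against EVENTS, `hunt` reports only `ws-17`, with findings from identity, endpoint and network telemetry, and `escalate` surfaces it; the approved administrator's RDP session on `ws-02` trips nothing.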
Containment before disruption
Once the activity was identified, containment actions were taken quickly and in close coordination with the customer. The focus was on stopping adversary progression without disrupting normal operations.
Key actions included:
- Disabling unauthorized user accounts associated with suspicious authentication and RDP activity
- Blocking malicious external IP addresses at perimeter and cloud security layers
- Removing unauthorized remote access tooling after customer validation
- Sharing confirmed Indicators of Compromise to strengthen environment-wide prevention and monitoring
Following containment, analysts conducted a review of subsequent telemetry to validate remediation. No continued malicious activity was observed.
Most importantly, the threat was stopped before it reached impact. No ransomware encryption occurred. No data was exfiltrated. No service disruption was experienced.
Closing the gaps between alerts
This engagement highlights a practical reality of modern security operations. Not all malicious activity generates alerts, and not all compromises begin with a clear incident.
Ransomware groups increasingly rely on low-noise techniques that unfold gradually. They abuse legitimate credentials, use approved tools and blend into normal operational workflows. In environments that depend primarily on automated detection, this activity can persist unnoticed until attackers reach later stages such as encryption or extortion.
Proactive threat hunting is designed to close these gaps. By looking for behavior that falls outside expected patterns, analysts can identify adversary activity earlier, validate whether controls are working as intended and uncover blind spots that automated detections do not address.
In this case, threat hunting surfaced adversary behavior that would likely have remained invisible until the environment reached an incident threshold.
How Rackspace helps
Threat hunting is a core part of Rackspace Managed XDR and is delivered through the Rackspace Cyber Defense Center powered by Microsoft Sentinel. It is not treated as a one-off exercise or an escalation step. It is an ongoing, analyst-led capability designed to work alongside detection and response.
If you rely primarily on alerts to understand risk in your environment, threat hunting provides a necessary counterbalance. Analysts actively search for emerging adversary behavior that automated logic may miss, using evidence drawn from identity, endpoint and network telemetry.
By combining deep security expertise with continuous analysis across these data sources, Rackspace helps you identify risk earlier, validate whether controls are operating as intended and strengthen cyber resilience without waiting for an alert to fire.