Session
Contain, Recover, Survive: A Frontline View of Pre-Ransomware Tactics and Forensics
Ransomware is often the final act. Long before encryption begins, threat groups like Scattered Spider are already inside, abusing identities, exploiting tools, disabling defenses, and staging their attack. This session shares real-world containment and recovery lessons from pre-ransomware intrusions based on direct, hands-on response experience.
We will cover tactical containment such as revoking sessions, resetting Kerberos, disabling SSO and SSH, isolating ESXi from Active Directory, and securing backup infrastructure. Cloud containment will include removing Azure root-level roles, restricting PowerShell, and shutting down persistence like self-service password resets.
All insights will be mapped to MITRE ATT&CK so attendees can align behaviors with actionable strategies. We will also share critical hardening steps to reduce dwell time, limit business interruption, and avoid crisis-mode improvisation.
Engagement timelines and lessons learned from coordinated responses with external teams including the FBI will be highlighted. Attendees will leave with containment playbook recommendations, recovery sequencing strategies, and techniques to improve response precision under pressure.
Whether on the blue team, leading incident response, or advising executives, this session will help you build the muscle memory to contain faster and recover smarter before the ransom note ever appears.
Michael Rogers
Michael Rogers is a Managing Director of Technical Advisory Services at MOXFIVE, where he provides strategic advisory services and solutions to large enterprises during and after impactful incidents.
Tampa, Florida, United States