Common Ransomware Notes
- source: splunk
- techniques:
- T1485
Description
The following analytic detects the creation of files with names commonly associated with ransomware notes. It leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and response (EDR) tools or Sysmon logs. This activity is significant because ransomware notes indicate a potential ransomware attack, which can lead to data encryption and extortion. If confirmed malicious, this activity could result in significant data loss, operational disruption, and financial impact due to ransom demands. Note that this analytic relies on a lookup table (ransomware_notes_lookup) that contains known ransomware note file names; ensure that this lookup table is regularly updated to include new ransomware note file names as they are identified in the threat landscape. Also note that this analytic uses a sub-search to improve performance, and sub-searches are limited in the amount of data they can return. Keep this limit in mind if you have an extensive list of ransomware note file names.
Detection logic
| tstats `security_content_summariesonly`
count
min(_time) as firstTime
max(_time) as lastTime
values(Filesystem.user) as user
values(Filesystem.dest) as dest
values(Filesystem.file_path) as file_path
from datamodel=Endpoint.Filesystem
where [
| inputlookup ransomware_notes_lookup
| search status=true
| fields ransomware_notes
| dedup ransomware_notes
| rename ransomware_notes as Filesystem.file_name
]
by Filesystem.action Filesystem.dest Filesystem.file_access_time
Filesystem.file_create_time Filesystem.file_hash
Filesystem.file_modify_time Filesystem.file_name
Filesystem.file_path Filesystem.file_acl Filesystem.file_size
Filesystem.process_guid Filesystem.process_id Filesystem.user
Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `common_ransomware_notes_filter`
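The same logic as the search above, as an added Python example (not part of the Splunk content) run over constructed events: the sub-search becomes a filter on the lookup (status=true, dedup), and the tstats aggregation becomes count/firstTime/lastTime/values per group. The lookup rows and note file names below are constructed placeholders, not real ransomware note names, and the grouping is reduced to dest and file_name for brevity (the SPL groups by additional Filesystem fields).

```python
from collections import defaultdict

# Constructed stand-in for ransomware_notes_lookup; the note names are placeholders.
RANSOMWARE_NOTES_LOOKUP = [
    {"ransomware_notes": "EXAMPLE_RANSOM_NOTE.txt", "status": "true"},
    {"ransomware_notes": "EXAMPLE_RANSOM_NOTE.txt", "status": "true"},  # duplicate row, removed by dedup
    {"ransomware_notes": "RETIRED_NOTE_NAME.hta", "status": "false"},   # disabled entry, excluded by status=true
    {"ransomware_notes": "EXAMPLE_HOW_TO_DECRYPT.html", "status": "true"},
]

# Constructed Endpoint.Filesystem-style events (e.g. Sysmon file-create events normalised by the data model).
FILESYSTEM_EVENTS = [
    {"_time": 1700000000, "action": "created", "dest": "ws01", "user": "CORP\\alice",
     "file_name": "EXAMPLE_RANSOM_NOTE.txt", "file_path": "C:\\Users\\alice\\Documents\\EXAMPLE_RANSOM_NOTE.txt"},
    {"_time": 1700000005, "action": "created", "dest": "ws01", "user": "CORP\\alice",
     "file_name": "EXAMPLE_RANSOM_NOTE.txt", "file_path": "C:\\Users\\alice\\Pictures\\EXAMPLE_RANSOM_NOTE.txt"},
    {"_time": 1700000010, "action": "created", "dest": "ws02", "user": "CORP\\bob",
     "file_name": "report.docx", "file_path": "C:\\Users\\bob\\report.docx"},
    {"_time": 1700000020, "action": "created", "dest": "ws03", "user": "CORP\\carol",
     "file_name": "RETIRED_NOTE_NAME.hta", "file_path": "C:\\Temp\\RETIRED_NOTE_NAME.hta"},
]


def active_note_names(lookup):
    """Mirror the sub-search: inputlookup | search status=true | fields | dedup."""
    return sorted({row["ransomware_notes"] for row in lookup if row["status"] == "true"})


def detect_ransomware_notes(events, lookup):
    """Mirror the tstats: keep events whose file_name is in the sub-search result,
    then emit count, firstTime, lastTime and the distinct user/file_path values per group."""
    names = set(active_note_names(lookup))
    groups = defaultdict(list)
    for ev in events:
        if ev["file_name"] in names:  # equivalent of the `where [ ... ]` clause
            groups[(ev["dest"], ev["file_name"])].append(ev)
    results = []
    for (dest, file_name), evs in sorted(groups.items()):
        results.append({
            "dest": dest, "file_name": file_name, "count": len(evs),
            "firstTime": min(e["_time"] for e in evs),
            "lastTime": max(e["_time"] for e in evs),
            "user": sorted({e["user"] for e in evs}),
            "file_path": sorted({e["file_path"] for e in evs}),
        })
    return results


if __name__ == "__main__":
    for row in detect_ransomware_notes(FILESYSTEM_EVENTS, RANSOMWARE_NOTES_LOOKUP):
        print(row)
```

Because the disabled lookup row is dropped, the RETIRED_NOTE_NAME.hta event on ws03 does not alert; only ws01 is reported, with both paths collapsed into one result row.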