Detection rules › Splunk
Common Ransomware Notes
The following analytic detects the creation of files with names commonly associated with ransomware notes. It leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and response (EDR) tools or Sysmon logs. This activity is significant because ransomware notes indicate a potential ransomware attack, which can lead to data encryption and extortion. If confirmed malicious, this activity could result in significant data loss, operational disruption, and financial impact due to ransom demands. Note that this analytic relies on a lookup table (ransomware_notes_lookup) that contains known ransomware note file names. Ensure that this lookup table is regularly updated to include new ransomware note file names as they are identified in the threat landscape. Also this analytic leverages a sub-search to enhance performance. sub-searches have limitations on the amount of data they can return. Keep this in mind if you have an extensive list of ransomware note file names.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1485 Data Destruction |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: tstats
tstats WHERE 1=1 BY Filesystem.action, Filesystem.dest, Filesystem.file_access_time, Filesystem.file_create_time, Filesystem.file_hash, Filesystem.file_modify_time, Filesystem.file_name, Filesystem.file_path, Filesystem.file_acl, Filesystem.file_size, Filesystem.process_guid, Filesystem.process_id, Filesystem.user, Filesystem.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
1 | eq |
|