Detection: Common Ransomware Extensions

Updated Date: 2026-01-19 ID: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec Author: David Dorsey, Michael Haag, Splunk, Steven Dick Type: TTP Product: Splunk Enterprise Security

Description

The following analytic detects modifications to files with extensions commonly associated with ransomware. It leverages the Endpoint.Filesystem data model to identify changes in file extensions that match known ransomware patterns. This activity is significant because it suggests an attacker is attempting to encrypt or alter files, potentially leading to severe data loss and operational disruption. If confirmed malicious, this activity could result in the encryption of critical data, rendering it inaccessible and causing significant damage to the organization's data integrity and availability.

Search

 1
 2| tstats `security_content_summariesonly` 
 3  min(_time) as firstTime 
 4  max(_time) as lastTime 
 5  count latest(Filesystem.user) as user 
 6        values(Filesystem.file_path) as file_path 
 7  from datamodel=Endpoint.Filesystem
 8  where NOT Filesystem.file_name IN (
 9    "*.bat",
10    "*.cmd",
11    "*.com",
12    "*.cpl",
13    "*.dll",
14    "*.doc",
15    "*.docx",
16    "*.exe",
17    "*.gif",
18    "*.jar",
19    "*.jpeg",
20    "*.jpg",
21    "*.js",
22    "*.lnk",
23    "*.pif",
24    "*.png",
25    "*.ppt",
26    "*.pptx",
27    "*.ps1",
28    "*.psm1",
29    "*.scr",
30    "*.sys",
31    "*.txt",
32    "*.vbs",
33    "*.wsf",
34    "*.xls",
35    "*.xlsx"
36  )
37  by Filesystem.action Filesystem.dest
38     Filesystem.file_access_time Filesystem.file_create_time 
39     Filesystem.file_hash Filesystem.file_modify_time
40     Filesystem.file_name Filesystem.file_path 
41     Filesystem.file_acl Filesystem.file_size
42     Filesystem.process_guid Filesystem.process_id 
43     Filesystem.user Filesystem.vendor_product
44
45| `drop_dm_object_name(Filesystem)` 
46
47| rex field=file_name "(?<file_extension>(\.[^\.]+){1,2})$"
48
49| lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Extensions Name 
50
51| search Name !=False 
52
53| stats min(firstTime) as firstTime 
54        max(lastTime) as lastTime 
55        dc(file_path) as path_count 
56        dc(file_name) as file_count 
57        values(action) as action 
58        values(file_access_time) as file_access_time 
59        values(file_create_time) as file_create_time 
60        values(file_hash) as file_hash 
61        values(file_modify_time) as file_modify_time
62        values(file_acl) as file_acl 
63        values(file_size) as file_size 
64        values(file_path) as file_path 
65        values(process_guid) as process_guid 
66        values(process_id) as process_id 
67        values(user) as user 
68        values(vendor_product) as vendor_product 
69        values(file_name) as file_name 
70        values(file_extension) as file_extension 
71        values(Name) as Name 
72  by dest 
73
74| where path_count > 1 OR file_count > 20 
75
76| `common_ransomware_extensions_filter`

Data Source

Name	Platform	Sourcetype	Source
Sysmon EventID 11	Windows	`'XmlWinEventLog'`	`'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'`

Macros Used

Name	Value
security_content_summariesonly	`summariesonly=`summariesonly_config `allow_old_summaries=`oldsummaries_config `fillnull_value=`fillnull_config``
common_ransomware_extensions_filter	`search *`

common_ransomware_extensions_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1485	Data Destruction	Impact

Actions on Objectives

DE.CM

CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Notable	Yes
Rule Title	`%name%`
Rule Description	`%description%`
Notable Event Fields	user, dest
Creates Risk Event	True

This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Mission Control Queue

Known False Positives

It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $file_extension$ extension. This extension and behavior may indicate a $Name$ ransomware attack.

Risk Object	Risk Object Type	Risk Score	Threat Objects
dest	system	90	No Threat Objects
user	user	90	No Threat Objects

References

https://github.com/splunk/security_content/issues/2448

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 17