Detection: Common Ransomware Notes

Description

The following analytic detects the creation of files with names commonly associated with ransomware notes. It leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and response (EDR) tools or Sysmon logs. This activity is significant because ransomware notes indicate a potential ransomware attack, which can lead to data encryption and extortion. If confirmed malicious, this activity could result in significant data loss, operational disruption, and financial impact due to ransom demands. Note that this analytic relies on a lookup table (ransomware_notes_lookup) that contains known ransomware note file names. Ensure that this lookup table is regularly updated to include new ransomware note file names as they are identified in the threat landscape. Also this analytic leverages a sub-search to enhance performance. sub-searches have limitations on the amount of data they can return. Keep this in mind if you have an extensive list of ransomware note file names.

Search

 1
 2| tstats `security_content_summariesonly`
 3  count
 4  min(_time) as firstTime
 5  max(_time) as lastTime
 6  values(Filesystem.user) as user
 7  values(Filesystem.dest) as dest
 8  values(Filesystem.file_path) as file_path
 9from datamodel=Endpoint.Filesystem
10where [
11  
12| inputlookup ransomware_notes_lookup
13  
14| search status=true
15  
16| fields ransomware_notes
17  
18| dedup ransomware_notes
19  
20| rename ransomware_notes as Filesystem.file_name
21]
22by Filesystem.action Filesystem.dest Filesystem.file_access_time
23   Filesystem.file_create_time Filesystem.file_hash
24   Filesystem.file_modify_time Filesystem.file_name
25   Filesystem.file_path Filesystem.file_acl Filesystem.file_size
26   Filesystem.process_guid Filesystem.process_id Filesystem.user
27   Filesystem.vendor_product
28
29| `drop_dm_object_name(Filesystem)`
30
31| `security_content_ctime(lastTime)`
32
33| `security_content_ctime(firstTime)`
34
35| `common_ransomware_notes_filter`

Data Source

Name	Platform	Sourcetype	Source
Sysmon EventID 11	Windows	'XmlWinEventLog'	'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.

Known False Positives

There could be cases where a legitimate file coincidentally matches a known ransomware note name. In such cases, further investigation is required to determine the nature of the file and its context.

Associated Analytic Story

• Black Basta Ransomware

• Chaos Ransomware

• Clop Ransomware

• Hellcat Ransomware

• Interlock Ransomware

• LockBit Ransomware

• Medusa Ransomware

• NailaoLocker Ransomware

• Ransomware

• Rhysida Ransomware

• Ryuk Ransomware

• SamSam Ransomware

• Storm-0501 Ransomware

• Termite Ransomware

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 14