Common Ransomware Notes
Description
The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.
- Type: Hunting
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2020-11-09
- Author: David Dorsey, Splunk
- ID: ada0f478-84a8-4641-a3f1-d82362d6bd71
ATT&CK
| ID | Technique | Tactic |
|---|---|---|
| T1485 | Data Destruction | Impact |
Search
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `ransomware_notes`
| `common_ransomware_notes_filter`
Associated Analytic Story
How To Implement
You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.
Required field
- _time
- Filesystem.user
- Filesystem.dest
- Filesystem.file_path
- Filesystem.file_name
Kill Chain Phase
- Actions on Objectives
Known False Positives
It's possible that a legitimate file could be created with the same name used by ransomware note files.
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 90.0 | 90 | 100 | A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware note file and should be reviewed immediately. |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 4