

The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.

  • Type: Hunting
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-11-09
  • Author: David Dorsey, Splunk
  • ID: ada0f478-84a8-4641-a3f1-d82362d6bd71


ID    | Technique        | Tactic
------|------------------|-------
T1485 | Data Destruction | Impact

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `ransomware_notes` 
| `common_ransomware_notes_filter`
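As an added illustration (not code from the Splunk page or its content library), the Python below reproduces the search's logic over constructed Endpoint.Filesystem events: aggregate per file_name, match against a stand-in for the `ransomware_notes` lookup, then apply a stand-in for `common_ransomware_notes_filter` after aggregation, which is where allowlisting interacts with the `by file_name` grouping. The note names, the allowlisted directory and the events are all constructed.

```python
from datetime import datetime, timezone

# Constructed stand-in for the `ransomware_notes` lookup macro: note file names
# the search matches on (illustrative names, not the page's actual lookup).
RANSOMWARE_NOTE_NAMES = {"how_to_decrypt_files.txt", "readme_for_decrypt.hta",
                         "restore_my_files.txt"}

# Constructed stand-in for `common_ransomware_notes_filter`: directories a
# deployment has vetted, e.g. a backup product that ships a "restore" readme.
ALLOWLISTED_DIRS = {"c:\\program files\\backuptool\\docs"}

# Constructed Endpoint.Filesystem events carrying the search's required fields.
EVENTS = [
    {"_time": 1604880000, "user": "CORP\\alice", "dest": "ws01",
     "file_path": "C:\\Users\\alice\\Documents", "file_name": "HOW_TO_DECRYPT_FILES.txt"},
    {"_time": 1604880060, "user": "CORP\\alice", "dest": "ws01",
     "file_path": "C:\\Users\\alice\\Pictures", "file_name": "HOW_TO_DECRYPT_FILES.txt"},
    {"_time": 1604880120, "user": "CORP\\bob", "dest": "ws02",
     "file_path": "C:\\Users\\bob\\Desktop", "file_name": "how_to_decrypt_files.txt"},
    {"_time": 1604880180, "user": "SYSTEM", "dest": "ws03",
     "file_path": "C:\\Program Files\\BackupTool\\docs", "file_name": "RESTORE_MY_FILES.txt"},
    {"_time": 1604880240, "user": "CORP\\carol", "dest": "ws04",
     "file_path": "C:\\Users\\carol\\Documents", "file_name": "budget.xlsx"},
]

def ctime(epoch):
    """Rough equivalent of `security_content_ctime`: epoch to readable UTC time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def hunt_ransomware_notes(events, notes=RANSOMWARE_NOTE_NAMES, allowed=ALLOWLISTED_DIRS):
    """Mirror the tstats search: aggregate by file_name, keep only names in the
    note lookup, then apply the false-positive filter to the aggregated rows."""
    rows = {}
    for ev in events:
        name = ev["file_name"].lower()  # NTFS names are case-insensitive
        if name not in notes:
            continue
        row = rows.setdefault(name, {"file_name": name, "count": 0,
                                     "firstTime": ev["_time"], "lastTime": ev["_time"],
                                     "user": set(), "dest": set(), "file_path": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
        for field in ("user", "dest", "file_path"):
            row[field].add(ev[field])
    # The filter runs after `by file_name`, so a row is dropped only when every
    # path seen for that name is allowlisted; one hit elsewhere keeps the row.
    return [r for r in rows.values()
            if not all(p.lower() in allowed for p in r["file_path"])]
```

Because the filter macro sees the aggregated row rather than individual events, a vetted path still surfaces in `file_path` whenever the same note name was also written somewhere unvetted; that is the behaviour to expect when tuning the filter.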

Associated Analytic Story

How To Implement

You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This node is typically populated via an endpoint detection-and-response (EDR) product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated from logs that report file-system reads and writes.

Required fields

  • _time
  • Filesystem.user
  • Filesystem.dest
  • Filesystem.file_path
  • Filesystem.file_name

Kill Chain Phase

  • Actions on Objectives

Known False Positives

It's possible that a legitimate file could be created with the same name used by ransomware note files.


Risk Score | Impact | Confidence | Message
-----------|--------|------------|--------
90.0       | 90     | 100        | A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware note file and should be reviewed immediately.


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 4