Common Ransomware Notes
Description
The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.
- Type: Hunting
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2020-11-09
- Author: David Dorsey, Splunk
- ID: ada0f478-84a8-4641-a3f1-d82362d6bd71
Annotations
ATT&CK
ID | Technique | Tactic |
---|---|---|
T1485 | Data Destruction | Impact |
Kill Chain Phase
- Actions on Objectives
NIST
- PR.PT
- DE.CM
CIS20
- CIS 8
CVE
Search
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `ransomware_notes`
| `common_ransomware_notes_filter`
Macros
The SPL above uses the following Macros:
- security_content_summariesonly
- drop_dm_object_name
- security_content_ctime
- ransomware_notes
- common_ransomware_notes_filter
Note that common_ransomware_notes_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
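The following is an added example, not code from the page or from Splunk's security content, that re-creates the search's logic outside Splunk so the aggregation and the filter macro's role can be read end to end. It assumes a constructed watch-list in place of the `ransomware_notes` macro (whose real contents are not shown on this page), constructed file-creation events carrying the Endpoint.Filesystem fields the search uses, and a `row_filter` callable standing in for `common_ransomware_notes_filter`; the function and variable names are the example's own.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed watch-list standing in for the `ransomware_notes` macro. The real
# macro's contents are not on this page, so these names are illustrative only.
RANSOMWARE_NOTE_NAMES = {
    "readme_to_restore_files.txt",
    "how_to_decrypt.hta",
    "recover-my-files.html",
}

# Constructed file-creation events carrying the Endpoint.Filesystem fields the
# search relies on (_time is epoch seconds, as in Splunk).
SAMPLE_EVENTS = [
    {"_time": 1604908800, "user": "ACME\\jdoe", "dest": "ws-0173",
     "file_path": "C:\\Users\\jdoe\\Desktop\\readme_to_restore_files.txt",
     "file_name": "readme_to_restore_files.txt"},
    {"_time": 1604908860, "user": "ACME\\jdoe", "dest": "ws-0173",
     "file_path": "C:\\Users\\jdoe\\Documents\\README_TO_RESTORE_FILES.TXT",
     "file_name": "README_TO_RESTORE_FILES.TXT"},
    {"_time": 1604908900, "user": "ACME\\svc-backup", "dest": "fs-02",
     "file_path": "D:\\share\\how_to_decrypt.hta", "file_name": "how_to_decrypt.hta"},
    {"_time": 1604909000, "user": "ACME\\asmith", "dest": "ws-0044",
     "file_path": "C:\\Users\\asmith\\notes.txt", "file_name": "notes.txt"},
    {"_time": 1604909100, "user": "ACME\\it-admin", "dest": "ws-lab9",
     "file_path": "C:\\lab\\recover-my-files.html", "file_name": "recover-my-files.html"},
]


def security_content_ctime(epoch):
    """Render an epoch timestamp as readable UTC text, as the ctime macro does."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def hunt_ransomware_notes(events, note_names=RANSOMWARE_NOTE_NAMES,
                          row_filter=lambda row: True):
    """Mirror the tstats search: keep events whose file_name is on the watch-list,
    aggregate per file_name with count, firstTime, lastTime and the distinct
    user/dest/file_path values, then apply the filter macro's stand-in to the
    finished rows (row_filter returns True to keep a row; the default keeps all,
    matching the empty common_ransomware_notes_filter)."""
    groups = defaultdict(lambda: {"count": 0, "times": [],
                                  "user": set(), "dest": set(), "file_path": set()})
    for ev in events:
        # Lower-cased so the match is case-insensitive; this also merges case
        # variants into one row, which tstats `by file_name` would keep apart.
        name = ev["file_name"].lower()
        if name not in note_names:
            continue
        g = groups[name]
        g["count"] += 1
        g["times"].append(ev["_time"])
        g["user"].add(ev["user"])
        g["dest"].add(ev["dest"])
        g["file_path"].add(ev["file_path"])
    rows = []
    for name in sorted(groups):  # one row per file_name, like `by Filesystem.file_name`
        g = groups[name]
        rows.append({
            "file_name": name,
            "count": g["count"],
            "firstTime": security_content_ctime(min(g["times"])),
            "lastTime": security_content_ctime(max(g["times"])),
            "user": sorted(g["user"]),
            "dest": sorted(g["dest"]),
            "file_path": sorted(g["file_path"]),
        })
    return [row for row in rows if row_filter(row)]


def risk_message(row):
    """Fill the RBA message template from the page with one result row."""
    return ("A file - {} was written to disk on endpoint {} by user {}, this is indicative "
            "of a known ransomware note file and should be reviewed immediately."
            .format(row["file_name"], ", ".join(row["dest"]), ", ".join(row["user"])))


if __name__ == "__main__":
    # Suppress a known lab host the way an analyst would by editing the filter macro.
    not_lab = lambda row: "ws-lab9" not in row["dest"]
    for row in hunt_ransomware_notes(SAMPLE_EVENTS, row_filter=not_lab):
        print(row["count"], row["firstTime"], row["lastTime"], risk_message(row))
```

The filter is applied after aggregation, as the macro is in the SPL, so a suppression written against `dest` or `file_name` removes the whole row rather than individual events.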
Required field
- _time
- Filesystem.user
- Filesystem.dest
- Filesystem.file_path
- Filesystem.file_name
How To Implement
You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.
Known False Positives
It’s possible that a legitimate file could be created with the same name used by ransomware note files.
Associated Analytic story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
90.0 | 90 | 100 | A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware note file and should be reviewed immediately. |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 4