Ransomware Notes bulk creation

Try in Splunk Security Cloud

Description

The following analytics identifies a big number of instance of ransomware notes (filetype e.g .txt, .html, .hta) file creation to the infected machine. This behavior is a good sensor if the ransomware note filename is quite new for security industry or the ransomware note filename is not in your ransomware lookup table list for monitoring.

• Type: Anomaly

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2021-03-12
• Author: Teoderick Contreras
• ID: eff7919a-8330-11eb-83f8-acde48001122

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1486	Data Encrypted for Impact	Impact

Kill Chain Phase

• Actions On Objectives

NIST

• DE.AE

CIS20

• CIS 10

CVE

Search

`sysmon` EventCode=11 file_name IN ("*\.txt","*\.html","*\.hta") 
|bin _time span=10s 
| stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer Image file_name 
| rename Computer as dest 
| where unique_readme_path_count >= 15 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `ransomware_notes_bulk_creation_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• sysmon

ransomware_notes_bulk_creation_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• EventCode
• file_name
• _time
• TargetFilename
• dest
• Image
• user

How To Implement

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Known False Positives

unknown

Associated Analytic Story

• Clop Ransomware
• DarkSide Ransomware
• BlackMatter Ransomware
• Chaos Ransomware
• LockBit Ransomware
• Rhysida Ransomware

RBA

Risk Score	Impact	Confidence	Message
81.0	90	90	A high frequency file creation of $file_name$ in different file path in host $dest$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft
• https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1