Analytics Story: Ransomware Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches cover cloud-related objects that may be targeted by malicious actors using the cloud providers' own encryption features.

Why it matters

Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and variants of ransomware that can affect an enterprise. Cloud ransomware can be deployed by obtaining high-privilege credentials from targeted users or resources.

Detections

| Name | Technique | Type |
|---|---|---|
| O365 Threat Intelligence Suspicious File Detected | Malicious File | TTP |
| AWS Detect Users with KMS keys performing encryption S3 | Data Encrypted for Impact | Anomaly |
| AWS Detect Users creating keys with encrypt policy without MFA | Data Encrypted for Impact | TTP |
| O365 SharePoint Malware Detection | Malicious File | TTP |
| ASL AWS Detect Users creating keys with encrypt policy without MFA | Data Encrypted for Impact | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Office 365 Universal Audit Log | Other | o365:management:activity | o365 |
| AWS CloudTrail | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail CreateKey | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail PutKeyPolicy | AWS | aws:cloudtrail | aws_cloudtrail |
| ASL AWS CloudTrail | AWS | aws:asl | aws_asl |
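The logic behind the two "creating keys with encrypt policy without MFA" detections, as an added example that is not part of the Splunk content itself: it walks CloudTrail CreateKey and PutKeyPolicy records (the data sources listed above) and flags those whose calling session lacks MFA and whose key policy grants kms:Encrypt. The account ID, principal names and events are constructed sample data, and the function names are this example's own.

```python
import json

# Constructed sample CloudTrail events (not real telemetry). Field names follow the CloudTrail
# schema: userIdentity.sessionContext.attributes.mfaAuthenticated is the string "true"/"false".
def key_policy(actions):
    return json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": actions, "Resource": "*"}]})

def event(name, arn, mfa, policy):
    return {"eventSource": "kms.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn, "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}},
            "requestParameters": {"policy": policy}}

ACCT = "arn:aws:iam::111122223333:user/"  # placeholder account, not a real one
SAMPLE_EVENTS = [
    event("CreateKey", ACCT + "alice", "true", key_policy(["kms:Encrypt", "kms:GenerateDataKey"])),
    event("CreateKey", ACCT + "bob", "false", key_policy(["kms:Encrypt", "kms:GenerateDataKey"])),
    event("PutKeyPolicy", ACCT + "bob", "false", key_policy("kms:*")),
    event("CreateKey", ACCT + "carol", "false", key_policy("kms:DescribeKey")),
    event("DescribeKey", ACCT + "carol", "false", None),
]

def policy_allows_encrypt(policy_text):
    """True if any Allow statement grants kms:Encrypt, directly or through a wildcard."""
    statements = json.loads(policy_text).get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]  # single statement form
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions  # Action may be a bare string
        if stmt.get("Effect") == "Allow" and any(a in ("kms:Encrypt", "kms:*", "*") for a in actions):
            return True
    return False

def find_unmfa_encrypt_key_events(events):
    """(eventName, callerArn) for CreateKey/PutKeyPolicy calls made without MFA that grant encryption."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or ev.get("eventName") not in ("CreateKey", "PutKeyPolicy"):
            continue
        # sessionContext is absent for long-term access keys, which also means no MFA was used
        attrs = ev.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
        if attrs.get("mfaAuthenticated") == "true":
            continue  # MFA-backed session: outside this detection's scope
        policy = ev.get("requestParameters", {}).get("policy") or "{}"  # CreateKey may omit a policy
        if policy_allows_encrypt(policy):
            hits.append((ev["eventName"], ev["userIdentity"]["arn"]))
    return hits

if __name__ == "__main__":
    for name, arn in find_unmfa_encrypt_key_events(SAMPLE_EVENTS):
        print(f"ALERT: {name} without MFA by {arn}")
```

Running it over the constructed events reports only bob's CreateKey and PutKeyPolicy calls; alice's MFA-backed session and carol's non-encrypting policy are not flagged.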

Source: GitHub | Version: 2