Detection: Common Ransomware Extensions

Description

The following analytic detects modifications to files with extensions commonly associated with ransomware. It leverages the Endpoint.Filesystem data model to identify changes in file extensions that match known ransomware patterns. This activity is significant because it suggests an attacker is attempting to encrypt or alter files, potentially leading to severe data loss and operational disruption. If confirmed malicious, this activity could result in the encryption of critical data, rendering it inaccessible and causing significant damage to the organization's data integrity and availability.

Search

1
2| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product 
3| `drop_dm_object_name(Filesystem)` 
4| rex field=file_name "(?<file_extension>\.[^\.]+)$" 
5| lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Extensions Name 
6| search Name !=False 
7| stats min(firstTime) as firstTime max(lastTime) as lastTime dc(file_path) as path_count dc(file_name) as file_count values(action) as action values(file_access_time) as file_access_time values(file_create_time) as file_create_time values(file_hash) as file_hash values(file_modify_time) as file_modify_time values(file_acl) as file_acl values(file_size) as file_size values(process_guid) as process_guid values(process_id) as process_id values(user) as user values(vendor_product) as vendor_product values(file_name) as file_name values(file_extension) as file_extension values(Name) as Name by dest 
8| where path_count > 1 OR file_count > 20 
9| `common_ransomware_extensions_filter`

Data Source

Name	Platform	Sourcetype	Source
Sysmon EventID 11	Windows	'xmlwineventlog'	'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review

Known False Positives

It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.

Associated Analytic Story

• Black Basta Ransomware

• Clop Ransomware

• LockBit Ransomware

• Medusa Ransomware

• Prestige Ransomware

• Ransomware

• Rhysida Ransomware

• Ryuk Ransomware

• SamSam Ransomware

• Termite Ransomware

Risk Based Analytics (RBA)

Risk Message:

The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $file_extension$ extension. This extension and behavior may indicate a $Name$ ransomware attack.

References

• https://github.com/splunk/security_content/issues/2448

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 13