Common Ransomware Notes

Description

The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Ransomware

Alert Volume

The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Impact

MITRE ATT&CK Techniques

Data Destruction

Data Destruction

MITRE Threat Groups

APT38
Lazarus Group
Sandworm Team

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

   Help

Common Ransomware Notes Help

You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.

   Search

Open in Search