Ransomware Extensions

Description

This example queries your endpoint data to find the encrypted files that ransomware creates. Because most families use a consistent extension, you can often use that extension to identify the ransomware affecting a given endpoint.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

Low

SPL Difficulty

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Execution

MITRE ATT&CK Techniques

User Execution

MITRE Threat Groups

APT12
APT19
APT28
APT29
APT32
APT33
APT37
APT39
BRONZE BUTLER
Cobalt Group
Dark Caracal
DarkHydrus
Darkhotel
Dragonfly 2.0
Elderwood
FIN4
FIN7
FIN8
Gallmaker
Gorgon Group
Lazarus Group
Leviathan
Machete
Magic Hound
MuddyWater
Night Dragon
OilRig
PLATINUM
Patchwork
Rancor
Silence
TA459
TA505
The White Company
Turla
admin@338
menuPass

Kill Chain Phases

Actions on Objectives

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

This search requires Sysmon to be installed on your endpoints with the Sysmon add-on installed on your forwarders and search heads. Common ransomware extensions and the associated ransomware families are located in the ransomware_extensions.csv lookup file. You can update this list to reflect the latest intelligence without the need to modify the search.

Known False Positives

None at the moment

How To Respond

When this search fires, start your incident response process for a ransomware infection. Check for recent backups of the systems affected by the infection.

Help

Ransomware Extensions Help

This use case is designed to query your endpoint data to look for encrypted files that ransomware creates. Most ransomware families use a consistent extension for the encrypted files they generate, so you can use those extensions to identify the ransomware affecting a given endpoint.

SPL for Ransomware Extensions

Demo Data

First we load our Sysmon demo data.
From Sysmon data, we care primarily about file writes (event code 11, FileCreate) or file creation time changes (event code 2), so we filter for those.
Next we use the rex command to extract file extensions using a moderately complex regular expression.
Now that we have our file extensions, we want to look them up. Splunk can look up data in a CSV file through the lookup command. This takes the file extension we just extracted, looks it up in the CSV file, and adds any matching fields to the event.
The field returned by the lookup is "Name", so we can now search for any event with a populated Name field.
And finally we pull out all the filenames and put them into a usable format via the stats command.

Live Data

First we load our Sysmon data. We care primarily about file writes (event code 11, FileCreate) or file creation time changes (event code 2), so we filter for those.
Next we use the rex command to extract file extensions using a moderately complex regular expression.
Now that we have our file extensions, we want to look them up. Splunk can look up data in a CSV file through the lookup command. This takes the file extension we just extracted, looks it up in the CSV file, and adds any matching fields to the event.
The field returned by the lookup is "Name", so we can now search for any event with a populated Name field.
And finally we pull out all the filenames and put them into a usable format via the stats command.
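The same filter / rex / lookup / search / stats pipeline described above, as an added Python example (not Splunk Security Essentials' own search), run over constructed Sysmon events and a constructed stand-in for ransomware_extensions.csv. Only the lookup's "Name" column is given on this page; the "Extensions" column header, the sample events and the family-to-extension mappings are assumptions made for the example.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed stand-in for ransomware_extensions.csv ("Extensions" header is assumed).
LOOKUP_CSV = """Extensions,Name
.locky,Locky
.zepto,Locky
.cerber,Cerber
.wncry,WannaCry
"""

# Constructed Sysmon events: EventCode 11 = FileCreate, 2 = file creation time changed.
EVENTS = [
    {"host": "ws01", "EventCode": 11, "TargetFilename": r"C:\Users\a\Documents\budget.xlsx.locky"},
    {"host": "ws01", "EventCode": 2,  "TargetFilename": r"C:\Users\a\Documents\notes.txt.LOCKY"},
    {"host": "ws01", "EventCode": 1,  "TargetFilename": r"C:\Windows\Temp\x.locky"},  # not a file event
    {"host": "ws02", "EventCode": 11, "TargetFilename": r"C:\Users\b\report.docx"},
    {"host": "ws02", "EventCode": 11, "TargetFilename": r"C:\Users\b\README"},  # no extension at all
    {"host": "ws03", "EventCode": 11, "TargetFilename": r"C:\Data\db.bak.wncry"},
]

# Equivalent of the rex stage: the final ".ext" at the end of the path (no slashes or dots inside).
EXT_RE = re.compile(r"(\.[^\\/.]+)$")


def load_lookup(text):
    """Parse the CSV lookup into {extension lower-cased: family Name}."""
    return {row["Extensions"].lower(): row["Name"] for row in csv.DictReader(io.StringIO(text))}


def extract_extension(path):
    """Return the trailing extension lower-cased, or None when the file has none."""
    m = EXT_RE.search(path)
    return m.group(1).lower() if m else None


def ransomware_by_host(events, lookup):
    """Filter on event code, rex the extension, lookup Name, keep hits, group files by host and Name."""
    hits = defaultdict(list)
    for ev in events:
        if ev["EventCode"] not in (11, 2):
            continue
        name = lookup.get(extract_extension(ev["TargetFilename"]))
        if name:  # the "Name=*" step: only events the lookup enriched
            hits[(ev["host"], name)].append(ev["TargetFilename"])
    return dict(hits)


if __name__ == "__main__":
    for (host, name), files in ransomware_by_host(EVENTS, load_lookup(LOOKUP_CSV)).items():
        print(f"{host}: {name} -> {len(files)} file(s): {files}")
```

Extensions are compared case-insensitively and the lookup is the only place family knowledge lives, so updating the CSV changes detections without touching the pipeline, as the implementation notes above describe.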