Ransomware Note Files

Description

Most ransomware leaves a note on the endpoint containing directions for the victim to pay a ransom. This use case looks for these note files.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 3

MITRE ATT&CK Tactics

Execution

MITRE ATT&CK Techniques

User Execution

MITRE Threat Groups

APT12
APT19
APT28
APT29
APT32
APT33
APT37
APT39
BRONZE BUTLER
Cobalt Group
Dark Caracal
DarkHydrus
Darkhotel
Dragonfly 2.0
Elderwood
FIN4
FIN7
FIN8
Gallmaker
Gorgon Group
Lazarus Group
Leviathan
Machete
Magic Hound
MuddyWater
Night Dragon
OilRig
PLATINUM
Patchwork
Rancor
Silence
TA459
TA505
The White Company
Turla
admin@338
menuPass

Kill Chain Phases

Actions on Objectives

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

This use case requires Sysmon to be installed on the endpoints you wish to monitor and the Sysmon add-on installed on your forwarders and search heads. The search uses the ransomware_notes.csv lookup file, which contains the names of common ransomware note files.

Known False Positives

None at the moment

How To Respond

When this search fires, you will want to start your incident response process for dealing with a ransomware infection. You should check for recent backups of the systems affected by the infection.

Help

Ransomware Note Files Help

Most ransomware leaves a note on the endpoint containing directions for the victim to pay a ransom. This use case looks for these note files.

SPL for Ransomware Note Files

Demo Data

First we load our Sysmon demo data.
From Sysmon data, we care primarily about file writes (EventCode 11, FileCreate) or file creation time changes (EventCode 2), so we filter for those event codes.
Splunk can look up data in a CSV file through the lookup command. This takes the filename, "looks it up" in the CSV file, and then adds any new fields from the matching row.
The field added by the lookup is "status", so we can now search for events where it is true, meaning the filename matched a Name in the lookup.
And finally we can pull out all the filenames and put them into a usable format via the stats command.

Live Data

First we load our Sysmon data. From Sysmon data, we care primarily about file writes (EventCode 11, FileCreate) or file creation time changes (EventCode 2), so we filter for those event codes.
From line one we have our process launch logs; now we need to filter them down to just the potential attack tools. We do this via a subsearch. A subsearch runs another search, then takes those results and inserts them into the main search. You can copy-paste that subsearch into a new search window and see what the results look like -- it will return a single column with the name "TargetFilename" that includes a number of our search strings. That column is effectively inserted into our main search, giving us a really long search string without having to maintain a really long search.
Bucket (aliased to bin) allows us to group events based on _time, effectively flattening the actual _time value to the day.
And finally we can pull out all the filenames and put them into a usable format via the stats command.
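The pipeline described in both the Demo Data and Live Data walkthroughs (filter Sysmon file events to EventCode 11 or 2, look the file name up in ransomware_notes.csv, keep the rows where status is true, then aggregate with stats, optionally binned by day) is reproduced below in plain Python so the logic can be run and checked outside Splunk. This is an added example, not Splunk's SPL and not the ransomware_notes.csv that ships with Splunk Security Essentials; the lookup contents, the event records and the host names are all constructed for illustration, and the field names (Computer, TargetFilename, EventCode, _time) are assumed to follow the Sysmon add-on's field extraction.

```python
"""Ransomware note-file detection, modelled on the Sysmon -> lookup -> stats pipeline.

Added example: all events and note names below are constructed; the real
ransomware_notes.csv shipped with Splunk Security Essentials is not reproduced.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-in for the ransomware_notes.csv lookup (a single "Name" column).
RANSOMWARE_NOTES_CSV = """Name
README_FOR_DECRYPT.txt
HOW_TO_RECOVER_FILES.hta
!!!_RESTORE_MY_FILES_!!!.txt
"""

# Sysmon EventCode 11 = FileCreate, EventCode 2 = a process changed a file creation time.
FILE_EVENT_CODES = {"11", "2"}

# Constructed Sysmon-like events with the subset of fields the search uses.
SAMPLE_EVENTS = [
    {"_time": "2024-03-05T09:12:04Z", "EventCode": "11", "Computer": "ws-042",
     "TargetFilename": "C:\\Users\\a\\Documents\\README_FOR_DECRYPT.txt"},
    {"_time": "2024-03-05T09:12:05Z", "EventCode": "11", "Computer": "ws-042",
     "TargetFilename": "C:\\Users\\a\\Pictures\\readme_for_decrypt.TXT"},   # case differs
    {"_time": "2024-03-05T09:13:11Z", "EventCode": "2", "Computer": "ws-042",
     "TargetFilename": "C:\\Users\\a\\Desktop\\HOW_TO_RECOVER_FILES.hta"},
    {"_time": "2024-03-05T09:14:00Z", "EventCode": "11", "Computer": "ws-017",
     "TargetFilename": "C:\\Users\\b\\Documents\\quarterly_report.docx"},  # benign write
    {"_time": "2024-03-05T10:00:00Z", "EventCode": "23", "Computer": "ws-017",
     "TargetFilename": "C:\\Users\\b\\README_FOR_DECRYPT.txt"},            # FileDelete: not in scope
]


def load_note_names(csv_text):
    """Read the lookup's Name column into a set of lower-cased names.

    Splunk lookups match case-insensitively by default, so we normalise here too.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Name"].strip().lower() for row in reader if row.get("Name")}


def basename(path):
    """Final path component, accepting both Windows and POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def find_note_events(events, note_names):
    """Equivalent of: EventCode=11 OR EventCode=2 | lookup ... | search status=true."""
    return [
        ev for ev in events
        if ev.get("EventCode") in FILE_EVENT_CODES
        and basename(ev.get("TargetFilename", "")).lower() in note_names
    ]


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize_by_host(matches, bucket_by_day=False):
    """Equivalent of: [bin _time span=1d |] stats count min(_time) max(_time)
    values(TargetFilename) by Computer [_time]."""
    groups = defaultdict(list)
    for ev in matches:
        t = _parse_time(ev["_time"])
        key = (ev["Computer"], t.date().isoformat()) if bucket_by_day else (ev["Computer"],)
        groups[key].append((t, ev["TargetFilename"]))
    summary = {}
    for key, items in groups.items():
        times = [t for t, _ in items]
        summary[key] = {
            "count": len(items),
            "firstTime": min(times).isoformat(),
            "lastTime": max(times).isoformat(),
            "TargetFilename": sorted({name for _, name in items}),
        }
    return summary


def run_detection(events=SAMPLE_EVENTS, csv_text=RANSOMWARE_NOTES_CSV, bucket_by_day=False):
    """Run the full pipeline and return one summary row per host (or host+day)."""
    return summarize_by_host(find_note_events(events, load_note_names(csv_text)), bucket_by_day)


if __name__ == "__main__":
    for key, row in run_detection().items():
        print(key, row)
```

Running the module prints a single row for ws-042 with three matching note files: the case-insensitive match catches the upper-cased extension, the benign document write is dropped by the lookup, and the FileDelete event is dropped by the EventCode filter, which is the same behaviour a tuned version of the Splunk search should show on real Sysmon data.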