Skip to main content
Splunk Lantern

Bulk creation of ransomware notes

This search looks for instances where a large number of ransomware notes are files created in the infected machine. These notes often have file extensions of .txt, .html or .hta.

 

Procedure

  1. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
| search (EventCode=11 (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (file_name="*\.hta" OR file_name="*\.html" OR file_name="*\.txt")) 
| stats min(_time) AS firstTime max(_time) AS lastTime dc(TargetFilename) AS unique_readme_path_count values(TargetFilename) AS list_of_readme_path BY Computer Image file_name 
| where (unique_readme_path_count >= 50) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| search (EventCode=11 (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) Search Sysmon Operational logs for event code 11, file creation events.
(file_name="*\.hta" OR file_name="*\.html" OR file_name="*\.txt"))  Search for the file extensions listed, which are commonly created by ransomware infections.
| stats min(_time) AS firstTime max(_time) AS lastTime dc(TargetFilename) AS unique_readme_path_count values(TargetFilename) AS list_of_readme_path BY Computer Image file_name  Return the values for the fields shown, sorting first by Computer and then by the rest of the fields shown.
| where (unique_readme_path_count >= 50)  Return instances where at least 50 files are created at once.
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Convert these times into readable strings.

Next steps

If you receive clear positive results from this search, start your incident response process for dealing with a ransomware infection. You should check for recent backups for the systems affected by the infection.

Finally, you might be interested in other processes associated with the Detecting a ransomware attack or Detecting Clop ransomware use cases.