This article covers techniques for detecting ransomware attacks. If you have already detected an attack and want to investigate its impact, check Investigating a ransomware attack for searches to help you investigate the origin and scope the impact of the attack.
A new type of ransomware attack has been discovered and is affecting organizations like yours. Although you have not yet been contacted by any users letting you know their machine has been infected, you know that attackers can infiltrate a network and perform activities undetected before encrypting files and notifying users.
As a security analyst, it is your goal to detect traces of ransomware attacks by investigating programs or binaries that execute on potentially infected systems, and looking for other hallmarks of ransomware attacks.
How to use Splunk software for this use case
There are many searches you can run with Splunk software in the event of a ransomware attack. You can detect the attack using these searches:
- High file deletion frequency
- High process termination frequency
- Bulk creation of ransomware notes
- Bcdedit boot recovery modifications
- Shadow copies deleted
- Registry key modifications
- Wmic.exe launching processes on a remote system
- Schtasks.exe used to force a reboot
- Schtasks.exe registering binaries or scripts to run from a public directory
- Server Message Block (SMB) traffic connection spikes
- File write spikes
- Wevtutil.exe abuse
- Command line string length
- USN journal deletion
- Wbadmin delete backup files
- Windows event log cleared
- TOR traffic
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Notifying law enforcement and all other authorities relevant to your industry
- Implementing your security incident response and business continuity plan
- Filing cyber insurance claims with your provider
Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Time to detection: The time from when the source of the ransomware was downloaded to the user’s machine and when the user received the ransomware notice
- Time to complete the investigation: The time from when the user reported the ransomware to when the investigation was completed
- The content in this use case comes from a hands-on security investigations workshop developed by Splunk experts. To find out what educational resources are available to you, talk to your account team. These additional Splunk resources might help you understand and implement this specific use case:
- Finally, if you'd like a more efficient way to detect ransomware on your network, consider upgrading your deployment. Splunk Enterprise Security helps you ingest, monitor, investigate/analyze and act (IMIA) on security data and insights. Click here to see how this use case can be accomplished in Splunk Enterprise Security.