Splunk Lantern

Detecting a ransomware attack

This article covers techniques for detecting ransomware attacks. If you have already detected an attack and want to investigate its impact, see Investigating a ransomware attack for searches that help you identify the origin of the attack and scope its impact.

A new type of ransomware attack has been discovered and is affecting organizations like yours. Although you have not yet been contacted by any users letting you know their machine has been infected, you know that attackers can infiltrate a network and perform activities undetected before encrypting files and notifying users.

As a security analyst, it is your goal to detect traces of ransomware attacks by investigating programs or binaries that execute on potentially infected systems, and looking for other hallmarks of ransomware attacks.
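As an added example that is not part of the Splunk Lantern article (which works in Splunk searches rather than Python), the script below shows the kind of hallmark detection described above run over a constructed endpoint event stream: process-creation events whose command line deletes shadow copies or disables recovery, and a burst of file renames by a single process that changes file extensions, which is what an encryptor looks like on the file system. The event field names, thresholds, detection patterns and sample events are assumptions made for illustration, not the article's searches.

```python
"""Added example (not from the Splunk Lantern article): flag two ransomware
hallmarks in an endpoint event stream, namely backup/shadow-copy destruction
and a burst of file renames to a new extension. Event field names and the
sample events below are constructed for illustration."""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines ransomware commonly runs before encrypting, to stop the victim
# from restoring: shadow-copy deletion and disabling Windows recovery.
# Illustrative patterns, not a vendor signature set.
DESTRUCTIVE_COMMANDS = [
    ("shadow-copy-delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow-copy-delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery-disabled", re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
    ("backup-catalog-delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]
RENAME_THRESHOLD = 5                   # renames that change the extension...
RENAME_WINDOW = timedelta(seconds=60)  # ...by one process within this window


def file_extension(path):
    """Lower-cased extension without the dot; ntpath handles Windows paths on any OS."""
    return ntpath.splitext(path)[1].lstrip(".").lower()


def check_command_line(command_line):
    """Return the rule name if the command line matches a destructive pattern, else None."""
    for rule, pattern in DESTRUCTIVE_COMMANDS:
        if pattern.search(command_line):
            return rule
    return None


def detect_ransomware_hallmarks(events):
    """One pass over process-creation and file-rename events; returns alert dicts."""
    alerts, seen = [], set()
    renames = defaultdict(list)  # (host, image) -> [(time, new_ext)]
    for ev in events:
        if ev["type"] == "process":
            rule = check_command_line(ev["command_line"])
            key = (ev["host"], rule, ev["image"])
            if rule and key not in seen:  # alert once per host/rule/binary
                seen.add(key)
                alerts.append({"rule": rule, "host": ev["host"], "user": ev["user"],
                               "image": ev["image"], "command_line": ev["command_line"]})
        elif ev["type"] == "rename":
            old_ext, new_ext = file_extension(ev["old_path"]), file_extension(ev["new_path"])
            if new_ext and new_ext != old_ext:
                renames[(ev["host"], ev["image"])].append((ev["time"], new_ext))
    # Sliding window per process: how many extension-changing renames fall
    # inside RENAME_WINDOW? Encryptors re-extension many files within seconds.
    for (host, image), items in renames.items():
        items.sort()
        best = start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > RENAME_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= RENAME_THRESHOLD:
            alerts.append({"rule": "rename-burst", "host": host, "image": image,
                           "count": best, "extensions": sorted({e for _, e in items})})
    return alerts


# Constructed sample events: one workstation, a benign backup agent, one
# shadow-copy deletion, an ordinary rename, and an encryption-style burst.
T0 = datetime(2024, 5, 1, 9, 0, 0)
TEMP_EXE = r"C:\Users\jdoe\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    {"type": "process", "time": T0, "host": "WS-042", "user": "jdoe",
     "image": r"C:\Program Files\Backup\agent.exe", "command_line": "agent.exe --sync"},
    {"type": "process", "time": T0 + timedelta(seconds=5), "host": "WS-042", "user": "jdoe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "rename", "time": T0 + timedelta(seconds=7), "host": "WS-042",
     "image": r"C:\Windows\explorer.exe",
     "old_path": r"C:\Users\jdoe\Desktop\notes.txt",
     "new_path": r"C:\Users\jdoe\Desktop\todo.txt"},
] + [
    {"type": "rename", "time": T0 + timedelta(seconds=10 + i), "host": "WS-042",
     "image": TEMP_EXE,
     "old_path": rf"C:\Users\jdoe\Documents\file{i}.docx",
     "new_path": rf"C:\Users\jdoe\Documents\file{i}.docx.locked"}
    for i in range(6)
]

if __name__ == "__main__":
    for alert in detect_ransomware_hallmarks(SAMPLE_EVENTS):
        print(alert)
```

The benign backup agent and the explorer.exe rename produce nothing; the vssadmin command and the six renames to .locked by one process each produce an alert. In a real deployment the command-line rules are the high-confidence signal, while the rename threshold and window need tuning against your own baseline so that bulk operations by backup or archiving software do not fire it.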

Related processes

To get the most benefit from them, the how-to articles linked in the previous section will likely need to tie into existing processes at your organization or become new standard processes. The following processes commonly affect success with this use case:

  • Notifying law enforcement and all other authorities relevant to your industry
  • Implementing your security incident response and business continuity plan 
  • Filing cyber insurance claims with your provider

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • Time to detection: The time from when the ransomware was first downloaded to a user's machine to when the attack was detected, at the latest when the user received the ransom notice
  • Time to complete the investigation: The time from when the user reported the ransomware to when the investigation was completed

Next steps