Splunk Lantern

Investigating a ransomware attack

Scenario: A user in your organization turns on his Windows desktop one morning and is greeted by a message claiming that files on the system have been encrypted and that payment must be made to get the files back. As a security analyst, your goal is to investigate the ransomware by reconstructing the events that led to the system being infected. You also want to understand the full scope of the security breach and prevent additional systems from becoming infected. You can use Splunk software to investigate programs or binaries that executed on the infected system, examine connections the infected machine made to other network devices, construct a timeline of events, and create traffic flow diagrams to help visualize what happened.

Prerequisites

To succeed in implementing this use case, you need the following dependencies, resources, and information.

How to use Splunk software for this use case

There are many searches you can run with Splunk software in the event of a ransomware attack. You can investigate the origin of the attack using these searches:

You can scope the impact of the attack using these searches:
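The searches below are an added example and are not part of this Lantern article or of the how-to articles it links to. They are written in SPL against Sysmon events indexed with the Splunk Add-on for Microsoft Sysmon, and they assume an index named wineventlog, an infected host named WKSTN-042 and a suspect destination address of 203.0.113.77; all three are constructed placeholders to replace with values from your own environment. Sysmon EventCode 1 is process creation, EventCode 3 a network connection and EventCode 11 a file create. The first search lists every program that executed on the infected host in the last 24 hours with its parent process, the second lists outbound connections that left the internal 10.0.0.0/8 range, the third merges process, network and file-write events into one ordered timeline, and the fourth scopes the impact by finding every other host that connected to the same suspect address in the last seven days.

```spl
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 host="WKSTN-042" earliest=-24h@h
| stats earliest(_time) AS first_seen count BY Image, ParentImage, User, CommandLine
| sort + first_seen
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 host="WKSTN-042" earliest=-24h@h
| where NOT cidrmatch("10.0.0.0/8", DestinationIp)
| stats earliest(_time) AS first_seen count BY Image, DestinationIp, DestinationPort
| sort + first_seen
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host="WKSTN-042" (EventCode=1 OR EventCode=3 OR EventCode=11) earliest=-24h@h
| eval action=case(
    EventCode==1, "process: ".Image." (parent ".ParentImage.")",
    EventCode==3, "connect: ".Image." -> ".DestinationIp.":".DestinationPort,
    EventCode==11, "file: ".Image." wrote ".TargetFilename)
| table _time host action
| sort + _time

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 DestinationIp="203.0.113.77" earliest=-7d@d
| stats earliest(_time) AS first_seen count BY host, Image
| sort + first_seen
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
```

Run the searches one at a time. The first and second searches are where the origin of the attack usually shows up: an unexpected child of a browser or mail client, or a newly seen binary making its first outbound connection. Read the timeline from the third search from the first suspicious process creation downward; the first EventCode 11 events written by the suspect process mark when encryption started, which is the end point of the time-to-detection metric described under Results. Any host other than WKSTN-042 returned by the fourth search is a candidate for the same investigation and for containment.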

Results

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:

  • Notifying law enforcement and all other authorities relevant to your industry
  • Implementing your security incident response and business continuity plan
  • Filing cyber insurance claims with your provider

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • Time to detection: The time from when the ransomware was downloaded to the user’s machine to when the user received the ransomware notice
  • Time to complete the investigation: The time from when the user reported the ransomware to when the investigation was completed

Additional resources

The content in this use case comes from a hands-on security investigations workshop developed by Splunk experts. To find out what educational resources are available to you, talk to your Customer Service Manager. These additional Splunk resources might help you understand and implement this specific use case: