Skip to main content
Splunk Lantern

Investigating a ransomware attack


This article covers techniques for investigating ransomware attacks that have already been detected. If you are looking for searches to help you detect ransomware attacks, go to Detecting a ransomware attack.

A user in your organization turns on their Windows desktop one morning and is greeted by a message claiming that files on the system have been encrypted and payment must be made to get the files back. As a security analyst, it is your goal to investigate the ransomware by attempting to reconstruct the events that led to the system being infected. You also want to understand the full scope of the security breach and prevent additional systems from becoming infected. 

You can use Splunk software to investigate programs or binaries that executed on the infected system, examine connections the infected machine had to other network devices, construct a timeline of events, and create traffic flow diagrams to help visualize what happened. 

Next steps

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

  • Notifying law enforcement and all other authorities relevant to your industry
  • Implementing your security incident response and business continuity plan 
  • Filing cyber insurance claims with your provider

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • Time to detection: The time from when the source of the ransomware was downloaded to the user’s machine and when the user received the ransomware notice
  • Time to complete the investigation: The time from when the user reported the ransomware to when the investigation was completed

The content in this use case comes from a hands-on security investigations workshop developed by Splunk experts. To find out what educational resources are available to you, talk to your Customer Service Manager. These additional Splunk resources might help you understand and implement this specific use case:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at if you require assistance.