Splunk Lantern

Detecting a ransomware attack


This article covers techniques for detecting ransomware attacks. If you have already detected an attack and want to investigate its impact, check Investigating a ransomware attack for searches to help you investigate the origin and scope the impact of the attack.

A new type of ransomware attack has been discovered and is affecting organizations like yours. Although you have not yet been contacted by any users letting you know their machine has been infected, you know that attackers can infiltrate a network and perform activities undetected before encrypting files and notifying users.

As a security analyst, it is your goal to detect traces of ransomware attacks by investigating programs or binaries that execute on potentially infected systems, and looking for other hallmarks of ransomware attacks.

Related processes

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

  • Notifying law enforcement and all other authorities relevant to your industry
  • Implementing your security incident response and business continuity plan 
  • Filing cyber insurance claims with your provider

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • Time to detection: The time from when the ransomware was downloaded to the user's machine to when the user received the ransomware notice
  • Time to complete the investigation: The time from when the user reported the ransomware to when the investigation was completed

Next steps

The content in this use case comes from a hands-on security investigations workshop developed by Splunk experts. To find out what educational resources are available to you, talk to your account team. These additional Splunk resources might help you understand and implement this specific use case:

  • Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at if you require assistance.
  • Finally, if you'd like a more efficient way to detect ransomware on your network, consider upgrading your deployment. Splunk Enterprise Security helps you ingest, monitor, investigate/analyze and act (IMIA) on security data and insights. Click here to see how this use case can be accomplished in Splunk Enterprise Security.