Bulk creation of ransomware notes
This search looks for instances where a large number of ransomware note files are created on the infected machine. These notes often have file extensions of .txt, .html or .hta.
Data required
Procedure
- If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
```
| search (EventCode=11 (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (file_name="*\.hta" OR file_name="*\.html" OR file_name="*\.txt"))
| stats min(_time) AS firstTime max(_time) AS lastTime dc(TargetFilename) AS unique_readme_path_count values(TargetFilename) AS list_of_readme_path BY Computer Image file_name
| where (unique_readme_path_count >= 50)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
```
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `\| search (EventCode=11 (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational)` | Search Sysmon Operational logs for event code 11, file creation events. |
| `(file_name="*\.hta" OR file_name="*\.html" OR file_name="*\.txt"))` | Search for the file extensions listed, which are commonly used for the notes dropped by ransomware infections. |
| `\| stats min(_time) AS firstTime max(_time) AS lastTime dc(TargetFilename) AS unique_readme_path_count values(TargetFilename) AS list_of_readme_path BY Computer Image file_name` | For each combination of Computer, Image (the creating process) and file_name, return the first and last creation time, the number of distinct file paths created, and the list of those paths. |
| `\| where (unique_readme_path_count >= 50)` | Return only those groups where at least 50 distinct file paths were created. |
| `\| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) \| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)` | Convert these times into readable strings. |
Next steps
If you receive clear positive results from this search, start your incident response process for dealing with a ransomware infection. You should check for recent backups for the systems affected by the infection.
Finally, you might be interested in other processes associated with the Detecting a ransomware attack or Detecting Clop ransomware use cases.