High-frequency file write operations using uncommon extensions, followed by ransom note creation, registry tampering, or shadow copy deletion. Often uses CLI tools like vssadmin, wbadmin, cipher, or PowerShell.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Modification (DC0061) | WinEventLog:Sysmon | EventCode=2 |

| Field | Description |
|---|---|
| FileExtension | Non-standard or randomly generated file extensions may indicate encrypted content. |
| TargetFolder | Focus on user document folders, network shares, or system paths like %System32%. |
| TimeWindow | Correlate rapid writes and renames within seconds across a high file count. |
| CommandLine | Flag common ransomware tools or functions (vssadmin delete shadows /all /quiet). |
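Added example, not part of the original page: a small Python correlation of the FileExtension, TimeWindow and CommandLine signals above over constructed Sysmon-style events (EventCode 11 file creations and EventCode 1 process creations). The allow-list of common extensions, the 10-second window and the five-file threshold are assumptions to tune per environment.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions expected under user document folders; anything else is treated as
# uncommon. The allow-list is constructed for this example; tune it per environment.
COMMON_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".csv"}

def is_uncommon_ext(path):
    ext = ntpath.splitext(path)[1].lower()   # ntpath handles Windows paths on any host
    return ext != "" and ext not in COMMON_EXT

def find_write_bursts(events, window_s=10, min_files=5):
    """Map Image -> peak number of uncommon-extension files it created (Sysmon
    EventCode 11) inside any window_s-second span holding at least min_files."""
    per_proc = defaultdict(list)
    for e in events:
        if e["EventCode"] == 11 and is_uncommon_ext(e["TargetFilename"]):
            per_proc[e["Image"]].append(datetime.fromisoformat(e["UtcTime"]))
    bursts = {}
    for image, times in per_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= min_files:
                bursts[image] = max(bursts.get(image, 0), end - start + 1)
    return bursts

def shadow_copy_deletions(events):
    """Command lines from Sysmon EventCode 1 that delete volume shadow copies."""
    return [e["CommandLine"] for e in events
            if e["EventCode"] == 1 and "vssadmin" in e.get("CommandLine", "").lower()
            and "delete shadows" in e["CommandLine"].lower()]

def score(events):
    """Alert only when an encryption-like write burst and shadow copy deletion co-occur."""
    bursts = find_write_bursts(events)
    deletions = shadow_copy_deletions(events)
    return {"burst_processes": bursts, "shadow_deletions": deletions,
            "alert": bool(bursts) and bool(deletions)}

# Constructed sample events (not real telemetry): one process writes six files with
# a random extension within five seconds, then vssadmin deletes the shadow copies.
EVIL = "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"
SAMPLE = [{"EventCode": 11, "Image": EVIL, "UtcTime": f"2024-05-01 10:00:0{i}.000",
           "TargetFilename": f"C:\\Users\\alice\\Documents\\report{i}.docx.k7z9"}
          for i in range(6)]
SAMPLE.append({"EventCode": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe",
               "UtcTime": "2024-05-01 10:00:07.000",
               "CommandLine": "vssadmin delete shadows /all /quiet"})
```

Running `score(SAMPLE)` flags `upd.exe` with a six-file burst and the shadow copy deletion; the vssadmin event alone does not raise the alert.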
Encryption via custom or open-source tools (e.g., openssl, gpg, aescrypt) recursively targeting user or system directories. Also includes overwrite of existing data and ransom note drops.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | openat, write, rename, unlink |
| Process Creation (DC0032) | auditd:SYSCALL | execve |

| Field | Description |
|---|---|
| FilenamePattern | Look for creation of ransom note files (e.g., READ_ME.txt, HELP_DECRYPT.html). |
| SyscallBurstRate | High write/open/unlink activity in short intervals indicates encryption attempts. |
| DirectoryTargeted | Correlate activity in /home, /etc, /opt, or mounted volumes. |
Userland or kernel-level ransomware encrypting user files (Documents, Desktop) using srm, gpg, or compiled payloads. Often correlated with ransom note creation in multiple directories.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | macos:unifiedlog | file encrypted|new file with .encrypted extension|disk write burst |
| Process Creation (DC0032) | macos:unifiedlog | exec srm|exec openssl|exec gpg |

| Field | Description |
|---|---|
| ExtensionPattern | Encrypted files may use .locked, .enc, or ransom-specific extensions. |
| VolumeTargeted | Detect activity targeting mounted external or backup volumes. |
Ransomware encrypts .vmdk, .vmx, .log, or VM config files in VMFS datastores. May rename to .locked or delete/overwrite with encrypted versions. Often correlates with shell commands run through dcui, SSH, or vSphere.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | esxi:vmkernel | rename .vmdk to .*.locked|datastore write spike |
| Command Execution (DC0064) | esxi:shell | openssl|tar|dd |

| Field | Description |
|---|---|
| FileType | Detect renames or write patterns involving .vmdk, .vmx, .nvram. |
| UserContext | Identify shell sessions opened by root or unexpected users outside the maintenance window. |
Encryption of cloud storage objects (e.g., S3 buckets) via Server-Side Encryption with customer-provided keys (SSE-C) or by replacing objects with encrypted variants. May include API patterns like PutObject with SSE-C headers.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Storage Modification (DC0023) | AWS:CloudTrail | PutObject (with SSE-C), UploadPart (SSE-C) |

| Field | Description |
|---|---|
| SSEHeader | SSE-C headers indicate attacker-controlled encryption keys. |
| AffectedBucket | Prioritize logs, backups, or shared document storage buckets. |
| UserAgent | Distinguish scripted automation from console-based API behavior. |