Detecting Ransomware Attacks with Splunk

You probably either heard about Ransomware programs that encrypt user files and then ask to transfer money.

Michael Gough, a local “Malware Archeologist” published a blog post about using Splunk.

Michael’s technique relies on enabling File Auditing within the Advanced Auditing features of laterWindows operating systems for the directory of data that you want to monitor.

The author of the article was going to do the same on their test systems, but found that he could get a label file creation time using the data for Windows SYSMON. Sysmon is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network. It turns out that ransomware is easy to find if you dial back your spam-filter/anti-virus/discretion and actually click on the links or unzip and run the attached scripts. Sysmon’s output is XML, so it’s relatively easy to parse.

You can read in more detail one example of how Splunk can be used to deal with extortionists here.