Data Encrypted for Impact
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted. In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted and often renamed or tagged with specific file markers. Adversaries may also encrypt critical system files, disk partitions, MBR, virtual machines hosted on ESXi, or cloud storage objects.
Detection Query (KQL, Microsoft Defender XDR advanced hunting)
let TimeWindow = 1h;
let RenameThreshold = 50;
// Extensions appended by common ransomware families. The match is on the file's final
// extension only, so a document called "play.docx" is not counted.
let RansomExtensions = dynamic(["encrypted", "locked", "crypt", "enc", "ransom", "cry", "lock64", "cuba", "avos", "avos2", "play", "blackbyte"]);
let ShadowDeleteCommands = dynamic(["vssadmin delete shadows", "vssadmin.exe delete shadows", "wmic shadowcopy delete", "bcdedit /set {default} recoveryenabled no", "bcdedit /set {default} bootstatuspolicy ignoreallfailures", "wbadmin delete catalog", "wbadmin delete systemstatebackup"]);
// Detection 1: mass file rename/encryption activity, grouped per initiating process
let MassRename = DeviceFileEvents
| where Timestamp > ago(TimeWindow)
| where ActionType in ("FileRenamed", "FileModified", "FileCreated")
| extend FileExtension = tolower(extract(@"\.([^.\\/]+)$", 1, FileName))
| where FileExtension in (RansomExtensions)
| summarize
    RenamedFiles = count(),
    UniqueExtensions = dcount(FileExtension),
    FileTypes = make_set(FileExtension, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine
| where RenamedFiles > RenameThreshold;
// Detection 2: shadow copy deletion and recovery sabotage, collapsed to one row per device
// so that several sabotage commands on a host cannot multiply the MassRename rows in the join
let ShadowDelete = DeviceProcessEvents
| where Timestamp > ago(TimeWindow)
| where ProcessCommandLine has_any (ShadowDeleteCommands)
| summarize ShadowDeleteCommandLines = make_set(ProcessCommandLine, 10), ShadowDeleteAccounts = make_set(AccountName, 10) by DeviceName;
// Combine both signals: the join is on device, not process, because the sabotage command
// is usually run from a different process (cmd.exe, wmic.exe) than the encryptor itself
MassRename
| join kind=leftouter (ShadowDelete) on DeviceName
| extend ShadowsDeleted = isnotnull(ShadowDeleteCommandLines)
| extend RansomwareConfidence = case(
    RenamedFiles > 500 and ShadowsDeleted, "critical",
    RenamedFiles > 200 or ShadowsDeleted, "high",
    RenamedFiles > RenameThreshold, "medium",
    "low")
| project FirstSeen, LastSeen, DeviceName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, RenamedFiles, UniqueExtensions, FileTypes, ShadowsDeleted, ShadowDeleteCommandLines, ShadowDeleteAccounts, RansomwareConfidence
| sort by RenamedFiles desc
Data Sources
- File: File Creation, File Modification (file rename/modify/create telemetry from the endpoint sensor)
- Process: Process Creation and Command: Command Execution (process command lines for shadow copy and recovery sabotage)
Required Tables
- DeviceFileEvents
- DeviceProcessEvents
False Positives
- Legitimate encryption or archiving tools (VeraCrypt, 7-Zip, backup agents) that write large numbers of files with .enc- or .crypt-style extensions during backup operations; BitLocker encrypts whole volumes and does not rename files, so it does not trigger the rename signal
- File migration or archival tools that rename files with new extensions during processing
- Anti-ransomware tools that create decoy/canary files with ransomware-like extensions for honeypot detection
- Disaster recovery testing that involves intentional shadow copy deletion as part of DR exercises
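The query above and the false-positive list can be exercised offline with the following Python re-implementation of the same logic. This is an added example, not code from the original page or from the detection vendor: event dicts mimic the DeviceFileEvents and DeviceProcessEvents columns the KQL reads, all sample telemetry is constructed, and the allowlisted process name canarywriter.exe is an assumed stand-in for a real anti-ransomware decoy writer.

```python
"""Added example, not code from the original page: the KQL detection above
re-implemented in Python so it can be run offline. Event dicts mimic the
DeviceFileEvents / DeviceProcessEvents columns the query reads; all sample
telemetry is constructed and the allowlisted process name is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TIME_WINDOW = timedelta(hours=1)
RENAME_THRESHOLD = 50
RANSOM_EXTENSIONS = {"encrypted", "locked", "crypt", "enc", "ransom", "cry",
                     "lock64", "cuba", "avos", "avos2", "play", "blackbyte"}
SHADOW_DELETE_COMMANDS = ("vssadmin delete shadows", "wmic shadowcopy delete",
                          "bcdedit /set {default} recoveryenabled no",
                          "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
                          "wbadmin delete catalog", "wbadmin delete systemstatebackup")
# Tools known to write decoy files with ransomware-style extensions (assumed name).
ALLOWLISTED_PROCESSES = {"canarywriter.exe"}

def extension_of(filename):
    """Last extension of a file name or Windows path, lower-cased ('' if none)."""
    base = filename.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""

def is_shadow_delete(cmdline):
    """Match recovery-sabotage commands regardless of case, '.exe' suffix or spacing."""
    norm = " ".join(re.sub(r"\.exe\b", "", cmdline.lower()).split())
    return any(pattern in norm for pattern in SHADOW_DELETE_COMMANDS)

def in_window(ev, now):
    return now - TIME_WINDOW <= ev["Timestamp"] <= now

def mass_rename(file_events, now):
    """Detection 1: ransomware-extension writes per device and initiating process."""
    groups = defaultdict(list)
    for ev in file_events:
        if (not in_window(ev, now)
                or ev["ActionType"] not in ("FileRenamed", "FileModified", "FileCreated")
                or extension_of(ev["FileName"]) not in RANSOM_EXTENSIONS
                or ev["InitiatingProcessFileName"].lower() in ALLOWLISTED_PROCESSES):
            continue
        groups[(ev["DeviceName"], ev["InitiatingProcessFileName"], ev["InitiatingProcessId"])].append(ev)
    return {key: {"RenamedFiles": len(evs),
                  "FileTypes": sorted({extension_of(e["FileName"]) for e in evs}),
                  "FirstSeen": min(e["Timestamp"] for e in evs),
                  "LastSeen": max(e["Timestamp"] for e in evs)}
            for key, evs in groups.items() if len(evs) > RENAME_THRESHOLD}

def shadow_deleting_devices(process_events, now):
    """Detection 2: devices where a shadow-copy or recovery sabotage command ran."""
    return {ev["DeviceName"] for ev in process_events
            if in_window(ev, now) and is_shadow_delete(ev["ProcessCommandLine"])}

def confidence(renamed_files, shadows_deleted):
    """Same scoring ladder as the KQL case() expression."""
    if renamed_files > 500 and shadows_deleted:
        return "critical"
    if renamed_files > 200 or shadows_deleted:
        return "high"
    return "medium" if renamed_files > RENAME_THRESHOLD else "low"

def detect(file_events, process_events, now):
    """Join both signals per device and rank alerts by volume, like the KQL output."""
    sabotaged = shadow_deleting_devices(process_events, now)
    alerts = []
    for (device, proc, pid), agg in mass_rename(file_events, now).items():
        hit = device in sabotaged
        alerts.append({"DeviceName": device, "Process": proc, "Pid": pid, **agg,
                       "ShadowsDeleted": hit,
                       "RansomwareConfidence": confidence(agg["RenamedFiles"], hit)})
    return sorted(alerts, key=lambda a: a["RenamedFiles"], reverse=True)

# ---- constructed sample telemetry ----
NOW = datetime(2024, 1, 1, 12, 0, 0)

def _file_events(device, proc, pid, count, name_fmt, minutes_ago):
    start = NOW - timedelta(minutes=minutes_ago)
    return [{"Timestamp": start + timedelta(seconds=i), "DeviceName": device,
             "ActionType": "FileRenamed", "FileName": name_fmt.format(i),
             "InitiatingProcessFileName": proc, "InitiatingProcessId": pid}
            for i in range(count)]

def run_sample():
    file_events = (
        _file_events("ws-a", "svchost_.exe", 4242, 600, "C:\\Users\\u\\Docs\\q{}.xlsx.locked", 40)
        + _file_events("ws-d", "updater.exe", 1337, 120, "share\\img{}.jpg.enc", 20)
        + _file_events("ws-b", "canarywriter.exe", 77, 80, "decoy{}.encrypted", 10)  # allowlisted
        + _file_events("ws-c", "backup.exe", 9, 10, "vault{}.enc", 5)  # under threshold
        + _file_events("ws-e", "old.exe", 5, 300, "x{}.crypt", 180))  # outside the window
    process_events = [
        {"Timestamp": NOW - timedelta(minutes=45), "DeviceName": "ws-a",
         "ProcessCommandLine": "vssadmin.exe  Delete Shadows /All /Quiet"},
        {"Timestamp": NOW - timedelta(minutes=5), "DeviceName": "ws-d",
         "ProcessCommandLine": "vssadmin list shadows"},  # benign enumeration
    ]
    return detect(file_events, process_events, NOW)
```

run_sample() returns two alerts: ws-a (600 renames plus a vssadmin shadow deletion, scored critical) and ws-d (120 renames, no sabotage, scored medium). The decoy writer on ws-b is dropped by the allowlist, ws-c stays under the threshold, and ws-e's activity falls outside the one-hour window, which is the same behaviour the KQL gives for those false-positive cases.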
References
- https://attack.mitre.org/techniques/T1486/
- https://www.us-cert.gov/ncas/alerts/TA16-091A
- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
- https://www.us-cert.gov/ncas/alerts/TA17-181A
- https://www.us-cert.gov/ncas/alerts/AA18-337A
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
- https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-cycle/
- https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/