Detect Data Encrypted for Impact in Sumo Logic CSE
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted. In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted and often renamed or tagged with specific file markers. Adversaries may also encrypt critical system files, disk partitions, MBR, virtual machines hosted on ESXi, or cloud storage objects.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1486 Data Encrypted for Impact
- Canonical reference
- https://attack.mitre.org/techniques/T1486/
Sumo Detection Query
(_sourceCategory=*windows/sysmon* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where EventCode = "1" OR EventCode = "11"
| if (EventCode = "1" AND (
toLowerCase(CommandLine) matches "*vssadmin*delete shadows*" OR
toLowerCase(CommandLine) matches "*wmic*shadowcopy delete*" OR
toLowerCase(CommandLine) matches "*bcdedit*recoveryenabled*no*" OR
toLowerCase(CommandLine) matches "*bcdedit*bootstatuspolicy*ignoreallfailures*" OR
toLowerCase(CommandLine) matches "*wbadmin delete catalog*" OR
toLowerCase(CommandLine) matches "*wbadmin delete systemstatebackup*"
), "ShadowDelete", "") as ShadowDeleteType
| if (EventCode = "11" AND (
TargetFilename matches "*.encrypted" OR
TargetFilename matches "*.locked" OR
TargetFilename matches "*.crypt" OR
TargetFilename matches "*.enc" OR
TargetFilename matches "*.ransom" OR
TargetFilename matches "*.cry" OR
TargetFilename matches "*.lock64" OR
TargetFilename matches "*.cuba" OR
TargetFilename matches "*.avos" OR
TargetFilename matches "*.avos2" OR
TargetFilename matches "*.play" OR
TargetFilename matches "*.blackbyte"
), "FileEncrypted", "") as FileEncryptType
| where ShadowDeleteType != "" OR FileEncryptType != ""
| timeslice 1h
| stats
countif(FileEncryptType = "FileEncrypted") as EncryptedFiles,
countif(ShadowDeleteType = "ShadowDelete") as ShadowDeletes,
dcount(TargetFilename) as UniqueFiles,
values(CommandLine) as Commands
by Computer, Image, _timeslice
| where EncryptedFiles > 50 OR ShadowDeletes > 0
| if (EncryptedFiles > 500 AND ShadowDeletes > 0, "critical",
if (EncryptedFiles > 200 OR ShadowDeletes > 0, "high",
if (EncryptedFiles > 50, "medium", "low"))) as RansomwareConfidence
| fields _timeslice, Computer, Image, EncryptedFiles, ShadowDeletes, UniqueFiles, RansomwareConfidence, Commands
| sort by RansomwareConfidence, EncryptedFilesSumo Logic query detecting T1486 ransomware activity by parsing Sysmon EventCode 1 (process creation — shadow copy deletion and recovery sabotage commands) and EventCode 11 (file creation — ransomware extension matches). Applies hourly time bucketing with threshold-based confidence scoring per host and process, matching the logic of the reference KQL/SPL queries. Requires Sysmon data forwarded under a sourceCategory containing 'sysmon' or 'winlogbeat'.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise backup agents (Veeam, Veritas NetBackup, Cohesity) that manage VSS snapshot lifecycles and rename staged backup files with temporary extensions that match ransomware extension patterns during backup jobs
- IT provisioning workflows using bcdedit or wbadmin during OS imaging or recovery partition configuration, especially during large-scale endpoint rollouts that generate bulk process events
- Legitimate encrypted archive creation workflows (GnuPG batch encryption, OpenSSL bulk enc) that produce many .enc or .crypt files when users or scripts encrypt directories of sensitive data for transfer
Other platforms for T1486
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Volume Shadow Copy Deletion via vssadmin
Expected signal: Sysmon Event ID 1: Process creation for vssadmin.exe with 'delete shadows /all /quiet' command line. Windows Security Event ID 4688 with same details. VSS Event ID 8224 in System log confirming shadow deletion.
- Test 2Recovery Sabotage via bcdedit
Expected signal: Sysmon Event ID 1: Two process creation events for bcdedit.exe with /set commands. Windows Security Event ID 4688 with command line auditing. Registry modification events for BCD store changes.
- Test 3Mass File Encryption Simulation
Expected signal: Sysmon Event ID 11: 100 file creation events for .docx files, followed by 100 file rename events to .docx.encrypted. The burst of file operations in a short time window from a single process is the key telemetry pattern.
- Test 4Ransom Note Drop Simulation
Expected signal: Sysmon Event ID 11: 10 file creation events for README_DECRYPT.txt in different directories. The identical filename across multiple directories is the key pattern.
References (10)
- https://attack.mitre.org/techniques/T1486/
- https://www.us-cert.gov/ncas/alerts/TA16-091A
- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
- https://www.us-cert.gov/ncas/alerts/TA17-181A
- https://www.us-cert.gov/ncas/alerts/AA18-337A
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
- https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-cycle/
- https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
Unlock Pro Content
Get the full detection package for T1486 including response playbook, investigation guide, and atomic red team tests.