Ransomware File Activity

View all detections
Ransomware File Activity


  • An internal host is connected to one or more file servers via the SMB protocol and is rapidly reading files and writing files of roughly the same size and with roughly the same file name
  • This pattern is highly correlated with how ransomware interacts with file servers

Possible Root Causes

  • The internal host is infected with a variant of ransomware
  • A benign application on the host is rapidly reading files from and writing files to a networked file share
  • A user is compiling a large set of source files located on a file share, causing a pattern of reading and writing files that exhibits a similar pattern

Business Impact

  • Ransomware encrypts files and transmits the encryption key to the attacker
  • The attacker then attempts to extract a ransom (typically payable in an untraceable cyber currency) from the organization in return for a promise to release the encryption key which allows the files to be recovered
  • Even if your organization is willing to pay the ransom, there is no guarantee that the encryption key will be provided by the attacker
  • Absent the encryption key, files will have to be restored from a backup and any changes since the last backup will be lost

Steps to Verify

  • Examine the sample files referenced in the detection and see if the original files are missing and the files that have replaced them carry strange but similar file names or file extensions
  • Check the directory in which the files reside for ransom notes with instructions on how to pay the ransom and retrieve the encryption key


How can we differentiate between ransomware activity and legitimate file operations?

Look for unusual patterns such as rapid file reads/writes, altered file names/extensions, and the presence of ransom notes. Legitimate operations typically don't exhibit these patterns simultaneously.

What are the first steps to take when ransomware file activity is detected?

Immediately isolate the affected system, examine sample files for encryption signs, and check for ransom notes. Notify the cybersecurity team to initiate an incident response.

Should an organization ever consider paying the ransom?

Paying the ransom is risky and not recommended as it does not guarantee file recovery and might encourage further malicious attacks. It's crucial to focus on prevention and robust response strategies instead.

How can backups help in responding to a ransomware attack?

Regular and secure backups can be a lifeline in ransomware situations, allowing organizations to restore encrypted data without succumbing to ransom demands. It's essential that backups are updated frequently and stored securely, ideally disconnected from the main network.

How can ransomware be detected proactively?

Utilize advanced threat detection systems like the Vectra AI Platform, monitor for unusual network traffic, and regularly conduct security audits.

What role does employee training play in preventing ransomware attacks?

Training employees in recognizing phishing emails and other common attack vectors is crucial in preventing initial ransomware infiltration.