Triggers

  • A series of file modifications typically associated with ransomware.

Possible Root Causes

  • An account is being used to access an organization’s cloud storage and encrypt and rewrite files.
  • In some cases, automated jobs or services that perform widespread file renaming may trigger this detection.

Business Impact

  • Ransomware attacks directly impact access to the organization’s data and are popular among attackers due to the possibility of a quick transition from attack to monetization.
  • After files have been encrypted, the attacker will ask the organization to pay a ransom in return for a promise to provide the encryption key which would allow the files to be decrypted.
  • Even if an organization is willing to pay the ransom, there is no guarantee that the encryption key will be provided by the attacker or that the decryption process will work.
  • Absent the encryption key, an organization must rely on restoration of files from backups.

Steps to Verify

  • Review the integrity of the affected files and determine whether they appear encrypted.