Signs of Ransomware File Activity
- An internal host is connected to one or more file servers via the SMB protocol and is rapidly reading files and then writing files of roughly the same size and with roughly the same file names
- This pattern is highly correlated with how ransomware interacts with file servers
- Given the potential for damage, the threat score for detections of this type is high
- The certainty score is driven by the volume and persistence of the observed activity
Possible Root Causes of Ransomware File Activity
- The internal host is infected with a variant of ransomware
- A benign application on the host is rapidly reading files from and writing files to a networked file share
- A user is compiling a large set of source files located on a file share, which produces a similar pattern of file reads and writes
Business Impact of Ransomware File Activity
- Ransomware encrypts files and transmits the encryption key to the attacker
- The attacker then attempts to extract a ransom from the organization (typically payable in a hard-to-trace cryptocurrency) in return for a promise to release the encryption key that allows the files to be recovered
- Even if your organization is willing to pay the ransom, there is no guarantee that the encryption key will be provided by the attacker
- Absent the encryption key, files will have to be restored from a backup and any changes since the last backup will be lost
How to Investigate Ransomware File Activity
- Examine the sample files referenced in the detection and see if the original files are missing and the files that have replaced them carry strange but similar file names or file extensions
- Check the directory in which the files reside for ransom notes with instructions on how to pay the ransom and retrieve the encryption key
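The following is an added example, not part of the original detection description, illustrating both the signal described under "Signs of Ransomware File Activity" and the steps under "How to Investigate". It replays constructed SMB file-activity events and pairs each write with a recent read of a similar-named, similar-sized file from the same host on the same server, scoring certainty by volume and persistence; it then applies the investigation steps to a constructed directory listing. The event fields, thresholds, size tolerances, ransom-note name hints and all file names are assumptions for illustration.

```python
"""Added example (not part of the original page): a toy detector for the
read/write-back pattern over SMB, plus a triage helper for one directory.
All event fields, thresholds and file names are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
import ntpath  # SMB paths are Windows-style regardless of the analyst's OS


@dataclass(frozen=True)
class SmbEvent:
    ts: float      # seconds (constructed clock)
    host: str      # internal client host
    server: str    # file server
    op: str        # "read" or "write"
    path: str      # UNC path on the share
    size: int      # bytes transferred


def names_similar(original: str, candidate: str) -> bool:
    """Roughly the same file name: identical, an extension appended
    (report.docx -> report.docx.locked) or the extension swapped
    (report.docx -> report.locked)."""
    a, b = ntpath.basename(original), ntpath.basename(candidate)
    return b.startswith(a) or ntpath.splitext(a)[0] == ntpath.splitext(b)[0]


def sizes_similar(read_size: int, write_size: int, slack=1024, ratio=0.10) -> bool:
    """Roughly the same size: encryption may add a header, IV or padding,
    so allow a small absolute plus relative tolerance (assumed values)."""
    return abs(write_size - read_size) <= slack + int(ratio * read_size)


def score_smb_activity(events, window_s=60.0, min_pairs=20):
    """Pair each write with a recent unmatched read of a similar file from the
    same host on the same server; certainty grows with the number of pairs
    (volume) and the time span they cover (persistence)."""
    recent_reads = defaultdict(list)   # (host, server) -> [(ts, path, size)]
    pairs = defaultdict(list)          # (host, server) -> [ts of each paired write]
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.server)
        recent_reads[key] = [r for r in recent_reads[key] if ev.ts - r[0] <= window_s]
        if ev.op == "read":
            recent_reads[key].append((ev.ts, ev.path, ev.size))
            continue
        for r in recent_reads[key]:
            if (ntpath.dirname(r[1]) == ntpath.dirname(ev.path)
                    and names_similar(r[1], ev.path) and sizes_similar(r[2], ev.size)):
                pairs[key].append(ev.ts)
                recent_reads[key].remove(r)   # each read backs at most one write
                break
    results = {}
    for key, stamps in pairs.items():
        duration = stamps[-1] - stamps[0]
        volume = min(1.0, len(stamps) / min_pairs)
        persistence = min(1.0, duration / window_s)
        results[key] = {
            "pairs": len(stamps),
            "duration_s": duration,
            "certainty": round(100 * (0.7 * volume + 0.3 * persistence)),
            "threat": "high",            # fixed by the damage potential, as the text says
            "detected": len(stamps) >= min_pairs,
        }
    return results


# Constructed name hints for ransom notes; real notes vary widely.
RANSOM_NOTE_HINTS = ("recover", "decrypt", "restore", "how_to", "how-to")


def triage_directory(sample_files, listing):
    """Investigation steps for one directory: which sample files from the
    detection are gone, which new look-alike files replaced them, and
    whether a note-like file appeared."""
    present, originals = set(listing), set(sample_files)
    missing = [f for f in sample_files if f not in present]
    new_files = [f for f in listing if f not in originals]
    replacements = {orig: [f for f in new_files if names_similar(orig, f)] for orig in missing}
    notes = [f for f in new_files
             if any(h in f.lower() for h in RANSOM_NOTE_HINTS)
             and ntpath.splitext(f)[1].lower() in (".txt", ".html", ".hta")]
    return {"missing": missing, "replacements": replacements, "ransom_notes": notes}


def constructed_events():
    """Constructed sample: one host rewrites 25 spreadsheets as .locked files
    within half a minute; a second host only reads files."""
    events = []
    for i in range(25):
        path = f"\\\\fs01\\finance\\Q3\\invoice_{i:03d}.xlsx"
        size = 40_000 + 500 * i
        events.append(SmbEvent(100.0 + i, "10.0.5.23", "fs01", "read", path, size))
        events.append(SmbEvent(100.5 + i, "10.0.5.23", "fs01", "write", path + ".locked", size + 256))
    for i in range(10):
        events.append(SmbEvent(100.0 + i, "10.0.7.4", "fs01", "read", f"\\\\fs01\\hr\\policy_{i}.pdf", 120_000))
    return events


SAMPLE_FILES = ["invoice_000.xlsx", "invoice_001.xlsx", "budget.docx"]
CURRENT_LISTING = ["invoice_000.xlsx.locked", "invoice_001.xlsx.locked",
                   "budget.docx", "HOW_TO_RESTORE_FILES.txt"]

if __name__ == "__main__":
    print(score_smb_activity(constructed_events()))
    print(triage_directory(SAMPLE_FILES, CURRENT_LISTING))
```

The scorer flags only the host that writes look-alike files back; the read-only host never appears in the results. As the root-cause list notes, a bulk-editing application or a compile job on a share can produce the same pairs, so the score is a prompt for the directory triage, not a verdict.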