
How to Use Splunk to Detect Ransomware Attacks

Eray ALTILI
4 min read · Jan 7, 2022


Ransomware has become a huge problem in the last few years, and detecting it remains a challenge. This post provides some examples of SIEM rules for detecting common ransomware behaviors, including high-frequency file deletion, process termination and service termination, as well as files written with known ransomware extensions and more.

Add Ransomware Detection Rules to Your SIEM

Security teams use a SIEM solution (such as Splunk, ELK or ArcSight) to detect the various stages of a ransomware attack. Two questions come up when writing such rules:

  • Can these rules detect most ransomware attacks?
  • Are there any other log sources that can provide additional coverage?

How to Use Splunk to Detect Ransomware Attacks

Companies use different software to detect ransomware attacks, such as antivirus (AV), endpoint detection and response (EDR), and SIEM solutions. In the case of a ransomware attack, your Splunk SIEM can help at multiple stages of the infection, including detecting:

  • Execution parameters the ransomware runs with
  • Privilege escalation, e.g., user account control bypass using CMSTPLUA COM interface
  • Disablement of Windows behavior monitoring
  • High-frequency file deletion, process termination and service termination
  • High-frequency creation of ransomware notes
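The behaviors in the list above are mostly rate-based: a single file deletion or process exit is normal, but dozens per minute on one host is not. The following script is an added example (not code from the original article) that replays a few constructed Windows Security and Sysmon-style events and applies the same per-host, per-time-window counting that a Splunk search such as `... | bin _time span=1m | stats count by _time, host | where count > N` would do. The event codes are real Windows ones (Security 4663 with the DELETE access mask 0x10000, Security 4689 process exit, System 7036 service state change, Sysmon 11 FileCreate and 23 FileDelete); the thresholds, extension list and ransom-note filename keywords are assumptions to tune for your environment.

```python
"""Toy ransomware-behaviour detector over constructed Windows event records.

Added example, not from the original article. Field names here are the script's
own; in Splunk the equivalent fields come from your Windows add-on and the same
logic is `bin _time span=1m | stats count by _time, host | where count > N`.
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative lists (assumptions): extensions used by known families and a crude
# filename heuristic for ransom notes. Extend both from your own threat intel.
RANSOM_EXTENSIONS = {".locky", ".wncry", ".cerber", ".ryk", ".encrypted"}
NOTE_KEYWORDS = ("decrypt", "readme", "recover")

WINDOW = timedelta(minutes=1)
THRESHOLDS = {            # events per host per window before alerting (assumed values)
    "file_delete": 50,
    "proc_kill": 20,
    "svc_stop": 5,
    "note_create": 5,
}


def classify(ev):
    """Map one event to a behaviour bucket, or None if it is not interesting."""
    code, obj = ev["code"], ev.get("object", "")
    name = os.path.basename(obj).lower()
    if code == 4663 and ev.get("access_mask") == "0x10000":   # Security: DELETE access
        return "file_delete"
    if code == 23:                                            # Sysmon: FileDelete
        return "file_delete"
    if code == 4689:                                          # Security: process exited
        return "proc_kill"
    if code == 7036 and ev.get("state") == "stopped":         # System: service stopped
        return "svc_stop"
    if code == 11 and any(k in name for k in NOTE_KEYWORDS):  # Sysmon: note-like file created
        return "note_create"
    return None


def detect(events, thresholds=THRESHOLDS, window=WINDOW):
    """Sliding-window rate detection per (host, behaviour) plus per-event extension matches.

    Returns a list of (behaviour, host, count, detail) tuples. Each rate-based
    behaviour fires at most once per host so a burst does not flood the alert queue.
    """
    alerts = []
    recent = defaultdict(deque)   # (host, behaviour) -> timestamps inside the window
    fired = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        obj = ev.get("object", "")
        # Point detection: a newly created file carrying a known ransomware extension.
        if ev["code"] == 11 and os.path.splitext(obj)[1].lower() in RANSOM_EXTENSIONS:
            alerts.append(("ransom_extension", ev["host"], 1, obj))
        kind = classify(ev)
        if kind is None:
            continue
        key = (ev["host"], kind)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:          # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= thresholds[kind] and key not in fired:
            fired.add(key)
            alerts.append((kind, ev["host"], len(q), ev["ts"]))
    return alerts


def sample_events():
    """Constructed events: one noisy workstation (WS01) and one quiet one (WS02)."""
    base = datetime(2022, 1, 7, 10, 0, 0)
    evs = []
    # WS01: 60 document deletions in 30 seconds, then an encrypted file and six notes.
    for i in range(60):
        evs.append({"ts": (base + timedelta(seconds=i // 2)).isoformat(), "host": "WS01",
                    "code": 4663, "access_mask": "0x10000",
                    "object": f"C:\\Users\\alice\\Documents\\report{i}.docx"})
    evs.append({"ts": (base + timedelta(seconds=31)).isoformat(), "host": "WS01",
                "code": 11, "object": "C:\\Users\\alice\\Documents\\report0.docx.locky"})
    for i in range(6):
        evs.append({"ts": (base + timedelta(seconds=32 + i)).isoformat(), "host": "WS01",
                    "code": 11, "object": f"C:\\Users\\alice\\dir{i}\\HOW_TO_DECRYPT.txt"})
    # WS02: three deletions spread over six minutes is ordinary user activity.
    for i in range(3):
        evs.append({"ts": (base + timedelta(minutes=3 * i)).isoformat(), "host": "WS02",
                    "code": 23, "object": f"C:\\temp\\scratch{i}.tmp"})
    return evs


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Running it prints three alerts, all for WS01: the deletion burst (fired at the 50th delete), the `.locky` file creation, and the ransom-note burst; WS02's slow trickle of deletions never crosses the threshold. The same structure carries over to a scheduled Splunk search: bucket by time, count by host (and user), compare against a threshold, and alert once per host rather than once per event.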


Written by Eray ALTILI

I am passionate about Technology, Cloud Computing, Machine Learning, Blockchain and Finance. All opinions are my own and do not express opinions of my employer.
