Goal
Detect ransomware impact operations by correlating ransom note deployment, system service disruption, evidence destruction, and defense evasion within the same execution context.
Strategy
This correlation rule identifies ransomware impact operations by detecting combinations of the following activity groups:
- Ransom Note Deployment: Creation of ransom note files with characteristic naming patterns (for example, RESTORE, RECOVER, HOW_TO, RANSOM) under common user and system directories
- Service Disruption: Stopping system services using systemctl, indicating attempts to disable security tools, backups, or database services before encryption
- Evidence Destruction: Deletion of recently executed binaries, process self-deletion, deletion of system logs, or shell history tampering (deletion, truncation, or symlink to /dev/null)
The rule triggers different severity levels based on the combination of detected activities:
| Case | Severity | Condition |
|---|---|---|
| Full Ransomware Attack | Critical | Ransom Note Deployment, Service Disruption, and Evidence Destruction |
| Ransomware with Evidence Destruction | High | Ransom Note Deployment and Evidence Destruction |
| Ransomware with Service Disruption | High | Ransom Note Deployment and Service Disruption |
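The correlation described above, written out as an added example (this is not the rule's own query logic and not code from the page). It classifies constructed host telemetry events into the three activity groups, keys them by execution context (a host/container string here), and applies the severity table. The event field names (`ctx`, `type`, `path`, `exe`, `argv`, `target`), the directory lists, and the exact note-name regex are assumptions; the real rule's patterns are not shown on the page.

```python
"""Correlate ransomware impact activity groups per execution context.

Added example. Event schema, directory lists and regexes are assumptions;
every sample event below is constructed.
"""
import re
from collections import defaultdict

# Naming patterns the rule cites as examples. Kept case-sensitive on purpose:
# a case-insensitive match would also flag benign files such as restore_db.sql.
RANSOM_NOTE_RE = re.compile(r"RESTORE|RECOVER|HOW_TO|RANSOM")
# "Common user and system directories" (assumed set).
NOTE_DIRS = ("/home/", "/root/", "/var/www/", "/srv/", "/opt/", "/tmp/")
LOG_DIRS = ("/var/log/",)
HISTORY_RE = re.compile(r"/\.(?:bash|zsh|sh)_history$")

# Severity table from the rule, most specific case first. Every case requires
# the ransom note; service disruption plus log deletion alone never alerts.
SEVERITY = [
    ({"ransom_note", "service_disruption", "evidence_destruction"},
     "critical", "Full Ransomware Attack"),
    ({"ransom_note", "evidence_destruction"},
     "high", "Ransomware with Evidence Destruction"),
    ({"ransom_note", "service_disruption"},
     "high", "Ransomware with Service Disruption"),
]


def classify(event, recent_execs):
    """Map one event to an activity group, or None.

    recent_execs is the per-context set of binaries already executed; it backs
    the "deletion of recently executed binaries" sub-case. Self-deletion is
    also caught when the deleting process's own exe is the deleted path.
    """
    t = event["type"]
    path = event.get("path", "")
    if t == "exec":
        recent_execs.add(event["exe"])
        argv = event["argv"]
        if argv[:2] == ["systemctl", "stop"]:
            return "service_disruption"
        if argv[0] == "truncate" and any(HISTORY_RE.search(a) for a in argv):
            return "evidence_destruction"          # history truncation via CLI
        return None
    if t == "file_create" and path.startswith(NOTE_DIRS) \
            and RANSOM_NOTE_RE.search(path.rsplit("/", 1)[-1]):
        return "ransom_note"
    if t == "file_delete" and (path in recent_execs or path == event.get("exe")
                               or path.startswith(LOG_DIRS) or HISTORY_RE.search(path)):
        return "evidence_destruction"
    if t == "file_truncate" and HISTORY_RE.search(path):
        return "evidence_destruction"
    if t == "symlink" and event.get("target") == "/dev/null" and HISTORY_RE.search(path):
        return "evidence_destruction"
    return None


def correlate(events):
    """Return {ctx: (severity, case)} for every execution context that
    satisfies one of the rule's cases. Events must be in time order."""
    groups = defaultdict(set)
    recent = defaultdict(set)
    for ev in events:
        ctx = ev["ctx"]
        group = classify(ev, recent[ctx])
        if group:
            groups[ctx].add(group)
    alerts = {}
    for ctx, seen in groups.items():
        for required, severity, case in SEVERITY:
            if required <= seen:
                alerts[ctx] = (severity, case)
                break
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Context A: full chain inside one container.
    {"ctx": "web-01/nginx-7f3a", "type": "exec", "exe": "/tmp/.x/enc", "argv": ["/tmp/.x/enc", "--run"]},
    {"ctx": "web-01/nginx-7f3a", "type": "exec", "exe": "/usr/bin/systemctl",
     "argv": ["systemctl", "stop", "postgresql"]},
    {"ctx": "web-01/nginx-7f3a", "type": "file_create", "path": "/var/www/html/HOW_TO_RECOVER_FILES.txt"},
    {"ctx": "web-01/nginx-7f3a", "type": "file_delete", "path": "/tmp/.x/enc", "exe": "/tmp/.x/enc"},
    {"ctx": "web-01/nginx-7f3a", "type": "symlink", "path": "/root/.bash_history", "target": "/dev/null"},
    # Context B: note plus history tampering only.
    {"ctx": "db-02/host", "type": "file_create", "path": "/home/alice/RESTORE_MY_FILES.html"},
    {"ctx": "db-02/host", "type": "file_truncate", "path": "/home/alice/.bash_history"},
    # Context C: admin stops a service and rotates a log; no note, so no alert.
    {"ctx": "db-03/host", "type": "exec", "exe": "/usr/bin/systemctl", "argv": ["systemctl", "stop", "nginx"]},
    {"ctx": "db-03/host", "type": "file_delete", "path": "/var/log/nginx/access.log.1"},
]

if __name__ == "__main__":
    for ctx, (severity, case) in correlate(SAMPLE_EVENTS).items():
        print(f"{severity.upper():8} {ctx}: {case}")
```

Context C is the point of the table: `systemctl stop` plus log deletion is routine operations work, and the rule only escalates once a ransom note appears in the same execution context. The same-context requirement is what keeps a fleet-wide log rotation from correlating with an unrelated note on another host.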
Triage & Response
Isolate affected systems: Immediately disconnect the affected host and container (or pod) from the network — do not shut down, as memory forensics may be needed.
Activate incident response: Engage the ransomware response team and begin documenting all indicators of compromise.
Identify ransomware family: Investigate the impacted process(es) and analyze ransom note contents to determine the ransomware variant.
Assess encryption scope: Determine which files and systems are affected and verify backup system integrity.
Preserve evidence: Capture memory dumps and forensic images before any remediation attempts.
Validate backups: Confirm backup integrity and determine recovery options without paying ransom.
Investigate attack vector: Trace how the ransomware was delivered (for example, exploitation, compromised credentials, lateral movement).
Hunt for additional compromises: Search for ransomware artifacts on other systems using the same indicators.
Plan recovery: Develop a recovery strategy using clean backups and system rebuilds while deploying enhanced monitoring controls.
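For the hunting step, the following added example (not the page's own tooling) walks a filesystem root and reports the on-disk indicators named in the rule: ransom-note filenames under any directory, and shell history files that were symlinked to /dev/null or emptied. It builds a constructed fixture tree under a temporary directory so it runs offline; point `hunt()` at `/` (or a mounted image) on a real host. The note regex and history filenames are assumptions.

```python
"""Hunt for ransomware artifacts on disk. Added example; fixture is constructed."""
import os
import re
import tempfile
from pathlib import Path

# Same naming patterns the rule cites; case-sensitive to limit false positives.
RANSOM_NOTE_RE = re.compile(r"RESTORE|RECOVER|HOW_TO|RANSOM")
HISTORY_NAMES = {".bash_history", ".zsh_history", ".sh_history"}


def hunt(root):
    """Walk `root` and return a list of (indicator, path) findings.

    Indicators:
      ransom_note              filename matches a ransom-note pattern
      history_symlink_devnull  shell history is a symlink to /dev/null
      history_empty            shell history exists but is zero bytes (truncated)
    Symlinks are not followed, so a planted symlink loop cannot stall the walk.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if RANSOM_NOTE_RE.search(name):
                findings.append(("ransom_note", str(p)))
            if name in HISTORY_NAMES:
                if p.is_symlink() and os.readlink(p) == "/dev/null":
                    findings.append(("history_symlink_devnull", str(p)))
                elif p.is_file() and p.stat().st_size == 0:
                    findings.append(("history_empty", str(p)))
    return findings


def build_fixture():
    """Create a constructed directory tree with one compromised and one clean
    home directory; returns the temporary root path."""
    root = Path(tempfile.mkdtemp(prefix="hunt-"))
    alice = root / "home" / "alice"
    alice.mkdir(parents=True)
    (alice / "HOW_TO_RECOVER_FILES.txt").write_text("constructed ransom note\n")
    (alice / ".bash_history").symlink_to("/dev/null")
    bob = root / "home" / "bob"
    bob.mkdir()
    (bob / ".bash_history").write_text("ls -la\n")
    www = root / "var" / "www" / "html"
    www.mkdir(parents=True)
    (www / "index.html").write_text("<html></html>\n")
    return str(root)


if __name__ == "__main__":
    for indicator, path in sorted(hunt(build_fixture())):
        print(f"{indicator:24} {path}")
```

Run the same `hunt()` across the rest of the fleet with the note filename actually observed on the first host added to the regex; a hit elsewhere widens the isolation scope before encryption there completes.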