---
title: Cloud storage object written with suspected ransomware file name
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Cloud storage object written with
  suspected ransomware file name
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Cloud storage object written with suspected ransomware file name
Classification:attackTactic:[TA0040-impact](https://attack.mitre.org/tactics/TA0040)Technique:[T1486-data-encrypted-for-impact](https://attack.mitre.org/techniques/T1486) 
## Goal{% #goal %}

Detect cloud storage objects written with file names commonly associated with ransom notes.

## Strategy{% #strategy %}

This rule monitors cloud storage file activity (OCSF class `6005`) for object create and update operations across AWS S3, Azure Storage, and GCP Cloud Storage. It triggers when files are written with names that combine keywords such as `decrypt`, `recover`, `restore`, `encrypt`, or `ransom` with common text file extensions (`.txt`, `.rtf`, `.md`, `.html`). These naming patterns match ransom note files that ransomware operators deploy after encrypting data. The rule excludes writes performed by `AWSService` principals to reduce false positives from legitimate AWS service operations.

## Triage and response{% #triage-and-response %}

- Review the file name and storage bucket targeted by the write from source IP `{{@ocsf.src_endpoint.ip}}` to determine if the file matches a known ransomware note pattern or a legitimate file.
- Identify the actor responsible for the write operation and verify whether the account credentials may have been compromised.
- Check for a high volume of additional object writes or overwrites from the same source IP around the same time, which may indicate active encryption of storage objects.
- Examine whether other storage buckets in the same account have been targeted by similar write operations.
- Review access logs for the affected storage account to determine if objects were read or downloaded in bulk prior to the ransom note being written, which may indicate data exfiltration preceding encryption.
- Contain the affected credentials by revoking active sessions and rotating access keys if the activity is confirmed as malicious.
