Elastic Security Detection Rules

Potential Linux Ransomware Note Creation Detected

Last updated a year ago on 2025-02-04
Created 3 years ago on 2023-03-20

About

This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: ImpactData Source: Elastic DefendLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Impact (TA0040)(external, opens in a new tab or window)

Data Encrypted for Impact (T1486)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.file*
Related Integrations

endpoint(external, opens in a new tab or window)

Query
text code block:
sequence by process.entity_id, host.id with maxspan=1s
  [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
   and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*") and
   file.path : (
     "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", "/var/log/*", "/var/lib/log/*",
     "/var/backup/*", "/var/www/*") and
   not process.name : (
     "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
     "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
     "systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader", "rustup-init", "bun"
    )
  ] with runs=25
  [file where host.os.type == "linux" and event.action == "creation" and
   file.name : ("*restore*", "*lock*", "*recovery*", "*read*", "*instruction*", "*how_to*", "*ransom*")
  ]

Install detection rules in Elastic Security

Detect Potential Linux Ransomware Note Creation Detected in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).