Detects KillNets Ransomware note and the file extension that has been used to encrypt files
Kill Net Ransomware Detection
Query
let killnetRansomNote = "ru.txt";
let killnetRansomExtension = ".killnet";
DeviceFileEvents
| where FileName =~ killnetRansomNote or FileName endswith killnetRansomExtension
| project-reorder Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLineAbout this query
Detects KillNets Ransomware note and the file extension that has been used to encrypt files
Query Information
Description
Detects KillNets Ransomware note and the file extension that has been used to encrypt files.
References
Defender XDR
Sentinel
let killnetRansomNote = "ru.txt";
let killnetRansomExtension = ".killnet";
DeviceFileEvents
| where FileName =~ killnetRansomNote or FileName endswith killnetRansomExtension
| project-reorder TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine
Explanation
This query is designed to detect files associated with the KillNet ransomware on a device. It specifically looks for two indicators:
- The presence of a ransomware note file named "ru.txt".
- Files that have been encrypted with the ".killnet" extension.
The query searches through device file events to find any files that match these criteria. It then organizes the results to show the timestamp of the event, the name of the device where the file was found, the name of the file, the path to the folder containing the file, and the command line of the process that initiated the file event. This helps in identifying and analyzing potential ransomware activity on the network.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators