Query Details

Detects KillNets Ransomware note and the file extension that has been used to encrypt files

Kill Net Ransomware Detection

Query

let killnetRansomNote = "ru.txt";
let killnetRansomExtension = ".killnet";
DeviceFileEvents
| where FileName =~ killnetRansomNote or FileName endswith killnetRansomExtension
| project-reorder Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine

About this query

Detects KillNets Ransomware note and the file extension that has been used to encrypt files

Query Information

Description

Detects KillNets Ransomware note and the file extension that has been used to encrypt files.

References

Defender XDR

Sentinel

let killnetRansomNote = "ru.txt";
let killnetRansomExtension = ".killnet";
DeviceFileEvents
| where FileName =~ killnetRansomNote or FileName endswith killnetRansomExtension
| project-reorder TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine

Explanation

This query is designed to detect files associated with the KillNet ransomware on a device. It specifically looks for two indicators:

  1. The presence of a ransomware note file named "ru.txt".
  2. Files that have been encrypted with the ".killnet" extension.

The query searches through device file events to find any files that match these criteria. It then organizes the results to show the timestamp of the event, the name of the device where the file was found, the name of the file, the path to the folder containing the file, and the command line of the process that initiated the file event. This helps in identifying and analyzing potential ransomware activity on the network.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEvents

Operators

let=~orendswithproject-reorder

Actions

GitHub