
## Ransomware Double Extension

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1486 | Data Encrypted for Impact | https://attack.mitre.org/techniques/T1486/ |

#### Description
Detects possible ransomware file changes in which a custom extension is appended to encrypted files, producing names such as ".docx.encrypted" or ".pdf.ezz". Multiple ransomware groups use this technique: they do not replace the current extension but add a new one after it.

A possible false positive is an administrator renaming a large number of files.

#### Risk
Ransomware is being deployed in your environment. 

#### References
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml
- https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
- https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/


## Defender For Endpoint
```
// Based on https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml
// Add your most common file extensions to this list
let OriginalExtension = dynamic(['.pdf', '.docx', '.jpg', '.xlsx', '.pptx', '.txt']);
DeviceFileEvents
| where ActionType == "FileRenamed"
// Extract the last extension of the old name; anchored to the end of the name and allowing upper case
// and digits, so "my.report.PDF" yields ".PDF" rather than ".report"
| extend PreviousFileExtension = extract(@'\.([a-zA-Z0-9]+)$', 0, PreviousFileName)
// Everything from the first dot of the new name, e.g. ".docx.encrypted"
| extend NewFileExtension = extract(@'\.(.*)', 0, FileName)
// File extension must be changed
| where PreviousFileExtension != NewFileExtension
| where PreviousFileExtension has_any (OriginalExtension)
| extend RansomwareCheck = strcat(PreviousFileExtension, ".")
// Check if the new file extension contains a possible ransomware extension (e.g. .docx.encrypted or .pdf.ezz)
| where NewFileExtension contains RansomwareCheck
// Remove duplicate file extensions to limit false positives (e.g. .pdf.pdf or .docx.docx); !~ compares case-insensitively
| extend DuplicateExtensionCheck = split(NewFileExtension, ".")
| where tostring(DuplicateExtensionCheck[1]) !~ tostring(DuplicateExtensionCheck[2])
// Display results
| project-reorder
    Timestamp,
    PreviousFileExtension,
    PreviousFileName,
    NewFileExtension,
    FileName,
    DeviceName,
    InitiatingProcessAccountName
```
## Sentinel
```
// Based on https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml
// Add your most common file extensions to this list
let OriginalExtension = dynamic(['.pdf', '.docx', '.jpg', '.xlsx', '.pptx', '.txt']);
DeviceFileEvents
| where ActionType == "FileRenamed"
// Extract the last extension of the old name; anchored to the end of the name and allowing upper case
// and digits, so "my.report.PDF" yields ".PDF" rather than ".report"
| extend PreviousFileExtension = extract(@'\.([a-zA-Z0-9]+)$', 0, PreviousFileName)
// Everything from the first dot of the new name, e.g. ".docx.encrypted"
| extend NewFileExtension = extract(@'\.(.*)', 0, FileName)
// File extension must be changed
| where PreviousFileExtension != NewFileExtension
| where PreviousFileExtension has_any (OriginalExtension)
| extend RansomwareCheck = strcat(PreviousFileExtension, ".")
// Check if the new file extension contains a possible ransomware extension (e.g. .docx.encrypted or .pdf.ezz)
| where NewFileExtension contains RansomwareCheck
// Remove duplicate file extensions to limit false positives (e.g. .pdf.pdf or .docx.docx); !~ compares case-insensitively
| extend DuplicateExtensionCheck = split(NewFileExtension, ".")
| where tostring(DuplicateExtensionCheck[1]) !~ tostring(DuplicateExtensionCheck[2])
// Display results
| project-reorder
    TimeGenerated,
    PreviousFileExtension,
    PreviousFileName,
    NewFileExtension,
    FileName,
    DeviceName,
    InitiatingProcessAccountName
```



## Explanation

The query is designed to detect possible ransomware activity known as "Ransomware Double Extension". This technique appends a custom extension to encrypted files without removing the original extension, producing names such as ".docx.encrypted" or ".pdf.ezz". The query looks at file rename events where the previous extension differs from the new one and the previous extension is in a list of common file types. It then checks whether the new extension chain contains the previous extension followed by a dot, which indicates a possible ransomware extension, and discards renames that merely repeat the extension (for example ".pdf.pdf") to reduce false positives. The results include the timestamp, the old and new file names, the device name and the account of the process that performed the rename. The query can be used in Microsoft Defender for Endpoint or Azure Sentinel.
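To check the detection logic before deploying it, the same pipeline can be replayed offline over a handful of rename events. The Python below is an added example, not part of this page or of Bert-Jan Pals' query library: it reimplements the KQL filters (watched original extension, extension changed, original extension preserved and followed by a dot, duplicated extension excluded) and runs them over constructed DeviceFileEvents-style rows. It goes slightly beyond the query in two places: the previous extension is taken from the end of the name (so "my.report.PDF" gives ".pdf", not ".report"), and the duplicate check compares the last two segments instead of the second and third. The `RenameEvent` class, the sample rows and the device and account names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Watched original extensions; mirrors the OriginalExtension list in the KQL query. Tune per environment.
ORIGINAL_EXTENSIONS = {".pdf", ".docx", ".jpg", ".xlsx", ".pptx", ".txt"}

# Final extension of a file name, anchored to the end so "my.report.PDF" gives ".PDF", not ".report".
_LAST_EXT = re.compile(r"\.([A-Za-z0-9]+)$")


@dataclass(frozen=True)
class RenameEvent:
    """Constructed stand-in for one DeviceFileEvents row with ActionType == FileRenamed (hypothetical)."""
    timestamp: str
    previous_file_name: str
    file_name: str
    device_name: str
    account: str  # InitiatingProcessAccountName


def previous_extension(name: str) -> str:
    """Lower-cased final extension of a file name, or '' when the name has none."""
    m = _LAST_EXT.search(name)
    return m.group(0).lower() if m else ""


def new_extension_chain(name: str) -> str:
    """Everything from the first dot onward, lower-cased, e.g. ".docx.encrypted" (the query's extract on FileName)."""
    i = name.find(".")
    return name[i:].lower() if i != -1 else ""


def is_double_extension_rename(prev_name: str, new_name: str) -> bool:
    """Apply the query's filters to one rename: watched extension kept and a new suffix appended after it."""
    prev_ext = previous_extension(prev_name)
    new_chain = new_extension_chain(new_name)
    if prev_ext not in ORIGINAL_EXTENSIONS:
        return False  # no extension, or a type we do not watch
    if prev_ext == new_chain:
        return False  # extension did not change
    if prev_ext + "." not in new_chain:
        return False  # original extension was replaced rather than kept
    parts = new_chain.split(".")  # ".docx.encrypted" -> ["", "docx", "encrypted"]
    if parts[-1] == parts[-2]:
        return False  # ".pdf.pdf": duplicated extension, usually a benign rename
    return True


def find_double_extension_renames(events):
    """Return the events the query would surface, in input order."""
    return [e for e in events if is_double_extension_rename(e.previous_file_name, e.file_name)]


def renames_per_account(events):
    """Count flagged renames per (device, account); ransomware produces many hits in a short burst,
    while the administrator false positive from the description usually shows up as a single account too,
    so the count is a triage aid, not a verdict."""
    counts = {}
    for e in find_double_extension_renames(events):
        key = (e.device_name, e.account)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample rows; timestamps, hosts and accounts are invented for the example.
SAMPLE_EVENTS = [
    RenameEvent("2023-03-08T10:00:01Z", "Q1 report.docx", "Q1 report.docx.encrypted", "WS01", "jdoe"),
    RenameEvent("2023-03-08T10:00:02Z", "invoice.PDF", "invoice.PDF.ezz", "WS01", "jdoe"),  # upper-case original
    RenameEvent("2023-03-08T10:00:03Z", "photo.jpg", "photo.jpg.jpg", "WS02", "admin"),  # duplicated, excluded
    RenameEvent("2023-03-08T10:00:04Z", "notes.txt", "notes.md", "WS02", "admin"),  # extension replaced, excluded
    RenameEvent("2023-03-08T10:00:05Z", "backup.tar.gz", "backup.tar.gz.locked", "SRV01", "svc"),  # .gz not watched
    RenameEvent("2023-03-08T10:00:06Z", "memo.txt", "memo.txt.bak", "WS03", "admin"),  # the admin false positive
]

if __name__ == "__main__":
    for e in find_double_extension_renames(SAMPLE_EVENTS):
        print(e.timestamp, e.device_name, e.account, e.previous_file_name, "->", e.file_name)
    print(renames_per_account(SAMPLE_EVENTS))
```

The fifth sample row shows that the watch list decides what is visible: a ".tar.gz" archive gaining ".locked" is not flagged because ".gz" is not in `ORIGINAL_EXTENSIONS`, so the list should reflect the file types that matter in the environment. The last row is the administrator case from the description and is flagged like the others; the per-account count is what separates a single backup rename from a burst of encryptions.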

## Details

Bert-Jan Pals

Released: March 8, 2023

Tables: DeviceFileEvents

Keywords: Ransomware, Double, Extension, Query, Devices, Intune, User

Operators: where, extend, extract, has_any, contains, split, tostring, project-reorder
