Ransomware Double Extention
Query
// Based on https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml
// Add your most common file extentions in this list
let OriginalExtension = dynamic(['.pdf', '.docx', '.jpg', '.xlsx', '.pptx', '.txt']);
DeviceFileEvents
| where ActionType == "FileRenamed"
// Extract file extension
| extend PreviousFileExtension = extract("\\.([a-z])*", 0, PreviousFileName)
| extend NewFileExtension = extract(@'\.(.*)', 0, FileName)
// File extension must be changed
| where PreviousFileExtension != NewFileExtension
| where PreviousFileExtension has_any (OriginalExtension)
| extend RansomwareCheck = strcat(PreviousFileExtension, ".")
// Check if the new file extension contains a possible ransomware extension (e.g. .docx.encrypted or .pdf.ezz
| where NewFileExtension contains RansomwareCheck
// Remove duplicate file extensions to limit false positives (e.g. .pdf.pdf or .docx.docx)
| extend DuplicateExtensionCheck = split(NewFileExtension, ".")
| where tostring(DuplicateExtensionCheck[1]) != tostring(DuplicateExtensionCheck[2])
// Group by device and process to count renamed files
| summarize
FileCount = count(),
RenamedFiles = make_list(FileName),
Timestamp = arg_max(Timestamp, *)
by DeviceName, InitiatingProcessAccountName
// Filter for more than 10 files renamed
| where FileCount > 10
// Display results
| project-reorder
Timestamp,
FileCount,
DeviceName,
InitiatingProcessAccountName,
RenamedFiles,
PreviousFileExtension,
PreviousFileName,
NewFileExtension,
FileNameAbout this query
Explanation
This query is designed to detect potential ransomware activity by identifying files that have been renamed with an additional extension, a common tactic used by ransomware to encrypt files. Here's a simple breakdown of what the query does:
-
Targeted Files: It focuses on files with common extensions like
.pdf,.docx,.jpg,.xlsx,.pptx, and.txt. -
Action Detection: It looks for file rename actions, specifically where the file's extension has changed.
-
Ransomware Pattern: The query checks if the new file extension includes the original extension followed by another extension (e.g.,
.docx.encrypted), which is typical of ransomware behavior. -
False Positive Reduction: To minimize false positives, it filters out cases where the new extension is simply a repetition of the original (e.g.,
.pdf.pdf). -
Bulk Renaming: It identifies instances where more than 10 files have been renamed in this manner by the same device or user, which could indicate a ransomware attack.
-
Output: The query outputs details such as the timestamp, number of files renamed, device name, user account, and the list of renamed files for further investigation.
This approach helps in early detection of ransomware attacks by flagging suspicious file renaming patterns that align with known ransomware techniques.
Details

Bert-Jan Pals
Released: February 16, 2025
Tables
Keywords
Operators
MITRE Techniques