Triggers when a known ransomware extension has been found
Ransomware Extension Found
Query
let RansomwareExtensionsInput = externaldata(Extension: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-extension-list.txt"] with (format="txt", ignoreFirstRecord=True);
let RansomwareExtensionAddition = dynamic(['.misingfromabovelist']); // Add your missing / new extensions in this list.
let RansomwareExtensions = materialize (
RansomwareExtensionsInput
| distinct Extension
| extend RawExtention = substring(Extension, 1,
string_size(Extension))
);
DeviceFileEvents
| where FileName has_any (RansomwareExtensions) or FileName has_any (RansomwareExtensionAddition)
| summarize
arg_max(Timestamp, *),
EncryptedFiles = make_set(FileName),
Locations = make_set(FolderPath)
by DeviceName
| extend TotalFileEncrypted = array_length(EncryptedFiles)
| project-reorder
Timestamp,
TotalFileEncrypted,
EncryptedFiles,
Locations,
InitiatingProcessAccountName
| sort by TotalFileEncryptedAbout this query
Explanation
This query is designed to detect potential ransomware activity by identifying files with known ransomware extensions. Here's a simplified explanation:
-
Purpose: The query aims to trigger an alert when a file with a known ransomware extension is detected. This could indicate that files have been encrypted as part of a ransomware attack.
-
Data Source: It uses a list of known ransomware file extensions from an external source (a GitHub repository) and allows for additional extensions to be manually added.
-
Process:
- It retrieves the list of known ransomware extensions.
- It checks for any files in the system that have these extensions.
- If such files are found, it collects information about them, including the file names and their locations.
-
Output:
- The query summarizes the findings by device, showing the most recent event, the total number of encrypted files, the names of these files, and their locations.
- It also includes the account name of the process that initiated the file changes.
- The results are sorted by the number of encrypted files, highlighting devices with the most potential ransomware activity.
-
Risk: The presence of these files could indicate that a ransomware attack has occurred, encrypting files to demand a ransom.
This query is implemented in both Microsoft Defender XDR and Sentinel environments, with slight variations in the timestamp field used (Timestamp for Defender XDR and TimeGenerated for Sentinel).
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators
MITRE Techniques