Potential Linux Ransomware Note Creation Detected

This rule identifies a sequence in which a mass file encryption event is followed, by the same process and within a 1-second timespan, by the creation of a .txt file whose name contains ransomware keywords. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to each encrypted file.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2023/03/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
description = """
This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a
file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of
malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the
decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a
new file extension is added to the file.
"""
from = "now-9m"
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Ransomware Note Creation Detected"
risk_score = 47
rule_id = "c8935a8b-634a-4449-98f7-bb24d3b2c0af"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Impact",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
type = "eql"
query = '''
sequence by process.entity_id, host.id with maxspan=1s
  [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
   and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*") and
   file.path : (
     "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", "/var/log/*", "/var/lib/log/*",
     "/var/backup/*", "/var/www/*") and
   not process.name : (
     "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
     "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
     "systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader", "rustup-init", "bun"
    )
  ] with runs=25
  [file where host.os.type == "linux" and event.action == "creation" and
   file.name : ("*restore*", "*lock*", "*recovery*", "*read*", "*instruction*", "*how_to*", "*ransom*")
  ]
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Linux Ransomware Note Creation Detected

Ransomware encrypts files, demanding payment for decryption. Adversaries exploit Linux systems by executing mass file renaming and creating ransom notes. This detection rule identifies such behavior by monitoring rapid file changes and the creation of text files with ransom-related keywords, indicating potential ransomware activity. It focuses on unusual file operations in critical directories, excluding benign processes, to flag suspicious activities.

### Possible investigation steps

- Review the process.entity_id and host.id to identify the specific process and host involved in the alert. This will help in understanding the scope and potential impact of the activity.
- Examine the process.executable path to determine if the executable is located in a suspicious directory such as /tmp, /var/tmp, or /dev/shm, which are commonly used by adversaries for malicious activities.
- Analyze the file paths involved in the rename events to assess if critical directories like /home/*/Documents, /root, or /var/www are affected, indicating a higher risk of data compromise.
- Check the process.name against the list of excluded benign processes to ensure the activity is not a false positive caused by legitimate software updates or installations.
- Investigate the content and metadata of the created .txt files with names containing keywords like *restore*, *lock*, or *ransom* to confirm if they contain ransom notes or instructions, which would indicate a ransomware attack.
- Correlate the timing of the file rename and creation events to verify if they occurred within the 1-second timespan, supporting the hypothesis of a rapid mass encryption event typical of ransomware behavior.
- Assess the risk score and severity level to prioritize the response and determine if immediate containment actions are necessary to prevent further damage.

### False positive analysis

- Frequent software updates or installations can trigger the rule due to mass file renaming in critical directories. Exclude processes like dpkg, yum, dnf, and rpm if they are part of regular system maintenance.
- Development activities involving compilers or interpreters such as go, java, python, and node may cause false positives. Consider excluding these processes if they are part of routine development work.
- Automated backup or logging processes might create files with names similar to ransom notes. Exclude directories or processes associated with legitimate backup or logging activities to reduce false alerts.
- System administration tasks using tools like ansible-galaxy or semodule can mimic ransomware behavior. Exclude these processes if they are part of scheduled or known administrative operations.
- Web server operations in directories like /var/www/* might involve file creation and renaming. Exclude specific web server processes if they are identified as non-threatening and part of regular operations.

### Response and remediation

- Isolate the affected Linux system from the network immediately to prevent further spread of the ransomware and protect other systems.
- Identify and terminate the malicious process responsible for the mass file renaming and ransom note creation using the process.entity_id and host.id from the alert.
- Backup any unencrypted files and critical data from the affected system to a secure location to prevent data loss.
- Conduct a forensic analysis of the affected system to determine the entry point and scope of the ransomware attack, focusing on the directories and processes identified in the alert.
- Restore the affected system from a known good backup prior to the ransomware attack to ensure system integrity and data recovery.
- Apply security patches and updates to the affected system and any other vulnerable systems to close any exploited vulnerabilities.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to enhance detection capabilities for similar threats in the future."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1486"
name = "Data Encrypted for Impact"
reference = "https://attack.mitre.org/techniques/T1486/"

[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
```
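To make the EQL sequence logic concrete, the following is an added Python re-implementation of the query's matching conditions run over constructed file events; it is not part of the Elastic rule or this page. The short dict keys (pid, host, exe, proc, path, name, ext, ts) are stand-ins for the ECS fields process.entity_id, host.id, process.executable, process.name, file.path, file.name, file.extension and @timestamp, the benign-process list is abbreviated, and all events are constructed.

```python
# Added example: minimal re-implementation of the rule's sequence (25 suspicious renames, then a
# ransom-note-like creation, same process and host, within maxspan=1s). Not Elastic's code.
from fnmatch import fnmatch

MAXSPAN_S = 1.0   # sequence ... with maxspan=1s
RUNS = 25         # [rename step] with runs=25
EXEC_DIRS = ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*")
TARGET_DIRS = ("/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*",
               "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")
BENIGN = ("dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node")  # abbreviated
NOTE_NAMES = ("*restore*", "*lock*", "*recovery*", "*read*", "*instruction*", "*how_to*", "*ransom*")

def _any(value, patterns):
    # EQL ':' is a case-insensitive wildcard match; fnmatch on lowercased strings approximates it
    return any(fnmatch(value.lower(), p.lower()) for p in patterns)

def is_suspicious_rename(ev):
    """Step 1: rename with a non-empty extension, in a watched directory, by an executable
    running from an unusual location, and not one of the excluded package/dev tools."""
    return (ev["action"] == "rename" and bool(ev["ext"]) and _any(ev["exe"], EXEC_DIRS)
            and _any(ev["path"], TARGET_DIRS) and not _any(ev["proc"], BENIGN))

def is_note_creation(ev):
    """Step 2: creation of a file whose name carries a ransom-note keyword."""
    return ev["action"] == "creation" and _any(ev["name"], NOTE_NAMES)

def detect(events):
    """Return the (process.entity_id, host.id) keys whose event stream matches the sequence."""
    hits, by_key = set(), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key.setdefault((ev["pid"], ev["host"]), []).append(ev)
    for key, evs in by_key.items():
        renames = []   # timestamps of qualifying renames for this key, in time order
        for ev in evs:
            if is_suspicious_rename(ev):
                renames.append(ev["ts"])
            elif (is_note_creation(ev) and len(renames) >= RUNS
                  and ev["ts"] - renames[-RUNS] <= MAXSPAN_S):
                hits.add(key)  # the 25 most recent renames plus the note fit in the span
    return hits

def sample_events(n_renames=RUNS, step=0.02, proc=".x"):
    """Constructed events: one process renames n files in a user's Documents, then drops a note."""
    base = dict(pid="p1", host="h1", exe="/tmp/" + proc, proc=proc)
    evs = [dict(base, ts=10.0 + i * step, action="rename", ext="locked",
                path=f"/home/alice/Documents/f{i}.docx.locked", name=f"f{i}.docx.locked")
           for i in range(n_renames)]
    evs.append(dict(base, ts=10.0 + n_renames * step, action="creation", ext="txt",
                    path="/home/alice/Documents/HOW_TO_RESTORE.txt", name="HOW_TO_RESTORE.txt"))
    return evs
```

Varying `n_renames`, `step` and `proc` shows the three ways the sequence fails to fire: too few renames, renames spread beyond the one-second span, or an excluded process name.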
