Antivirus Ransomware Detection

Detects a highly relevant antivirus alert that reports ransomware. This event must not be ignored just because the AV has blocked the malware; investigate how it got onto the system in the first place.

Sigma rule

title: Antivirus Ransomware Detection
id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
status: test
description: |
    Detects a highly relevant Antivirus alert that reports ransomware.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
    - https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7
    - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
    - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
    - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
    - https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2022-05-12
modified: 2024-11-02
tags:
    - attack.t1486
logsource:
    category: antivirus
detection:
    selection:
        Signature|contains:
            - 'BlackWorm'
            - 'Chaos'
            - 'Cobra'
            - 'ContiCrypt'
            - 'Crypter'
            - 'CRYPTES'
            - 'Cryptor'
            - 'CylanCrypt'
            - 'DelShad'
            - 'Destructor'
            - 'Filecoder'
            - 'GandCrab'
            - 'GrandCrab'
            - 'Haperlock'
            - 'Hiddentear'
            - 'HydraCrypt'
            - 'Krypt'
            - 'Lockbit'
            - 'Locker'
            - 'Mallox'
            - 'Phobos'
            - 'Ransom'
            - 'Ryuk'
            - 'Ryzerlo'
            - 'Stopcrypt'
            - 'Tescrypt'
            - 'TeslaCrypt'
            - 'WannaCry'
            - 'Xorist'
    condition: selection
falsepositives:
    - Unlikely
level: critical
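The following Python is an added example, not part of the Sigma rule or the Sigma project's own tooling. It applies the rule's `Signature|contains` selection to a handful of constructed antivirus events to show two things the YAML alone does not make obvious: Sigma's `contains` modifier is a case-insensitive substring match OR'd over the list, and the rule deliberately does not look at the AV's action field, so a "Blocked" verdict still produces a hit that needs triage. The field names `Computer`, `Signature`, `Action` and `Path`, and all event values, are constructed for this example.

```python
"""Apply the Sigma selection above to constructed antivirus events (added example)."""
from typing import Dict, Iterable, List

# Copied from the rule's Signature|contains list.
RANSOMWARE_SIGNATURE_TERMS = [
    "BlackWorm", "Chaos", "Cobra", "ContiCrypt", "Crypter", "CRYPTES", "Cryptor",
    "CylanCrypt", "DelShad", "Destructor", "Filecoder", "GandCrab", "GrandCrab",
    "Haperlock", "Hiddentear", "HydraCrypt", "Krypt", "Lockbit", "Locker",
    "Mallox", "Phobos", "Ransom", "Ryuk", "Ryzerlo", "Stopcrypt", "Tescrypt",
    "TeslaCrypt", "WannaCry", "Xorist",
]


def sigma_contains(value: str, needles: Iterable[str]) -> bool:
    """Sigma 'contains' on a list value: case-insensitive substring, OR over the list."""
    haystack = value.lower()
    return any(needle.lower() in haystack for needle in needles)


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: selection  ->  the single selection block decides the match."""
    signature = event.get("Signature")
    if not isinstance(signature, str):
        return False  # field absent or not a string: Sigma treats this as no match
    return sigma_contains(signature, RANSOMWARE_SIGNATURE_TERMS)


def triage(events: Iterable[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Group matching events by host. The AV action is reported, never filtered on:
    a blocked ransomware sample still means something delivered it to that host."""
    hits: Dict[str, List[Dict[str, str]]] = {}
    for event in events:
        if matches_rule(event):
            hits.setdefault(event.get("Computer", "<unknown host>"), []).append(event)
    return hits


# Constructed sample events (hypothetical hosts, paths and signature strings).
SAMPLE_EVENTS = [
    {"Computer": "WS-017", "Signature": "Ransom.Win32.LockBit.gen",
     "Action": "Blocked", "Path": "C:\\Users\\alice\\Downloads\\invoice.exe"},
    {"Computer": "WS-017", "Signature": "Trojan.Downloader.Agent",
     "Action": "Quarantined", "Path": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"},
    {"Computer": "SRV-02", "Signature": "HEUR:Trojan-Ransom.Win32.Phobos.x",
     "Action": "Detected", "Path": "C:\\ProgramData\\svc\\run.exe"},
    {"Computer": "WS-044", "Signature": "PUA.Toolbar.Generic",
     "Action": "Blocked", "Path": "C:\\Users\\bob\\Downloads\\setup.exe"},
    {"Computer": "WS-051", "Signature": "win.ransomware.wannacry",
     "Action": "Blocked", "Path": "C:\\Users\\carol\\Desktop\\tasksche.exe"},
]


if __name__ == "__main__":
    for host, events in triage(SAMPLE_EVENTS).items():
        for ev in events:
            print(f"{host}: {ev['Signature']} ({ev['Action']}) at {ev['Path']}")
```

Running the block prints the three ransomware hits on WS-017, SRV-02 and WS-051; the lowercase `win.ransomware.wannacry` signature matches because of the case-insensitive comparison, and the non-ransomware detections on WS-017 and WS-044 are left out. The `Action` value is carried through to the analyst because, as the rule's description says, a blocked sample is the start of an investigation, not the end of one.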
