Suspicious Appended Extension

Aug 12, 2024 · attack.impact attack.t1486 ·

Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.

Sigma rule (View on GitHub)

 1title: Suspicious Appended Extension
 2id: e3f673b3-65d1-4d80-9146-466f8b63fa99
 3status: test
 4description: Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
 5references:
 6    - https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
 7    - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
 8author: frack113
 9date: 2022-07-16
10modified: 2023-11-11
11tags:
12    - attack.impact
13    - attack.t1486
14logsource:
15    product: windows
16    category: file_rename
17    definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword'
18detection:
19    selection:
20        SourceFilename|endswith:
21            - '.doc'
22            - '.docx'
23            - '.jpeg'
24            - '.jpg'
25            - '.lnk'
26            - '.pdf'
27            - '.png'
28            - '.pst'
29            - '.rtf'
30            - '.xls'
31            - '.xlsx'
32        TargetFilename|contains:
33            - '.doc.'
34            - '.docx.'
35            - '.jpeg.'
36            - '.jpg.'
37            - '.lnk.'
38            - '.pdf.'
39            - '.png.'
40            - '.pst.'
41            - '.rtf.'
42            - '.xls.'
43            - '.xlsx.'
44    filter_main_generic:
45        TargetFilename|endswith:
46            # Note: Please add more used extensions by backup or recovery software
47            - '.backup'
48            - '.bak'
49            - '.old'
50            - '.orig'
51            - '.temp'
52            - '.tmp'
53    filter_optional_anaconda:
54        TargetFilename|contains: ':\ProgramData\Anaconda3\'
55        TargetFilename|endswith: '.c~'
56    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
57falsepositives:
58    - Backup software
59level: medium

References

Analysis CHAOS.rar (MD5: 290C887999CD7D055DF166753EA1005B) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

Read More
Cyble - Onyx Ransomware Renames Its Leak Site To “VSOP”

Cyble shares its insights into the recent activities of the Onyx ransomware group and its new leak site name.

Read More

Suspicious Appended Extension

Sigma rule (View on GitHub)

References

Analysis CHAOS.rar (MD5: 290C887999CD7D055DF166753EA1005B) Malicious activity - Interactive analysis ANY.RUN

Cyble - Onyx Ransomware Renames Its Leak Site To “VSOP”

Related rules