Windows High File Deletion Frequency Indicative of Ransomware
This analytic identifies a high frequency of file deletions by monitoring Sysmon EventCodes 23 and 26 for specific file extensions, which can indicate ransomware activity leading to data loss and operational disruption.
This detection identifies suspicious file deletion activity on Windows endpoints, often indicative of ransomware or wiper malware attempting to remove original files after encryption or data theft. The detection leverages Sysmon Event Codes 23 (FileDelete) and 26 (FileDeleteDetected) to monitor the deletion of files with specific extensions commonly targeted by ransomware, such as documents, databases, archives, and backups. The Splunk ES-CU analytic Windows High File Deletion Frequency triggers when a high number (100 or more) of these file deletions are observed within a short timeframe. The targeting of specific file types and the high frequency of deletions are key indicators of malicious activity rather than routine user behavior. This analytic is based on Splunk ES-CU analytic version 13, published on 2026-03-16.
Attack Chain
- Initial Access: The attacker gains initial access to the target system, often through phishing, exploitation of vulnerabilities, or compromised credentials.
- Privilege Escalation: The attacker escalates privileges to gain greater control over the system.
- Data Encryption: The attacker encrypts files on the system and network shares, rendering them inaccessible to the user.
- File Deletion: Using a tool or script, the attacker deletes the original, unencrypted files to prevent recovery without paying the ransom. This is tracked via Sysmon event codes 23 and 26.
- Ransom Note: The attacker deploys a ransom note demanding payment for the decryption key.
- Exfiltration (Optional): In some cases, the attacker may exfiltrate sensitive data before encryption to further extort the victim.
- System Disruption: The encrypted files and deleted originals cause significant disruption to business operations.
Impact
Successful execution of ransomware can lead to extensive data loss, significant financial costs (ransom payment, recovery efforts), reputational damage, and business interruption. Ransomware attacks frequently target critical infrastructure, healthcare, and financial institutions, impacting essential services. The deletion of original files after encryption, as detected by this analytic, exacerbates the damage by making data recovery without a decryption key impossible.
Recommendation
- Enable Sysmon with File Delete and File Delete Detected event logging (Event ID 23 and 26) to provide the necessary data for this detection.
- Deploy the provided Sigma rule
High File Deletion Frequencyto your SIEM to detect potential ransomware activity. Tune the threshold (currently 100) based on your environment's baseline. - Investigate any alerts generated by this detection, focusing on the process name, user, and affected files to determine if the activity is malicious.
- Implement the filter
windows_high_file_deletion_frequency_filterin your environment to reduce false positives, considering your organization's specific software usage patterns. - Consult the referenced Mandiant, VirusTotal, and Microsoft articles for more information on ransomware threats and attack techniques.
Detection coverage 1
High File Deletion Frequency
highDetects a high number of file deletions within a short period, indicative of ransomware or wiper activity.
Detection queries are available on the platform. Get full rules →