Skip to content
Threat Feed
high advisory

Windows High File Deletion Frequency Indicative of Ransomware

This analytic identifies a high frequency of file deletions by monitoring Sysmon EventCodes 23 and 26 for specific file extensions, which can indicate ransomware activity leading to data loss and operational disruption.

This detection identifies suspicious file deletion activity on Windows endpoints, often indicative of ransomware or wiper malware attempting to remove original files after encryption or data theft. The detection leverages Sysmon Event Codes 23 (FileDelete) and 26 (FileDeleteDetected) to monitor the deletion of files with specific extensions commonly targeted by ransomware, such as documents, databases, archives, and backups. The Splunk ES-CU analytic Windows High File Deletion Frequency triggers when a high number (100 or more) of these file deletions are observed within a short timeframe. The targeting of specific file types and the high frequency of deletions are key indicators of malicious activity rather than routine user behavior. This analytic is based on Splunk ES-CU analytic version 13, published on 2026-03-16.

Attack Chain

  1. Initial Access: The attacker gains initial access to the target system, often through phishing, exploitation of vulnerabilities, or compromised credentials.
  2. Privilege Escalation: The attacker escalates privileges to gain greater control over the system.
  3. Data Encryption: The attacker encrypts files on the system and network shares, rendering them inaccessible to the user.
  4. File Deletion: Using a tool or script, the attacker deletes the original, unencrypted files to prevent recovery without paying the ransom. This is tracked via Sysmon event codes 23 and 26.
  5. Ransom Note: The attacker deploys a ransom note demanding payment for the decryption key.
  6. Exfiltration (Optional): In some cases, the attacker may exfiltrate sensitive data before encryption to further extort the victim.
  7. System Disruption: The encrypted files and deleted originals cause significant disruption to business operations.

Impact

Successful execution of ransomware can lead to extensive data loss, significant financial costs (ransom payment, recovery efforts), reputational damage, and business interruption. Ransomware attacks frequently target critical infrastructure, healthcare, and financial institutions, impacting essential services. The deletion of original files after encryption, as detected by this analytic, exacerbates the damage by making data recovery without a decryption key impossible.

Recommendation

  • Enable Sysmon with File Delete and File Delete Detected event logging (Event ID 23 and 26) to provide the necessary data for this detection.
  • Deploy the provided Sigma rule High File Deletion Frequency to your SIEM to detect potential ransomware activity. Tune the threshold (currently 100) based on your environment's baseline.
  • Investigate any alerts generated by this detection, focusing on the process name, user, and affected files to determine if the activity is malicious.
  • Implement the filter windows_high_file_deletion_frequency_filter in your environment to reduce false positives, considering your organization's specific software usage patterns.
  • Consult the referenced Mandiant, VirusTotal, and Microsoft articles for more information on ransomware threats and attack techniques.

Detection coverage 1

High File Deletion Frequency

high

Detects a high number of file deletions within a short period, indicative of ransomware or wiper activity.

sigma tactics: impact techniques: T1485 sources: file_event, windows

Detection queries are available on the platform. Get full rules →