Potential Ransomware Note File Dropped via SMB
The rule identifies the creation of files resembling ransomware notes via SMB, potentially indicating a remote ransomware attack on Windows systems.
This rule detects a potential ransomware attack by identifying the creation of files resembling ransomware notes via Server Message Block (SMB) protocol on Windows systems. The rule focuses on identifying an incoming SMB connection (port 445) followed by the creation of files with names commonly associated with ransomware notes, such as “readme”, “lock”, “recover”, and others. This activity is indicative of an attacker attempting to place ransom notes on a compromised system after gaining initial access, often as a precursor to or in conjunction with data encryption. The detection logic leverages Elastic Endpoint data, which provides detailed file creation and network connection events. The rule is designed to catch attackers who are attempting to deploy ransomware remotely via SMB, where they might place ransom notes to inform victims of the attack and provide instructions for recovery. The rule is intended for production environments and covers file events within user profile paths after an SMB connection is established.
Attack Chain
- The attacker gains initial access to a system on the network (e.g., through phishing, exploitation of a vulnerability, or stolen credentials).
- The attacker uses the compromised system to initiate an SMB connection to a target Windows host on port 445.
- The target Windows host accepts the incoming SMB connection.
- The attacker leverages the SMB connection to write files to the target host.
- The attacker creates files within user profile directories (e.g., C:\Users\*) with names resembling ransomware notes (e.g., “readme.txt”, “how_to_decrypt.hta”).
- The files are written by the kernel process with PID 4, indicating SMB I/O.
- The user accesses the created file, discovering the ransomware note.
- The attacker proceeds with encrypting data, deleting shadow copies, and other ransomware activities (not directly detected by this rule, but likely to follow).
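The two-stage correlation described above (inbound SMB on port 445, then a note-like file written by PID 4 under a user profile on the same host), as an added Python illustration that is not the rule's own EQL query; the event dictionaries, field names, time window and note-name fragments are simplified assumptions, and the sample telemetry is constructed.

```python
import re
from datetime import datetime, timedelta

SMB_PORT = 445
SYSTEM_PID = 4                 # SMB server-side writes are attributed to the System process
WINDOW = timedelta(minutes=5)  # assumed correlation window between connection and file write
# Illustrative note-name fragments; the production rule's list is not reproduced here
NOTE_NAME = re.compile(r"readme|lock|recover|decrypt|restore|how_to", re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)

def is_note_like(path: str) -> bool:
    """True for a file under a user profile whose name looks like a ransom note."""
    name = path.rsplit("\\", 1)[-1]
    return bool(USER_PROFILE.match(path)) and bool(NOTE_NAME.search(name))

def find_smb_note_drops(events: list[dict]) -> list[tuple[str, str]]:
    """Return (source_ip, file_path) for each note-like file creation by PID 4
    that follows a non-local inbound SMB connection on the same host within WINDOW."""
    inbound_smb: dict[str, list] = {}   # host -> [(timestamp, source_ip), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if (ev["category"] == "network" and ev["direction"] == "ingress"
                and ev["dst_port"] == SMB_PORT and not ev["src_ip"].startswith("127.")):
            inbound_smb.setdefault(host, []).append((ev["ts"], ev["src_ip"]))
        elif (ev["category"] == "file" and ev["action"] == "creation"
                and ev["pid"] == SYSTEM_PID and is_note_like(ev["path"])):
            for ts, src in inbound_smb.get(host, []):
                if timedelta(0) <= ev["ts"] - ts <= WINDOW:
                    alerts.append((src, ev["path"]))
                    break
    return alerts

# Constructed sample telemetry: one true positive and two events that must not alert.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "host": "ws01", "category": "network", "direction": "ingress",
     "src_ip": "10.0.0.50", "dst_port": SMB_PORT},
    {"ts": T0 + timedelta(seconds=40), "host": "ws01", "category": "file", "action": "creation",
     "pid": SYSTEM_PID, "path": r"C:\Users\alice\Desktop\README_TO_RECOVER.txt"},
    # Same kind of name written by a local user process (PID 1234), not via SMB: no alert
    {"ts": T0 + timedelta(seconds=50), "host": "ws01", "category": "file", "action": "creation",
     "pid": 1234, "path": r"C:\Users\alice\README.txt"},
    # PID 4 write on a different host that saw no inbound SMB connection: no alert
    {"ts": T0 + timedelta(seconds=60), "host": "ws02", "category": "file", "action": "creation",
     "pid": SYSTEM_PID, "path": r"C:\Users\bob\readme.txt"},
]

if __name__ == "__main__":
    for src, path in find_smb_note_drops(SAMPLE_EVENTS):
        print(f"ALERT: inbound SMB from {src} followed by note-like file {path}")
```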
Impact
A successful attack can lead to data encryption, data loss, financial losses due to ransom demands, reputational damage, and business disruption. Depending on the scope of the attack, multiple systems and users could be affected. The rule detects only the placement of ransom notes, which usually precedes full system compromise. Organizations across all sectors are at risk, particularly those with lax security practices or unpatched vulnerabilities.
Recommendation
- Deploy the provided EQL rule to your Elastic Security environment to detect potential ransomware note drops via SMB.
- Investigate any alerts generated by the EQL rule, focusing on the SMB connection source IP, the user ID associated with the file creation, and the contents of the created file.
- Enable Elastic Defend to collect the necessary file and network events for the rule to function correctly, as described in the setup instructions.
- Review historical SMB connection and file creation events to identify any existing patterns of benign activity that may cause false positives, as described in the false positive analysis section of the rule’s documentation.
- Implement network segmentation and access control policies to limit the exposure of SMB shares and prevent lateral movement within the network.
- Consider blocking connections from untrusted IP addresses to prevent potentially malicious SMB connections, based on the identified SMB connection [source.ip].
Detection coverage (2 queries)
Detect Potential Ransomware Note Creation via SMB
Severity: high. Detects the creation of a file with a name similar to ransomware note files after an SMB connection is established on a Windows host. This may indicate a remote ransomware attack via the SMB protocol.
Detect SMB Connection Followed by Potential Ransomware Note
Severity: high. This rule detects an incoming SMB connection followed by the creation of a potential ransomware note file. It focuses on IPv4 connections and filters out local connections.