
Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches cover cloud objects that malicious actors can hold hostage by abusing the cloud provider's own encryption features, for example AWS KMS keys applied to data in S3.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-10-27
  • Author: Rod Soto, David Dorsey, Splunk
  • ID: f52f6c43-05f8-4b19-a9d3-5b8c56da91c2

Narrative

Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Cloud ransomware can be deployed by obtaining high-privilege credentials from targeted users or resources, then using those credentials to create encryption keys the attacker controls and re-encrypt the victim's data with them.

Detections

Name                                                           | Technique                 | Type
AWS Detect Users creating keys with encrypt policy without MFA | Data Encrypted for Impact | TTP
AWS Detect Users with KMS keys performing encryption S3        | Data Encrypted for Impact | Anomaly
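The two detections above, approximated in Python over constructed CloudTrail records so the logic can be read and tested offline. This is an added example, not Splunk's search content; field names follow the CloudTrail record format (eventSource, eventName, userIdentity.sessionContext.attributes.mfaAuthenticated, requestParameters.policy, additionalEventData.SSEApplied), the sample events and account/user ARNs are constructed, and the "baseline of known SSE-KMS writers" used for the anomaly check is an assumption about how one would implement the Anomaly-type detection, not how Splunk implements it.

```python
"""Approximation of the two Ransomware Cloud detections over CloudTrail records.

Added example, not Splunk's own search logic. Field names follow the
CloudTrail record format; all events below are constructed, not real logs.
"""
import fnmatch
import json
from collections import Counter

ACCT = "arn:aws:iam::123456789012:user/"  # constructed account / principal prefix

# Constructed sample events; only the fields the checks read are populated.
SAMPLE_EVENTS = [
    {  # KMS key created by a non-MFA session, policy grants kms:Encrypt -> fires
        "eventSource": "kms.amazonaws.com", "eventName": "CreateKey",
        "userIdentity": {"arn": ACCT + "alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "requestParameters": {"policy": json.dumps({"Statement": [
            {"Effect": "Allow", "Principal": {"AWS": ACCT + "alice"},
             "Action": ["kms:Encrypt", "kms:GenerateDataKey*"], "Resource": "*"}]})},
    },
    {  # Same grant, but the session was MFA-authenticated -> does not fire
        "eventSource": "kms.amazonaws.com", "eventName": "CreateKey",
        "userIdentity": {"arn": ACCT + "bob",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "requestParameters": {"policy": json.dumps({"Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "kms:*", "Resource": "*"}]})},
    },
    {  # No MFA, but the policy only allows DescribeKey -> does not fire
        "eventSource": "kms.amazonaws.com", "eventName": "CreateKey",
        "userIdentity": {"arn": ACCT + "dave",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "requestParameters": {"policy": json.dumps({"Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "kms:DescribeKey", "Resource": "*"}]})},
    },
    # S3 data events: objects written with SSE-KMS (customer-managed key)
    *[{"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
       "userIdentity": {"arn": ACCT + "carol"},
       "requestParameters": {"bucketName": "finance-reports", "x-amz-server-side-encryption": "aws:kms"},
       "additionalEventData": {"SSEApplied": "SSE_KMS"}} for _ in range(2)],
    *[{"eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
       "userIdentity": {"arn": ACCT + "mallory"},
       "requestParameters": {"bucketName": "finance-reports", "x-amz-server-side-encryption": "aws:kms"},
       "additionalEventData": {"SSEApplied": "SSE_KMS"}} for _ in range(3)],
    {  # Plain SSE-S3 write: not an SSE-KMS event, ignored by the KMS check
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "userIdentity": {"arn": ACCT + "mallory"},
        "requestParameters": {"bucketName": "finance-reports"},
        "additionalEventData": {"SSEApplied": "SSE_S3"}},
]


def mfa_authenticated(event):
    """CloudTrail records MFA state as the string "true"/"false"; missing means no MFA."""
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def policy_allows_encrypt(policy_json):
    """True if any Allow statement grants kms:Encrypt, including via wildcards such as kms:* or *."""
    try:
        policy = json.loads(policy_json)
    except (TypeError, ValueError):
        return False
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be given as an object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # IAM action names are case-insensitive and support glob-style wildcards
        if any(fnmatch.fnmatchcase("kms:encrypt", a.lower()) for a in actions):
            return True
    return False


def detect_createkey_without_mfa(events):
    """TTP: KMS CreateKey from a non-MFA session whose key policy allows kms:Encrypt."""
    return [e["userIdentity"]["arn"] for e in events
            if e.get("eventSource") == "kms.amazonaws.com"
            and e.get("eventName") == "CreateKey"
            and not mfa_authenticated(e)
            and policy_allows_encrypt(e.get("requestParameters", {}).get("policy"))]


def kms_s3_write_counts(events):
    """Count S3 object writes per principal where the object was encrypted with SSE-KMS."""
    counts = Counter()
    for e in events:
        if (e.get("eventSource") == "s3.amazonaws.com"
                and e.get("eventName") in ("PutObject", "CopyObject")
                and e.get("additionalEventData", {}).get("SSEApplied") == "SSE_KMS"):
            counts[e["userIdentity"]["arn"]] += 1
    return counts


def detect_new_kms_s3_encryptors(events, baseline_arns):
    """Anomaly: principals performing SSE-KMS writes that are absent from a baseline of
    known SSE-KMS writers (assumed here to be ARNs seen doing so in a prior lookback window)."""
    return {arn: n for arn, n in kms_s3_write_counts(events).items() if arn not in baseline_arns}


if __name__ == "__main__":
    print("CreateKey without MFA, encrypt allowed:", detect_createkey_without_mfa(SAMPLE_EVENTS))
    print("New SSE-KMS writers:", detect_new_kms_s3_encryptors(SAMPLE_EVENTS, {ACCT + "carol"}))
```

Running the block flags alice (key created without MFA with an Encrypt grant) and mallory (SSE-KMS writes from a principal outside the baseline) while bob, dave and carol stay quiet. The anomaly check deliberately counts only events whose SSEApplied is SSE_KMS, so ordinary SSE-S3 writes do not inflate a principal's count; in production the baseline set should come from a lookup built over a trailing window rather than a hard-coded set.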

Reference

source | version: 1