The hypothesis is that the detection rule identifies potential ransomware activity through unusual file encryption or modification patterns, which could indicate an adversary attempting to encrypt and lock user data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to ransomware attacks early, before significant data loss or operational disruption occurs. Note, however, that the YARA rule below is a static signature rather than a behavioural rule: it targets the Svpeng Android ransomware family by matching a fragment of its ransom note (the hex string $a decodes to the ASCII text "nd your's device will reboot and") together with the truncated Android action name ADD_DEVICE_ADMI (from ADD_DEVICE_ADMIN, the intent used to request device-administrator rights, a common persistence step for Android lockers). It is therefore evaluated by whatever component scans files or memory (an endpoint agent, a sandbox, or a mobile app-vetting pipeline), with the resulting match events ingested into Sentinel; the rule itself never observes file-modification rates.
YARA Rule
rule ransomware : svpeng android
{
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "Ransomware"
        in_the_wild = true
    strings:
        // Hex-encoded ASCII fragment of the ransom note: "nd your's device will reboot and"
        $a = {6e 64 20 79 6f 75 72 27 73 20 64 65 76 69 63 65 20 77 69 6c 6c 20 72 65 62 6f 6f 74 20 61 6e 64}
        // Truncated form of the Android action string ADD_DEVICE_ADMIN (device-administrator request)
        $b = "ADD_DEVICE_ADMI"
    condition:
        // Both strings must be present; either one alone does not fire the rule
        $a and $b
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic, and its condition requires both of them ($a and $b). That keeps false positives low, since ADD_DEVICE_ADMIN also appears in legitimate device-administration and MDM apps, but it also means a sample that rewords the ransom note or alters the device-admin string evades the rule, and the exact-byte hex pattern $a is defeated by any change in case or spacing.
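The rule's two strings and its condition can be exercised offline without a YARA engine. The following Python is an added example, not part of the original page or the rule author's tooling: it decodes the hex pattern $a back to text, re-implements the "$a and $b" condition as plain byte searches, and runs it over sample buffers that are constructed for the example (they are not real Svpeng bytes). The buffer contents and names are assumptions.

```python
"""Offline re-implementation of the matching logic of the YARA rule
'ransomware : svpeng android' (added example, not the rule author's code).
Only plain byte searches are used, so no YARA engine is required."""

# $a copied verbatim from the rule: a YARA hex string without wildcards.
A_HEX = ("6e 64 20 79 6f 75 72 27 73 20 64 65 76 69 63 65 20 77 69 6c 6c "
         "20 72 65 62 6f 6f 74 20 61 6e 64")
# $b copied verbatim from the rule: a plain, case-sensitive ASCII string.
B_TEXT = b"ADD_DEVICE_ADMI"


def hex_pattern_to_bytes(pattern: str) -> bytes:
    """Convert a YARA hex string (no wildcards or jumps) to raw bytes."""
    return bytes.fromhex(pattern.replace(" ", ""))


A_BYTES = hex_pattern_to_bytes(A_HEX)


def decode_hex_pattern() -> str:
    """Return $a as readable text so an analyst can see what it targets."""
    return A_BYTES.decode("ascii")


def match_rule(data: bytes) -> dict:
    """Evaluate the rule's condition ($a and $b) over one buffer.

    Mirrors YARA semantics for these two patterns: $a is an exact byte
    sequence, $b is a case-sensitive ASCII string, and the rule only
    fires when both occur somewhere in the data. Offsets are returned
    so a match can be located in the scanned file.
    """
    a_off = data.find(A_BYTES)
    b_off = data.find(B_TEXT)
    return {
        "a": a_off if a_off >= 0 else None,
        "b": b_off if b_off >= 0 else None,
        "matched": a_off >= 0 and b_off >= 0,
    }


def scan(samples: dict) -> list:
    """Scan {name: bytes} and return the names the rule fires on, in order."""
    return [name for name, data in samples.items() if match_rule(data)["matched"]]


# Constructed sample buffers for the example (not real malware bytes).
# The ransom-note sentence contains "nd your's device will reboot and";
# the Android action name contains the truncated "ADD_DEVICE_ADMI".
SAMPLE_BOTH = (
    b"\x00" * 16
    + b"Press OK and your's device will reboot and lock"
    + b"\x00" * 8
    + b"android.app.action.ADD_DEVICE_ADMIN"
    + b"\x00" * 4
)
# Note text only: a rewritten sample that dropped the device-admin string.
SAMPLE_A_ONLY = b"Press OK and your's device will reboot and lock"
# Device-admin string only: what a legitimate MDM client would also contain.
SAMPLE_B_ONLY = b"android.app.action.ADD_DEVICE_ADMIN"
# A case change in the note defeats the exact-byte match of $a.
SAMPLE_CASE = SAMPLE_BOTH.replace(b"device", b"DEVICE")

SAMPLES = {
    "both": SAMPLE_BOTH,
    "note_only": SAMPLE_A_ONLY,
    "admin_only": SAMPLE_B_ONLY,
    "case_changed": SAMPLE_CASE,
}

if __name__ == "__main__":
    print("$a decodes to:", repr(decode_hex_pattern()))
    for name, data in SAMPLES.items():
        print(f"{name:13s} -> {match_rule(data)}")
    print("rule fires on:", scan(SAMPLES))
```

Only the "both" buffer fires; the note-only, admin-only and case-changed buffers do not, which is exactly the brittleness of a two-string exact signature. In production the rule would be compiled and run with the yara CLI or yara-python (yara.compile(source=...) followed by rules.match(data=...)); this helper deliberately does not handle YARA hex-string wildcards or jumps, which the rule does not use.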
Scenario: Scheduled Backup Job Execution
Description: A legitimate scheduled backup job (e.g., using Veeam, Acronis, or Windows Backup) is running and writing large numbers of files, typically compressed and encrypted, as part of a routine backup process; the burst of file writes resembles ransomware to a behavioural rule.
Filter/Exclusion: Check for process.name containing "Veeam" or "Acronis", then confirm that the executable runs from the vendor's install directory, carries the vendor's code signature, and coincides with a known backup schedule. A process name on its own is trivially spoofed by a renamed binary.
Scenario: File Quarantine by Antivirus Tool
Description: An antivirus engine (e.g., Bitdefender, Kaspersky, or Windows Defender) is moving detected files into an encrypted quarantine store and deleting the originals as part of a scan, which a behavioural rule can read as file encryption.
Filter/Exclusion: Check for process.name matching the engine's real executable rather than its product name; Windows Defender's engine runs as MsMpEng.exe, so a filter on "Windows Defender" never matches it. Verify that the executable is in the expected location and signed by the security vendor before excluding it.
Scenario: Admin Task for File Encryption for Compliance
Description: An administrator is encrypting data for compliance or data-protection purposes, for example enabling BitLocker on a volume or running a PowerShell script that encrypts individual files.
Filter/Exclusion: BitLocker encrypts whole volumes and does not appear as a process named "BitLocker"; it is managed through manage-bde.exe or the BitLocker PowerShell cmdlets (e.g., Enable-BitLocker), so key the exclusion on those. Do not exclude process.name "PowerShell" wholesale, since ransomware loaders commonly run from it; instead verify that the specific script is authorized, signed, and part of a documented compliance process.
Scenario: User-Initiated File Encryption for Personal Use
Description: A user is encrypting personal files using a tool like 7-Zip or VeraCrypt for personal data protection.
Filter/Exclusion: Check for process.name matching the actual binaries (7z.exe or 7zG.exe for 7-Zip, VeraCrypt.exe for VeraCrypt) rather than the product name, and verify that the user has access rights to the files and that the activity is not part of a larger suspicious pattern, such as encrypting everything on a network share rather than a handful of files in the user's own profile.
Scenario: Log File Compression or Archiving
Description: A system or application is compressing log files (e.g., using WinRAR, 7-Zip, or a custom script) as part of
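The scenarios above key their exclusions on substrings of process.name. The following Python is an added example, not from the original page or any vendor: it runs that substring filter and a stricter allow-list (binary name, install path and trusted code signature together) over constructed process events, and shows that the substring filter both misses 7-Zip's real binary name and waives a renamed binary running from a temp directory. The field names loosely follow ECS, and the install paths, signer subjects and file counts are assumptions made for the example.

```python
"""Exclusion tuning for the false-positive scenarios above (added example,
not part of the original page). Compares a name-substring filter with an
allow-list that also checks executable path and code signature, over
constructed process events."""

from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal shape of an endpoint event; fields loosely follow ECS
    (process.name, process.executable, process.code_signature.*)."""
    name: str
    executable: str
    signer: Optional[str]      # process.code_signature.subject_name
    signature_trusted: bool    # process.code_signature.trusted
    files_modified: int        # writes in the alert window (constructed)


# The page's suggestion: exclude when process.name contains a vendor keyword.
NAIVE_KEYWORDS = ("Veeam", "Acronis", "7-Zip", "VeraCrypt")


def naive_is_excluded(ev: ProcessEvent) -> bool:
    """Substring match on the process name only."""
    return any(k.lower() in ev.name.lower() for k in NAIVE_KEYWORDS)


@dataclass(frozen=True)
class AllowEntry:
    name: str               # exact binary name
    executable_prefix: str  # expected install directory
    signer: str             # expected code-signing subject


# Hypothetical allow-list. Install paths and signer subjects are assumptions
# for the example; confirm them from a known-good host before use.
ALLOWLIST = (
    AllowEntry("VeeamAgent.exe", "C:\\Program Files\\Veeam\\", "Veeam Software Group GmbH"),
    AllowEntry("7z.exe", "C:\\Program Files\\7-Zip\\", "Igor Pavlov"),
)


def strict_is_excluded(ev: ProcessEvent) -> bool:
    """Exclude only when name, install path and trusted signer all agree."""
    for entry in ALLOWLIST:
        if (
            ev.name.lower() == entry.name.lower()
            and ev.executable.lower().startswith(entry.executable_prefix.lower())
            and ev.signature_trusted
            and ev.signer == entry.signer
        ):
            return True
    return False


def triage(events: Iterable[ProcessEvent],
           is_excluded: Callable[[ProcessEvent], bool]) -> List[str]:
    """Return the executables of events that still alert after filtering."""
    return [ev.executable for ev in events if not is_excluded(ev)]


# Constructed events (hypothetical hosts, paths and counts).
EVENTS = [
    # Genuine backup agent from the vendor directory, vendor-signed.
    ProcessEvent("VeeamAgent.exe",
                 "C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\VeeamAgent.exe",
                 "Veeam Software Group GmbH", True, 12000),
    # Ransomware renamed to the backup agent, dropped in the user's temp dir.
    ProcessEvent("VeeamAgent.exe",
                 "C:\\Users\\bob\\AppData\\Local\\Temp\\VeeamAgent.exe",
                 None, False, 9000),
    # 7-Zip's binary is 7z.exe, so a filter on the keyword "7-Zip" never matches it.
    ProcessEvent("7z.exe", "C:\\Program Files\\7-Zip\\7z.exe",
                 "Igor Pavlov", True, 40),
    # Unsigned svchost.exe outside System32: classic masquerading.
    ProcessEvent("svchost.exe",
                 "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe",
                 None, False, 15000),
]

if __name__ == "__main__":
    print("still alerting (naive): ", triage(EVENTS, naive_is_excluded))
    print("still alerting (strict):", triage(EVENTS, strict_is_excluded))
```

With the substring filter the renamed binary in the temp directory is silently waived while the legitimate 7z.exe keeps alerting; with the allow-list the two vendor binaries are excluded and both temp-directory processes remain, which is the outcome each scenario above is actually asking for.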