Ransomware detection pipeline using known extensions


Since there is a lot of Ransomware activity going on, I would like to implement this list of know ramsomware extensions:

to be compared with the paths that my file server reports to Graylog as been written, read, or modified.

I created a CSV containing the extension list and other column with “Ransomware ALERT” so if I lookup for the extension the alert appears.

The problem is, the way lookup works is as far I understand “search for the message value on the CSV”, while the thing I want to do is “Look if any of the extensions in the lookup table appears on the path”.

Do you have any idea on how that can be implemented in graylog? I think it could be a powerful ransomware notification system! :smiley:

You might want to extract the extension from the path (using an extractor or a pipeline) in a seperate field.
Then look for the extension field through the CSV using a lookup table.

I ended using a regex to extract the extension from the path, then compare it with the table.
I have to do a separate lookup for full file names and others.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.