Detection of WannaCry using Splunk and Sysmon
Publisher
Polytechnic University of Puerto Rico
Abstract
Ransomware remains a major topic of conversation in information security communities, as well as in politics and economics. It has caused major damage in all of these sectors, and researchers must keep evolving as ransomware does, finding new ways to detect and remove the threat. Ransomware’s sophisticated encryption and propagation schemes reduce a security team’s chances of recovering data to almost zero. The researcher investigated the use of Splunk Enterprise combined with Sysmon to detect and explore a specific ransomware threat. As a proof of concept, the researcher used a WannaCry sample and detected the first time it was executed. From there, an investigation can be performed and alerts can be configured to better aid the incident response team. The solution detects ransomware file creation through a Splunk search query built on Sysmon event codes.
Key Words – Detection, Ransomware, Splunk, Sysmon.
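The abstract describes detecting ransomware through its file-creation activity in Sysmon events. The following Python script is an added example, not code from the paper or its author: it parses constructed Sysmon records (JSON lines, field names after Sysmon's EventData) and flags any process that creates many files in a short window, which is the logic a Splunk search over Sysmon Event ID 11 (FileCreate) would express. The sample paths, process ids, the `sample.exe` name and the `.locked` extension are all made up for the example; WannaCry-specific indicators are not taken from the page and are not used.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon events in JSON-lines form, the shape a Sysmon-to-Splunk
# pipeline might produce. Field names follow Sysmon's EventData; every value,
# path, process id and the ".locked" extension are made up for this example.
SAMPLE_LOG = r"""
{"UtcTime": "2021-05-12 10:00:01.100", "EventID": 1,  "ProcessId": 4120, "Image": "C:\\Users\\u\\Downloads\\sample.exe", "TargetFilename": ""}
{"UtcTime": "2021-05-12 10:00:02.000", "EventID": 11, "ProcessId": 4120, "Image": "C:\\Users\\u\\Downloads\\sample.exe", "TargetFilename": "C:\\Users\\u\\Documents\\budget.xlsx.locked"}
{"UtcTime": "2021-05-12 10:00:02.400", "EventID": 11, "ProcessId": 4120, "Image": "C:\\Users\\u\\Downloads\\sample.exe", "TargetFilename": "C:\\Users\\u\\Documents\\notes.docx.locked"}
{"UtcTime": "2021-05-12 10:00:02.900", "EventID": 11, "ProcessId": 4120, "Image": "C:\\Users\\u\\Downloads\\sample.exe", "TargetFilename": "C:\\Users\\u\\Pictures\\photo.jpg.locked"}
{"UtcTime": "2021-05-12 10:00:03.300", "EventID": 11, "ProcessId": 4120, "Image": "C:\\Users\\u\\Downloads\\sample.exe", "TargetFilename": "C:\\Users\\u\\Documents\\thesis.pdf.locked"}
{"UtcTime": "2021-05-12 10:00:03.800", "EventID": 11, "ProcessId": 4120, "Image": "C:\\Users\\u\\Downloads\\sample.exe", "TargetFilename": "C:\\Users\\u\\Documents\\README_DECRYPT.txt"}
{"UtcTime": "2021-05-12 10:00:04.200", "EventID": 11, "ProcessId": 4120, "Image": "C:\\Users\\u\\Downloads\\sample.exe", "TargetFilename": "C:\\Users\\u\\Documents\\q3.pptx.locked"}
{"UtcTime": "2021-05-12 10:01:00.000", "EventID": 11, "ProcessId": 3344, "Image": "C:\\Program Files\\Office\\WINWORD.EXE", "TargetFilename": "C:\\Users\\u\\Documents\\~WRL0001.tmp"}
{"UtcTime": "2021-05-12 10:02:00.000", "EventID": 11, "ProcessId": 880,  "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\Temp\\update.log"}
{"UtcTime": "2021-05-12 10:05:30.000", "EventID": 11, "ProcessId": 3344, "Image": "C:\\Program Files\\Office\\WINWORD.EXE", "TargetFilename": "C:\\Users\\u\\Documents\\report.docx"}
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"
FILE_CREATE = 11  # Sysmon Event ID 11: FileCreate (Splunk's Windows add-on exposes it as EventCode=11)


def parse_events(text):
    """Parse JSON-lines Sysmon events, attaching a datetime for ordering."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.strptime(ev["UtcTime"], TIME_FMT)
        events.append(ev)
    return events


def appended_extension(path):
    """Return the trailing extension when a file name carries two of them
    (e.g. 'budget.xlsx.locked' -> '.locked'), a typical trace of a file being
    encrypted and renamed in place; otherwise None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.split(".")
    if len(parts) >= 3 and all(parts):
        return "." + parts[-1]
    return None


def find_bursts(events, threshold=5, window_s=10):
    """Flag any process that creates at least `threshold` files within
    `window_s` seconds. This is the same grouping a Splunk search would express
    roughly as: EventCode=11 | bin _time span=10s | stats count by _time, ProcessId, Image."""
    by_proc = defaultdict(list)
    for ev in events:
        if ev["EventID"] == FILE_CREATE:
            by_proc[(ev["ProcessId"], ev["Image"])].append(ev)

    alerts = []
    for (pid, image), creates in by_proc.items():
        creates.sort(key=lambda e: e["_time"])
        for i in range(len(creates)):
            # Grow the window from event i while events stay within window_s seconds.
            j = i
            while (j + 1 < len(creates)
                   and (creates[j + 1]["_time"] - creates[i]["_time"]).total_seconds() <= window_s):
                j += 1
            if j - i + 1 >= threshold:
                burst = creates[i:j + 1]
                exts = {appended_extension(e["TargetFilename"]) for e in burst}
                alerts.append({
                    "ProcessId": pid,
                    "Image": image,
                    "first_seen": burst[0]["UtcTime"],  # the first observed execution, for the timeline
                    "count": len(burst),
                    "new_extensions": sorted(x for x in exts if x),
                })
                break  # one alert per process is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run as-is it reports a single burst for process 4120 (six files in about two seconds, all but the ransom-note-like text file carrying an appended `.locked` extension), while the Office and service processes with occasional file creates stay silent. The threshold and window are the tuning knobs: too low and normal installers or backup jobs fire the alert, too high and a slow encryptor slips under it, so both should be baselined against the environment's own Sysmon data before the equivalent Splunk alert is scheduled.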
Description
Design Project Article for the Graduate Programs at Polytechnic University of Puerto Rico
Citation
Motta López, H. (2021). Detection of WannaCry using Splunk and Sysmon [Unpublished manuscript]. Graduate School, Polytechnic University of Puerto Rico.