Triggers when a know ransomware note is found
Ransomware Note Found
Query
let RansomwareNotes = externaldata(RansomwareNote: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-notes.txt"] with (format="txt", ignoreFirstRecord=True);
let RansomwareNotesAddition = dynamic(['thisisanadditionalransomwarenote.txt']); // Add your missing / new extensions in this list.
let FalsePostiveWhitelist = dynamic(['whitelist.txt']); // Add the files that trigger a lot of false positives to this whitelist.
let RansomwareNoteRaw = RansomwareNotes
| extend RansomwareNoteRaw = replace_string(RansomwareNote, "*", '')
| distinct RansomwareNoteRaw;
DeviceFileEvents
| where (FileName has_any (RansomwareNoteRaw) or FileName has_any (RansomwareNotesAddition)) and not(FileName has_any (FalsePostiveWhitelist))
| project-reorder Timestamp, FileName, FolderPath, DeviceName, InitiatingProcessAccountNameAbout this query
Triggers when a know ransomware note is found
Query Information
Description
This query triggers when a known ransomware note is found.
Risk
The file might indicate that files are encryped for ransomware.
References
Defender XDR
Sentinel
let RansomwareNotes = externaldata(RansomwareNote: string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-notes.txt"] with (format="txt", ignoreFirstRecord=True);
let RansomwareNotesAddition = dynamic(['.thisisanadditionalransomwarenote']); // Add your missing / new extensions in this list.
let FalsePostiveWhitelist = dynamic(['.xxxxxxxxx']); // Add the files that trigger a lot of false positives to this whitelist.
let RansomwareNoteRaw = RansomwareNotes
| extend RansomwareNoteRaw = replace_string(RansomwareNote, "*", '')
| distinct RansomwareNoteRaw;
DeviceFileEvents
| where (FileName has_any (RansomwareNoteRaw) or FileName has_any (RansomwareNotesAddition)) and not(FileName has_any (FalsePostiveWhitelist))
| project-reorder TimeGenerated, FileName, FolderPath, DeviceName, InitiatingProcessAccountName
Explanation
This query is designed to detect the presence of known ransomware notes on a device, which could indicate that files have been encrypted due to a ransomware attack. Here's a simplified breakdown of the query:
-
Data Source: The query pulls a list of known ransomware note filenames from an external source (a GitHub repository) and stores them in a variable called
RansomwareNotes. -
Additional Notes: It allows for the addition of any new or missing ransomware note filenames through a list called
RansomwareNotesAddition. -
False Positives: To reduce false alarms, there's a whitelist (
FalsePostiveWhitelist) where filenames that frequently trigger false positives can be added. -
Processing: The query processes the list of ransomware notes to remove any wildcard characters and ensures each note is distinct.
-
Event Filtering: It then checks the
DeviceFileEventstable for any file events where the filename matches any of the known ransomware notes or additional notes, while excluding any filenames in the whitelist. -
Output: The results are organized to show the timestamp, filename, folder path, device name, and the account name of the process that initiated the file event.
This query helps in identifying potential ransomware attacks by flagging files that match known ransomware note patterns, allowing for further investigation and response.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators