
Detecting ransomware - for Thwack "village" review and comments

By the defense/detection in "layers" approach, over the years I have used LEM/SEM + FIM to attempt ransomware activity detection.

My previous rules detected file creations with file extensions of known ransomware. It was very tedious to create the rules for each extension, and to maintain the group that held them with each new ransomware. For varying reasons for my environment, it was also difficult to find a consistent and acceptable level of false positives.

With renewed executive questions about our ransomware detection and defense posture, I just completed a lengthy and vigilant rebuild of my alert criteria. It's a more simple approach built by forcing rapid file creation and file renaming, examining the resulting events and event fields content, choosing very specific criteria for each, and carefully setting a correlation time at a "watermark" that is representative of "normal" activity for my environment.

I share it here not as a perfect rule, but hopefully for a beneficial "village of expert knowledge" discussion about it and maybe even something that would be useful to others trying to do the same.  The redactions are very specific file names on my network that cause false positives.

Looking forward to any resulting dialogue :-)

Craíg
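As an added illustration of the rate-based approach the post describes (example code written for this page, not the author's LEM/SEM rule or any SolarWinds product output), the script below runs a sliding-window correlation over constructed file create/rename events: it counts events per host and user, skips an assumed allow-list that stands in for the redacted site-specific file names, and alerts when the count inside the window exceeds a "watermark" threshold.

```python
from collections import deque
from datetime import datetime, timedelta

# Hypothetical allow-list standing in for the redacted site-specific file names
# that caused false positives; it is an assumption, not the author's list.
ALLOWLIST = {"~$report.docx", "index.lock"}


def build_sample_events():
    """Constructed sample events, not real log data: (ISO time, host, user, action, file name)."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # Normal activity: a user saves a few files over ten minutes.
    for i in range(5):
        events.append(((base + timedelta(minutes=2 * i)).isoformat(), "ws01", "alice", "create", f"draft{i}.docx"))
    # Noisy but benign: an editor lock file churned once a second (the allow-list case).
    for i in range(40):
        events.append(((base + timedelta(seconds=i)).isoformat(), "ws02", "bob", "create", "~$report.docx"))
    # Ransomware-like burst: 15 creates and 15 renames within three seconds on one host.
    for i in range(15):
        t = (base + timedelta(seconds=0.2 * i)).isoformat()
        events.append((t, "ws03", "carol", "create", f"photo{i}.jpg.locked"))
        events.append((t, "ws03", "carol", "rename", f"photo{i}.jpg"))
    return events


def correlate(events, window_seconds=10, watermark=20):
    """Sliding-window correlation: alert once per (host, user) when more than
    `watermark` file create/rename events land inside `window_seconds`."""
    windows = {}          # (host, user) -> deque of event times in the current window
    alerts, alerted = [], set()
    parsed = sorted((datetime.fromisoformat(ts), h, u, a, f) for ts, h, u, a, f in events)
    for t, host, user, action, fname in parsed:
        if action not in ("create", "rename") or fname in ALLOWLIST:
            continue
        q = windows.setdefault((host, user), deque())
        q.append(t)
        while t - q[0] > timedelta(seconds=window_seconds):
            q.popleft()       # drop events that fell out of the window
        if len(q) > watermark and (host, user) not in alerted:
            alerted.add((host, user))
            alerts.append({"host": host, "user": user, "count": len(q),
                           "first": q[0].isoformat(), "last": t.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(build_sample_events()):
        print(alert)
```

Tuning `window_seconds` and `watermark` against a baseline of normal activity is the same exercise the post describes as picking the correlation time "watermark".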