This article answers the following question about the Ransom Note detections:
- Why are old files from my machine/backups suddenly being detected as a ransom note?
In some cases, old ransom note files from previous ransomware infections may have been accidentally restored from backups, or may have been sitting on the machine for a while without being scanned by a Manual Scan or Scheduled Scan. Aside from this, there are also scenarios like the following:
- Old ransom notes from older ransomware variants may not have a specific detection pattern yet. This usually happens when a threat actor uses the Ransomware as a Service (RaaS) model to target and infect victims. Indicators of Compromise (IOC) for these attacks should of course be detected by security vendors upon discovery; however, the contents of a RaaS ransom note may not always be consistent with the one created by the threat author. Since the tool is used by an entirely different entity that purchased or subscribed to it, that entity can create its own ransom note with its own contact information. If these notes have NOT been submitted as samples to security vendors, a pattern specific to these customized ransom notes might not be created until a sample has been collected.
- This also leads to panic and confusion among customers who were previously victims of a ransomware infection. If they were infected 2 years ago and suddenly get detections of a ransom note for the same ransomware variant, it is natural for them to be alarmed. However, some very quick ways to identify whether you are infected are to:
- Check the path of the detection. This tells you whether the directory has recently been restored from a previous backup. You can also:
- Confirm whether encrypted files are present in the same folder as the ransom note.
- Check the ‘Date Created’ property of the file to verify when it was generated.
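The three checks above can be scripted for triage. The following is an added example, not part of the original article; the encrypted-file extensions, backup path hints and 30-day threshold are assumed values, and the sample folder it builds is constructed for illustration.

```python
"""Triage an unexpected ransom-note detection with the three checks above."""
import tempfile
import time
from pathlib import Path

# Assumed, constructed values (not from the article): extensions that an
# encrypting ransomware appends, and path fragments that hint at a restore.
ENCRYPTED_SUFFIXES = {".locked", ".encrypted", ".crypt"}
BACKUP_HINTS = ("backup", "restore", "archive")
STALE_AFTER_DAYS = 30  # assumed threshold for "this note is old"


def creation_time(path: Path) -> float:
    """'Date Created' where the OS exposes it (st_birthtime on Windows/macOS).
    Linux usually lacks it, so st_ctime (inode change time) is the fallback;
    treat the result as a lower bound on the note's age in that case."""
    st = path.stat()
    return getattr(st, "st_birthtime", st.st_ctime)


def triage_ransom_note(note_path, now=None):
    """Check the detection path, sibling encrypted files and note age."""
    note = Path(note_path)
    now = time.time() if now is None else now
    age_days = (now - creation_time(note)) / 86400
    from_backup = any(h in str(note).lower() for h in BACKUP_HINTS)
    encrypted = sorted(p.name for p in note.parent.iterdir()
                       if p.is_file() and p.suffix.lower() in ENCRYPTED_SUFFIXES)
    return {
        "path": str(note),
        "note_age_days": round(age_days, 1),
        "path_suggests_restored_backup": from_backup,
        "encrypted_siblings": encrypted,
        # Old note, restored location, nothing encrypted next to it: likely a
        # leftover from a past incident rather than an active infection.
        "likely_stale_note": not encrypted
        and (from_backup or age_days > STALE_AFTER_DAYS),
    }


def build_sample_folder(with_encrypted=False) -> Path:
    """Constructed sample: a restored-backup folder holding a ransom note."""
    folder = Path(tempfile.mkdtemp(prefix="backup_restore_"))
    (folder / "README_DECRYPT.txt").write_text("constructed ransom note text")
    (folder / "report.docx").write_text("ordinary document")
    if with_encrypted:
        (folder / "report.docx.locked").write_text("constructed ciphertext")
    return folder / "README_DECRYPT.txt"
```

A note flagged as likely stale still deserves a look at the backup job that restored it; a note with encrypted siblings should be treated as an active incident.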