Determine Encryption Scope and Affected Systems

Analysis | P1 | 90 min
Role: IR Analyst

Enumerate all systems and file shares affected by ransomware encryption. Determine the percentage of files encrypted per host, identify unaffected systems, and catalog critical data that was impacted.

Actions

  1. Run a Velociraptor hunt across all endpoints to detect encrypted file extensions: `Windows.Search.FileFinder` with glob pattern `C:\**\*.{locked,encrypted,crypt,enc}` -- summarize results by host and directory. Add the ransom-note names observed in this incident (for example `DECRYPT_*.txt`, `README_RANSOM*`) to the same hunt: a dropped note marks a directory the malware reached even where the extension it used is not in the list above.
  2. Check file server shares for encryption markers: `Get-ChildItem -Path \\fileserver\shares -Recurse -File -ErrorAction SilentlyContinue -Include "*.locked","*.encrypted","*.crypt","DECRYPT_*.txt","README_RANSOM*" | Group-Object Directory | Select Name, Count` (`-ErrorAction SilentlyContinue` keeps access-denied errors on individual folders from aborting the listing).
  3. Query EDR for file rename storms indicating encryption activity: `DeviceFileEvents | where ActionType == "FileRenamed" | summarize RenameCount=count() by DeviceName, bin(Timestamp, 5m) | where RenameCount > 100`. Treat the threshold as a starting point: backup agents, build servers and sync clients can legitimately exceed it. Some ransomware families write a new encrypted file and delete the original instead of renaming it, so run the same aggregation over `FileCreated` and `FileDeleted` as well.
  4. Determine the encryption start and end time per host from the earliest and latest encryption events. Prefer EDR or USN-journal timestamps over NTFS file times: a rename does not update LastWriteTime, malware that rewrites files in place does, and some families timestomp. Ordering hosts by first encryption time reveals the attack propagation sequence; normalize all timestamps to UTC first so clock skew between hosts does not reorder it.
  5. Assess backup impact: verify backup systems (Veeam, Commvault) were not encrypted and that catalogs and repositories are intact. Check backup catalogs: `Get-VBRBackup | Select Name, LastModified, IsConsistent` and verify integrity of recent restore points by test-restoring a sample. Treat DFSR replicas as potentially affected rather than as backups: replication propagates encrypted files to every replica member. Also check whether Volume Shadow Copies survived (`vssadmin list shadows` on affected hosts), since ransomware commonly deletes them before encrypting.
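Putting steps 1 to 5 together, the following Python script (an added example, not part of the original playbook) reduces exported hunt and EDR results to the scope record this step asks for: encrypted-file count and percentage per host, first and last encryption time, propagation order, unaffected hosts, and the rename-storm bins from step 3. The CSV columns, the sample events and the per-host inventory counts are constructed assumptions; map your own export to them.

```python
"""Scope summary over exported endpoint telemetry (added example, not part of
the original playbook). Assumes EDR/hunt results exported to CSV with the
columns Timestamp, DeviceName, ActionType, FileName, FolderPath; the column
names, sample rows and per-host file inventory are constructed."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

RANSOM_EXTENSIONS = {"locked", "encrypted", "crypt", "enc", "ransom"}
RANSOM_NOTE_PREFIXES = ("DECRYPT_", "README_RANSOM")

# Constructed sample export: one row per EDR file event (UTC timestamps).
SAMPLE_EVENTS_CSV = r"""Timestamp,DeviceName,ActionType,FileName,FolderPath
2024-05-01T01:58:20Z,FS01,FileRenamed,budget.xlsx.locked,\\FS01\finance
2024-05-01T01:58:21Z,FS01,FileRenamed,q1.docx.locked,\\FS01\finance
2024-05-01T01:58:25Z,FS01,FileCreated,DECRYPT_FILES.txt,\\FS01\finance
2024-05-01T02:10:02Z,WS-HR-07,FileRenamed,payroll.csv.locked,C:\Users\hr\Documents
2024-05-01T02:10:03Z,WS-HR-07,FileRenamed,notes.txt,C:\Users\hr\Documents
2024-05-01T02:40:45Z,WS-ENG-12,FileRenamed,design.pdf.encrypted,C:\Users\eng\Desktop
2024-05-01T03:00:00Z,WS-SALES-03,FileCreated,report.pptx,C:\Users\sales\Desktop
"""

# Constructed per-host file counts from the Velociraptor inventory hunt;
# hosts listed here with no encryption events are reported as unaffected.
SAMPLE_INVENTORY = {"FS01": 4, "WS-HR-07": 8, "WS-ENG-12": 10,
                    "WS-SALES-03": 5, "DC01": 20}


def parse_events(csv_text):
    """Parse the export; Timestamp becomes a datetime so events can be ordered."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["Timestamp"] = datetime.strptime(row["Timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def is_encrypted_name(filename):
    """True when the final extension is one of the known ransomware extensions."""
    return "." in filename and filename.rsplit(".", 1)[1].lower() in RANSOM_EXTENSIONS


def is_ransom_note(filename):
    return filename.upper().startswith(RANSOM_NOTE_PREFIXES)


def _new_entry(total):
    return {"encrypted": 0, "total": total, "percent": 0.0,
            "first": None, "last": None, "note": False}


def summarize_scope(events, inventory):
    """Per host: encrypted-file count and percentage of inventoried files,
    first/last encryption time, and whether a ransom note was dropped."""
    summary = {host: _new_entry(total) for host, total in inventory.items()}
    for ev in events:
        entry = summary.setdefault(ev["DeviceName"], _new_entry(0))
        if is_ransom_note(ev["FileName"]):
            entry["note"] = True
        if not is_encrypted_name(ev["FileName"]):
            continue
        ts = ev["Timestamp"]
        entry["encrypted"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    for entry in summary.values():
        if entry["total"]:
            entry["percent"] = round(100.0 * entry["encrypted"] / entry["total"], 2)
    return summary


def propagation_order(summary):
    """Affected hosts sorted by first encryption time: the propagation sequence."""
    affected = [(e["first"], h) for h, e in summary.items() if e["first"] is not None]
    return [h for _, h in sorted(affected)]


def unaffected_hosts(summary):
    return sorted(h for h, e in summary.items() if e["encrypted"] == 0)


def rename_storm_bins(events, threshold=100, bin_minutes=5):
    """Mirror of the EDR rename-storm query: FileRenamed events per host per
    time bin, returning only the (host, bin_start) pairs above the threshold."""
    counts = Counter()
    for ev in events:
        if ev["ActionType"] != "FileRenamed":
            continue
        bin_start = ev["Timestamp"].replace(second=0, microsecond=0)
        bin_start -= timedelta(minutes=bin_start.minute % bin_minutes)
        counts[(ev["DeviceName"], bin_start)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS_CSV)
    scope = summarize_scope(events, SAMPLE_INVENTORY)
    for host in propagation_order(scope):
        e = scope[host]
        print(f"{host}: {e['encrypted']}/{e['total']} files ({e['percent']}%) "
              f"{e['first']:%H:%M:%S}-{e['last']:%H:%M:%S} note={e['note']}")
    print("unaffected:", unaffected_hosts(scope))
    print("rename storms (threshold lowered to 1 for the tiny sample):",
          rename_storm_bins(events, threshold=1))
```

The inventory count is what turns a raw hit list into a percentage and, just as important, into an explicit list of hosts that were hunted and came back clean; a host missing from both the inventory and the events is unknown, not unaffected, and should be chased separately.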

Queries

KQL (Microsoft Defender XDR), first and last encryption per host. FileCreated is included alongside FileRenamed because some families write a new encrypted file and delete the original instead of renaming it:
DeviceFileEvents | where Timestamp > ago(48h) | where ActionType in ("FileRenamed", "FileCreated") | extend NewExtension=tolower(tostring(split(FileName, ".")[-1])) | where NewExtension in ("locked","encrypted","crypt","enc","ransom") | summarize EncryptedFiles=count(), FirstEncryption=min(Timestamp), LastEncryption=max(Timestamp) by DeviceName | order by FirstEncryption asc
SPL (CrowdStrike events in Splunk), per-host counts and time range. Grouping by the sensor id `aid` as well as `ComputerName` keeps renamed or re-imaged hosts apart; the affected-host total is computed in a second pass because a `dc(aid)` inside a per-host grouping is always 1:
index=edr sourcetype=crowdstrike:events event_type=FileWritten file_extension IN ("locked","encrypted","crypt") | stats count as encrypted_files earliest(_time) as first_seen latest(_time) as last_seen by aid, ComputerName | sort first_seen | eventstats dc(aid) as affected_hosts
KQL (Microsoft Defender XDR), antivirus detections with ransomware in the detection metadata, to catch hosts where the file queries come back empty because encryption was blocked:
DeviceEvents | where Timestamp > ago(48h) | where ActionType has "AntivirusDetection" | where AdditionalFields has "Ransom" | summarize DetectionCount=count() by DeviceName, AdditionalFields | order by DetectionCount desc

Notes

  • Some ransomware variants encrypt only the first few MB of each file (partial encryption), or alternate encrypted and untouched blocks (intermittent encryption) to finish faster. Large files such as databases and VM disks may then be partly recoverable without a decryptor; a chunked entropy scan of a sample file shows which regions are still intact.
  • Document the encryption scope precisely -- this is the basis for the recovery plan and determines rebuild vs. restore decisions for each system.
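To check the partial-encryption note against a recovered sample, the following Python script (an added example, not from the original playbook) scans a file in fixed-size chunks, computes per-chunk Shannon entropy and reports whether the pattern is full, header-only or intermittent, plus how many bytes remain plaintext and where they start. The sample files are constructed in memory, with seeded random bytes standing in for ciphertext; the chunk size and entropy threshold are assumptions to tune against the real sample.

```python
"""Chunked entropy scan to tell full, header-only and intermittent encryption
apart (added example, not part of the original playbook). The 'files' are
built in memory from constructed CSV text and a seeded random generator
standing in for ciphertext, so the script runs offline."""
import math
import random
from collections import Counter

CHUNK_SIZE = 4096
HIGH_ENTROPY = 7.5  # bits/byte; ciphertext sits near 8.0, text and CSV near 4-5


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data, chunk_size=CHUNK_SIZE):
    """[(offset, entropy)] for every chunk of the file, in order."""
    return [(off, shannon_entropy(data[off:off + chunk_size]))
            for off in range(0, len(data), chunk_size)]


def classify_encryption(data, chunk_size=CHUNK_SIZE, threshold=HIGH_ENTROPY):
    """Label the file 'none', 'full', 'partial_header' (encrypted prefix,
    intact tail) or 'intermittent' (encrypted and intact chunks interleaved),
    and report how many bytes remain plaintext and where they start."""
    profile = entropy_profile(data, chunk_size)
    flags = [ent >= threshold for _, ent in profile]
    encrypted, total = sum(flags), len(flags)
    if encrypted == 0:
        pattern = "none"
    elif encrypted == total:
        pattern = "full"
    elif all(flags[:encrypted]) and not any(flags[encrypted:]):
        pattern = "partial_header"
    else:
        pattern = "intermittent"
    plain_chunks = [(off, len(data[off:off + chunk_size]))
                    for (off, _), hit in zip(profile, flags) if not hit]
    return {
        "pattern": pattern,
        "encrypted_chunks": encrypted,
        "total_chunks": total,
        "first_plaintext_offset": plain_chunks[0][0] if plain_chunks else None,
        "plaintext_bytes": sum(size for _, size in plain_chunks),
    }


def build_sample(encrypted_chunks, total_chunks=16, chunk_size=CHUNK_SIZE, seed=1):
    """Constructed test file: low-entropy CSV text with the listed chunk
    indexes replaced by seeded random bytes standing in for ciphertext."""
    rng = random.Random(seed)
    plain = (b"2024-Q1,region=EMEA,revenue=1250000\n" * 200)[:chunk_size]
    out = bytearray()
    for i in range(total_chunks):
        out += rng.randbytes(chunk_size) if i in encrypted_chunks else plain
    return bytes(out)


if __name__ == "__main__":
    samples = {
        "header-only (first 16 KB)": build_sample(set(range(4))),
        "intermittent (every other chunk)": build_sample(set(range(0, 16, 2))),
        "full": build_sample(set(range(16))),
        "untouched": build_sample(set()),
    }
    for label, blob in samples.items():
        print(f"{label}: {classify_encryption(blob)}")
```

Run it against a real encrypted file by replacing the constructed sample with `open(path, "rb").read()` (or a chunked read for multi-GB files). Two caveats: formats that are compressed or encrypted at rest (zip-based Office files, JPEG, many PDF streams) score high even when untouched, so compare against a known-good copy or restrict the scan to file types with a low baseline; and if malware analysis has established the variant's block size and stride, set the chunk size to match so the boundaries line up.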