AhnLab EPP

Last updated Dec 2, 2025

Ransomware Detected

Detects ransomware files in AhnLab EPP V3 malware alert logs.

Query

The AhnLab V3 antivirus engine detects ransomware with signatures such as Ransomware/Win.Gunra.C5761824, Ransomware/Win.Hades.R374581, Trojan/Win32.ClopRansom.R356895, Ransomware/Win.BlackByte.R455522, Malware/Win32.Ransom.C4006138, Win-Trojan/Gandcrab.Exp, etc. Therefore, alerts are extracted when the signature value starts with Ransomware/ or contains .Ransom. or Gandcrab.

| search in(signature, "Ransomware/*", "*.Ransom.*", "*Gandcrab*")

Message

  • AhnLab EPP V3 Ransomware Detected: Host $host_ip, Malware $signature

Output Field Order

  • _log_time, hostname, host_ip, emp_name, dept_name, signature, file_path, file_status, md5
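The query, message template and output field order above, re-implemented as an added Python example (not part of this rule or of Logpresso) so the matching can be checked against constructed sample alert records. The wildcard test uses fnmatchcase, so it is case-sensitive; whether Logpresso's in() treats case the same way is an assumption, and all hostnames, IPs, paths and md5 values are placeholders.

```python
from fnmatch import fnmatchcase

# Wildcard patterns taken from the rule's query:
#   search in(signature, "Ransomware/*", "*.Ransom.*", "*Gandcrab*")
SIGNATURE_PATTERNS = ("Ransomware/*", "*.Ransom.*", "*Gandcrab*")

# Output field order from the rule definition.
OUTPUT_FIELDS = ("_log_time", "hostname", "host_ip", "emp_name", "dept_name",
                 "signature", "file_path", "file_status", "md5")

# Constructed sample V3 malware alert records (not real telemetry); hostnames,
# IPs, employee names, paths and md5 values are placeholders.
SAMPLE_LOGS = [
    {"_log_time": "2025-12-02 09:14:03", "hostname": "PC-A", "host_ip": "10.1.20.17",
     "emp_name": "user-a", "dept_name": "Finance",
     "signature": "Ransomware/Win.Gunra.C5761824",
     "file_path": "C:\\Users\\user-a\\Downloads\\invoice.exe",
     "file_status": "quarantined", "md5": "<placeholder-md5>"},
    {"_log_time": "2025-12-02 09:15:41", "hostname": "PC-B", "host_ip": "10.1.20.23",
     "emp_name": "user-b", "dept_name": "HR",
     "signature": "Malware/Win32.Ransom.C4006138",
     "file_path": "C:\\Temp\\setup.tmp", "file_status": "deleted", "md5": "<placeholder-md5>"},
    {"_log_time": "2025-12-02 09:16:02", "hostname": "PC-C", "host_ip": "10.1.20.31",
     "emp_name": "user-c", "dept_name": "IT",
     "signature": "Trojan/Win32.Generic.R100000",  # constructed non-ransomware signature
     "file_path": "C:\\Temp\\tool.exe", "file_status": "quarantined", "md5": "<placeholder-md5>"},
]


def is_ransomware_signature(signature: str) -> bool:
    """True if the signature matches any of the rule's wildcard patterns.
    fnmatchcase is case-sensitive; Logpresso's in() case handling is assumed."""
    return any(fnmatchcase(signature, pattern) for pattern in SIGNATURE_PATTERNS)


def build_alert(record: dict) -> dict:
    """Render the rule's message template and project the record onto the
    rule's output field order (fields missing from the record become None)."""
    message = (f"AhnLab EPP V3 Ransomware Detected: "
               f"Host {record['host_ip']}, Malware {record['signature']}")
    return {"message": message,
            "fields": [record.get(field) for field in OUTPUT_FIELDS]}


def detect_ransomware(records: list) -> list:
    """Apply the rule to a batch of alert records and return the alerts raised."""
    return [build_alert(r) for r in records
            if is_ransomware_signature(r.get("signature", ""))]


if __name__ == "__main__":
    for alert in detect_ransomware(SAMPLE_LOGS):
        print(alert["message"])
```

Of the six signatures listed in the query description, Trojan/Win32.ClopRansom.R356895 contains "ClopRansom." rather than ".Ransom." and so is not selected by any of the three patterns; the other five are.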

Threat Analysis

  • Ransomware encrypts system files and demands payment for decryption. Even a single infected endpoint can lead to widespread disruption and significant data loss across the organization.
  • In many cases, V3 detects ransomware as soon as the file arrives on the endpoint, but there is still a possibility that encryption attempts, payload execution, or propagation activity had already begun on the affected endpoint before detection.
  • If file encryption by ransomware has been observed, the attack may continue with additional module installation, backup deletion, and further encryption, requiring immediate isolation and remediation.

False Positive

  • False positives may occur during internal ransomware simulation exercises or malware analysis testing performed by the security team.

Response Actions

  • Immediately isolate the affected endpoint from the network and check for ongoing encryption or abnormal file modifications.
  • Review process lists, task scheduler entries, and service creation records to identify ransomware processes or related activities.
  • Determine whether additional endpoints in the same user account scope or network segment show signs of infection, and investigate organization-wide spread if necessary.
  • Verify backup integrity, initiate recovery procedures, and analyze the infection vector (vulnerability exploitation, spear-phishing, remote access compromise, etc.) to prevent recurrence.

MITRE ATT&CK