EventPeeker

Detecting Ransomware with Sysmon

Ransomware leaves a distinctive Sysmon trail across three event types: Sysmon 11 (File Create) captures the mass file encryption wave, Sysmon 1 (Process Create) shows the ransomware binary and its pre-encryption actions (shadow copy deletion, recovery and Defender tampering), and Sysmon 3 (Network Connection) reveals the C2 contact that precedes encryption and, in double-extortion attacks, the outbound connections used for exfiltration. Sysmon 3 records the connecting process and destination, not the bytes transferred, so transfer volume has to come from firewall, proxy or flow logs.

Severity

Critical

ATT&CK Tactic

Impact

Common attacker usage

  • Pre-encryption: credential dumping (LSASS access via Sysmon 10), lateral movement to backup and file servers, disabling antivirus and backups
  • Shadow copy and recovery destruction: vssadmin.exe delete shadows /all /quiet, wmic shadowcopy delete, or bcdedit.exe /set {default} recoveryenabled No
  • Mass file encryption: ransomware process creating thousands of encrypted files per minute, often with a new extension (.locked, .enc, .[group_name])
  • Double extortion: exfiltration visible in Sysmon 3 as outbound connections to cloud storage or attacker-controlled servers before encryption

Investigate immediately if

  • Sysmon 11 shows a single process creating 50+ files per minute with new or uniform extensions across multiple directories
  • Sysmon 1 shows vssadmin.exe or wmic.exe with shadow copy deletion arguments, or bcdedit.exe disabling recovery (recoveryenabled No)
  • Sysmon 3 shows a non-browser process opening outbound connections to unknown external IPs or consumer cloud-storage hosts (confirm the transfer volume from firewall, proxy or flow logs; Sysmon 3 carries none)
  • Sysmon 1 shows a process with a random or unusual name spawning from an Office application or script host

MITRE ATT&CK

Technique

T1486 · Data Encrypted for Impact

Tactic

Impact


Security Relevance

Modern ransomware is rarely an automated spray-and-pray attack; it is operator-driven. Attackers gain access days or weeks before encryption, establish persistence, harvest credentials, map the network, and then deploy ransomware across the entire environment at once. Sysmon detection during the pre-encryption phase (C2 beacon, lateral movement, credential dumping, recovery tampering) is the best opportunity to stop the attack before encryption begins. Once Sysmon 11 shows mass file creation, encryption is already underway, and even that signal depends on the Sysmon configuration: Event 11 is only logged for the paths and extensions the config's FileCreate rules include, and families that encrypt in place and rename rather than write new files produce far fewer creates than the number of encrypted files suggests.

Indicators of Malicious Use

  • Sysmon 11: single process creating 100+ files/minute with consistent new extensions (.[random], .locked, .encrypted) across multiple directories. Coverage depends on the Sysmon config's FileCreate rules; where Sysmon 23/26 (File Delete) are enabled, the matching wave of deleted originals is a second signal
  • Sysmon 1: vssadmin.exe with 'delete shadows /all /quiet', wmic shadowcopy delete, or bcdedit.exe /set {default} recoveryenabled No (ransomware destroys recovery options before or during encryption). Watch also for the PowerShell/WMI variant (Get-WmiObject Win32_Shadowcopy with Delete()) that never launches vssadmin.exe
  • Sysmon 1: cmd.exe or powershell.exe with arguments disabling Windows Defender real-time protection (for example Set-MpPreference -DisableRealtimeMonitoring $true)
  • Sysmon 3: outbound connections from a non-backup, non-browser process to external IPs or cloud-storage hosts before the file creation spike (exfiltration before encryption). Sysmon 3 records the connection, not its size, so confirm volume from firewall, proxy or flow logs
  • Sysmon 11: ransom note files created in every directory (README.txt, HOW_TO_DECRYPT.txt, RESTORE_FILES.html)
  • Sysmon 1: attacker-deployed tools launched from mapped network drives or admin shares (\\server\C$\Windows\Temp\)
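The "Investigate immediately if" triggers and the indicator list above expressed as detection logic, as an added example that is not EventPeeker's code. It is Python over a handful of constructed Sysmon 1, 3 and 11 events presented as flattened EventData fields, the way a SIEM would hand them over; the ransomware path and exfil IP reuse the values from the example log below, while the host names, user directories, file names and the backup-agent path are made up. The mass-create rule requires spread across directories and a uniform new extension, which is what separates the ransomware wave from a backup job writing the same number of files into one tree; the command-line rule also catches the WMI/PowerShell shadow-copy deletion and Defender-tamper variants that never launch vssadmin.exe.

```python
"""Detection logic for the Sysmon 1 / 3 / 11 ransomware indicators, run over
constructed events. Added example, not EventPeeker code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Sysmon 1: recovery tampering. The Win32_Shadowcopy and Set-MpPreference
# patterns cover variants that never launch vssadmin.exe.
RECOVERY_TAMPER = [re.compile(p, re.I) for p in (
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"bcdedit(\.exe)?\s+/set\s+(\{default\}\s+)?recoveryenabled\s+no",
    r"win32_shadowcopy",
    r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true",
)]
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def recovery_tamper_hits(events):
    """Sysmon 1 events whose CommandLine matches a recovery-tamper pattern."""
    return [e for e in events if e["EventID"] == 1
            and any(p.search(e.get("CommandLine", "")) for p in RECOVERY_TAMPER)]


def mass_create_hits(events, per_minute=50, min_dirs=3, uniform=0.9):
    """Sysmon 11: per (Host, Image), slide a 60 s window and flag the first window
    with >= per_minute creates over >= min_dirs directories where >= uniform of
    the files share one extension. Directory spread is what rejects backup jobs."""
    by_proc = defaultdict(list)
    for e in events:
        if e["EventID"] == 11:
            by_proc[(e["Host"], e["Image"])].append(e)
    hits = []
    for (host, image), evs in by_proc.items():
        evs.sort(key=lambda e: e["UtcTime"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["UtcTime"] - evs[start]["UtcTime"] > timedelta(seconds=60):
                start += 1
            window = evs[start:end + 1]
            if len(window) < per_minute:
                continue
            dirs = {e["TargetFilename"].rsplit("\\", 1)[0] for e in window}
            exts = defaultdict(int)
            for e in window:
                exts[e["TargetFilename"].rsplit(".", 1)[-1].lower()] += 1
            ext, n = max(exts.items(), key=lambda kv: kv[1])
            if len(dirs) >= min_dirs and n >= uniform * len(window):
                hits.append({"Host": host, "Image": image, "Extension": ext,
                             "Count": len(window), "Directories": len(dirs)})
                break  # one alert per process is enough for triage
    return hits


def external_connections(events):
    """Sysmon 3: outbound connections from non-browser processes to non-private IPs.
    Sysmon 3 has no byte counts; confirm volume from firewall/proxy/flow logs."""
    hits = []
    for e in events:
        if e["EventID"] != 3 or e.get("Initiated") != "true":
            continue
        ip = ip_address(e["DestinationIp"])
        if ip.is_private or ip.is_loopback or e["Image"].rsplit("\\", 1)[-1].lower() in BROWSERS:
            continue
        hits.append(e)
    return hits


# Constructed sample: a workstation being encrypted and a file server running a
# (made-up path) backup agent. Ransomware path and exfil IP are the page's own.
T0 = datetime(2026, 5, 16, 3, 14, 0)
RANSOM = r"C:\Users\Public\svchost32.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"EventID": 1, "Host": "WS01", "UtcTime": T0 - timedelta(minutes=5),
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Host": "WS01", "UtcTime": T0 - timedelta(minutes=4), "Image": PS,
     "CommandLine": "powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"},
    {"EventID": 1, "Host": "WS01", "UtcTime": T0, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 3, "Host": "WS01", "UtcTime": T0 - timedelta(hours=2), "Image": RANSOM, "Initiated": "true",
     "DestinationIp": "91.213.8.201", "DestinationPort": 443},
    {"EventID": 3, "Host": "WS01", "UtcTime": T0 - timedelta(hours=1), "Image": RANSOM, "Initiated": "true",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},   # internal SMB, not exfil
    {"EventID": 3, "Host": "WS01", "UtcTime": T0, "Initiated": "true", "DestinationPort": 443,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationIp": "8.8.8.8"},
]
DIRS = ["Documents", "Desktop", "Pictures", "Music", "Videos", "Downloads"]
for i in range(120):  # 120 encrypted files in 60 s across six user directories ...
    SAMPLE.append({"EventID": 11, "Host": "WS01", "UtcTime": T0 + timedelta(seconds=i / 2), "Image": RANSOM,
                   "TargetFilename": r"C:\Users\jsmith" + "\\" + DIRS[i % 6] + f"\\file{i}.docx.locked"})
    # ... and the same rate from the backup agent, all into one job directory (no alert)
    SAMPLE.append({"EventID": 11, "Host": "FS01", "UtcTime": T0 + timedelta(seconds=i / 2),
                   "Image": r"C:\Program Files\Veeam\Backup\VeeamAgent.exe",
                   "TargetFilename": rf"D:\Backups\job42\chunk{i}.vbk"})

if __name__ == "__main__":
    for h in recovery_tamper_hits(SAMPLE):
        print("recovery tamper:", h["CommandLine"])
    for h in mass_create_hits(SAMPLE):
        print("mass create:", h)
    for h in external_connections(SAMPLE):
        print("external:", h["Image"], "->", h["DestinationIp"])
```

Running it reports the two shadow-copy deletions (vssadmin and the PowerShell/WMI form), one mass-create alert for svchost32.exe on WS01 spanning six directories with the .locked extension, and one external connection from the ransomware process; the Veeam agent on FS01 writes just as fast but into a single directory and is not reported.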

Example Log Entry

// Sysmon Event 1 — Shadow copy deletion (pre-encryption step)
EventID: 1
Image: C:\Windows\System32\vssadmin.exe
CommandLine: vssadmin.exe delete shadows /all /quiet
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: cmd.exe /c vssadmin delete shadows /all /quiet

// Sysmon Event 11 — Mass file encryption (100+ per minute)
EventID: 11
Image: C:\Users\Public\svchost32.exe
TargetFilename: C:\Users\jsmith\Documents\Q4_Report.docx.locked
CreationUtcTime: 2026-05-16 03:14:22.881

// Sysmon Event 3 — Pre-encryption exfiltration
EventID: 3
Image: C:\Users\Public\svchost32.exe
DestinationIp: 91.213.8.201
DestinationPort: 443
DestinationHostname: storage-bucket-28.mega.io

Investigation Steps

  1. Determine encryption start time: find the first Sysmon 11 event from the ransomware process. Everything before this timestamp is the attacker's pre-encryption activity window; search for Sysmon 10 (credential dumping), Sysmon 3 (C2 beaconing), and Sysmon 1 (lateral movement tools) in that window.
  2. Identify the ransomware binary: the Image in the mass Sysmon 11 events is the ransomware process. Check Sysmon 1 for its creation: when was it created, what spawned it, and from what path? This reveals the delivery mechanism.
  3. Check for shadow copy deletion: search Sysmon 1 for vssadmin.exe, wmic.exe with shadowcopy arguments, bcdedit.exe with recoveryenabled, and PowerShell touching Win32_Shadowcopy. These almost always precede or accompany encryption.
  4. Assess exfiltration scope: search Sysmon 3 for connections from the ransomware process or its C2 tool to external hosts in the hours before encryption. Destination IPs and hostnames identify the exfiltration server; pull the transfer volume for those destinations from firewall, proxy or flow logs, since Sysmon 3 does not record it. This determines double-extortion exposure.
  5. Map lateral spread: check all hosts for the same ransomware binary hash (SHA256 or IMPHASH from the Sysmon 1 Hashes field). The file is often renamed per host, so pivot on the hash rather than the path. Ransomware is deployed to many hosts at once; isolate all affected systems before attempting recovery.
  6. Preserve forensic artifacts before recovery: image affected hosts if possible. The ransom note, encrypted file extensions, and any dropper binaries identify the ransomware family and may inform decryption options if a decryptor is later released.
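Steps 1 to 5 chained together over a constructed multi-host timeline, as an added example that is not EventPeeker's code. The Sysmon events are flattened EventData fields; the ransomware path and C2 IP come from the page's example log, while the loader path (C:\Users\Public\update.exe), host names, command lines and the hash values are made up (the hashes are obvious placeholders, not a real sample). The walk starts from the host and Image of the mass Sysmon 11 alert, recovers the launching Sysmon 1 and its SHA256, pivots on that hash to find every host the binary ran on under whatever name it had there, then computes each host's encryption start and patient zero's pre-encryption window. FS01 shows the coverage caveat: the binary ran there, but no Sysmon 11 exists because (by assumption) its Sysmon config does not cover D:\.

```python
"""Investigation steps 1-5 as code over constructed multi-host Sysmon events.
Added example, not EventPeeker code. Hash values are synthetic placeholders."""
from datetime import datetime, timedelta

T0 = datetime(2026, 5, 16, 3, 14, 22)          # first Sysmon 11 on patient zero
RANSOM = r"C:\Users\Public\svchost32.exe"       # the page's example path
LOADER = r"C:\Users\Public\update.exe"          # made-up C2 loader
PSEXESVC = r"C:\Windows\PSEXESVC.exe"
SHA = "SHA256=" + "ab" * 32 + ",IMPHASH=" + "cd" * 16   # synthetic, not a real sample


def parse_hashes(field):
    """Sysmon 1 'Hashes' is 'ALG=hex,ALG=hex,...'."""
    return dict(kv.split("=", 1) for kv in field.split(",") if "=" in kv)


def binary_origin(events, host, image):
    """Step 2: the Sysmon 1 that launched the ransomware on this host."""
    for e in events:
        if e["EventID"] == 1 and e["Host"] == host and e["Image"] == image:
            return {"UtcTime": e["UtcTime"], "ParentImage": e["ParentImage"],
                    "CommandLine": e["CommandLine"], "Hashes": parse_hashes(e["Hashes"])}
    return None


def lateral_spread(events, sha256):
    """Step 5: hosts where any Sysmon 1 carries the same SHA256, with the local
    path (the file is often renamed per host) and first execution time."""
    seen = {}
    for e in sorted(events, key=lambda e: e["UtcTime"]):
        if e["EventID"] == 1 and parse_hashes(e.get("Hashes", "")).get("SHA256") == sha256:
            seen.setdefault(e["Host"], {"UtcTime": e["UtcTime"], "Image": e["Image"]})
    return seen


def encryption_start(events, host, image):
    """Step 1: first Sysmon 11 from the ransomware Image on this host, or None when
    Sysmon's FileCreate rules never covered the paths it touched (a coverage gap,
    not evidence that nothing was encrypted)."""
    times = [e["UtcTime"] for e in events
             if e["Host"] == host and e["EventID"] == 11 and e["Image"] == image]
    return min(times) if times else None


def pre_encryption_window(events, host, start, lookback=timedelta(hours=72)):
    """Step 1 continued: Sysmon 1/3/10 on the host before encryption, oldest first."""
    return sorted((e for e in events if e["Host"] == host and e["EventID"] in (1, 3, 10)
                   and start - lookback <= e["UtcTime"] < start), key=lambda e: e["UtcTime"])


def investigate(events, alert_host, alert_image):
    """Chain steps 1-5 from the host/Image of the mass Sysmon 11 alert."""
    origin = binary_origin(events, alert_host, alert_image)
    spread = lateral_spread(events, origin["Hashes"]["SHA256"])
    starts = {h: encryption_start(events, h, s["Image"]) for h, s in spread.items()}
    window = pre_encryption_window(events, alert_host, starts[alert_host])
    return {
        "origin": origin,
        "spread": spread,
        "starts": starts,
        "pre_window": [(e["UtcTime"], e["EventID"],
                        (e.get("Image") or e["SourceImage"]).rsplit("\\", 1)[-1]) for e in window],
        "isolation_order": sorted(spread, key=lambda h: spread[h]["UtcTime"]),  # earliest first
    }


def ev(host, eid, delta, **fields):
    return {"Host": host, "EventID": eid, "UtcTime": T0 + delta, **fields}


# Constructed timeline: WS01 is patient zero; WS02 and FS01 receive the same binary
# under other names via PsExec. FS01 has no Sysmon 11 because (assumed) its config
# does not cover D:\.
SAMPLE = [
    ev("WS01", 3, timedelta(hours=-30), Image=LOADER, DestinationIp="91.213.8.201", DestinationPort=443),
    ev("WS01", 10, timedelta(hours=-20), SourceImage=LOADER, TargetImage=r"C:\Windows\System32\lsass.exe",
       GrantedAccess="0x1010"),
    ev("WS01", 1, timedelta(hours=-1), Image=r"C:\Windows\System32\cmd.exe", ParentImage=LOADER,
       CommandLine=r"cmd.exe /c copy C:\Users\Public\svchost32.exe \\WS02\C$\Windows\Temp",
       Hashes="SHA256=" + "11" * 32),
    ev("WS01", 1, timedelta(minutes=-2), Image=RANSOM, ParentImage=r"C:\Windows\System32\cmd.exe",
       CommandLine="svchost32.exe -full", Hashes=SHA),
    ev("WS01", 1, timedelta(minutes=5), Image=r"C:\Windows\System32\notepad.exe", ParentImage=RANSOM,
       CommandLine="notepad.exe README.txt", Hashes="SHA256=" + "22" * 32),   # after start: not in window
    ev("FS01", 1, timedelta(minutes=-5), Image=r"D:\Temp\svc.exe", ParentImage=PSEXESVC,
       CommandLine="svc.exe -full", Hashes=SHA),
    ev("WS02", 1, timedelta(minutes=3), Image=r"C:\Windows\Temp\svchost32.exe", ParentImage=PSEXESVC,
       CommandLine="svchost32.exe -full", Hashes=SHA),
    ev("WS02", 11, timedelta(minutes=4), Image=r"C:\Windows\Temp\svchost32.exe",
       TargetFilename=r"C:\Users\Public\report.xlsx.locked"),
]
SAMPLE += [ev("WS01", 11, timedelta(seconds=i), Image=RANSOM,
              TargetFilename=rf"C:\Users\jsmith\Documents\doc{i}.docx.locked") for i in range(20)]

if __name__ == "__main__":
    for key, value in investigate(SAMPLE, "WS01", RANSOM).items():
        print(key, value)
```

The isolation order it produces (FS01, then WS01, then WS02) follows first execution time of the binary rather than first Sysmon 11, which is the safer ordering: FS01 never produced a file-create event at all, and would be missed by anyone working only from the encryption alerts.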

Check your own logs for the ransomware patterns above: upload an EVTX file for instant detection, no account required.

Common False Positives

  • Legitimate backup or file sync tools can create high file creation rates — verify the creating Image is a known backup agent (Veeam, Backup Exec, Windows Backup, cloud sync clients) and that the files keep their normal extensions
  • Antivirus quarantine operations move many files rapidly — verify against known security product paths
  • Mass file operations by IT scripts (file migration, cleanup) during maintenance windows — correlate with change management records
  • Software installers, package managers and archive extraction create many files quickly, but into one directory tree, with real extensions, and under a parent such as msiexec.exe or explorer.exe rather than an unknown binary

Remediation

  • Isolate all affected hosts immediately at the network level (EDR isolation, quarantine VLAN, pulled cable) — ransomware spreads laterally; every reachable host is a potential target until isolated
  • Do not power off or restart encrypted hosts — some ransomware keeps the encryption key in memory; a memory dump taken before restart may enable recovery
  • Check all backup integrity before attempting recovery — ransomware specifically targets backups; verify they predate the intrusion
  • Reset all domain credentials — the pre-encryption phase almost certainly included credential dumping; all harvested credentials remain valid
  • Engage a DFIR firm if the pre-encryption window was longer than 24 hours — assume the attacker has full domain knowledge and persistent access beyond the ransomware binary
  • Perform double krbtgt reset if a DC was compromised during the pre-encryption phase

Related Event IDs

11 · Sysmon File Create — mass encryption file creation spike
1 · Sysmon Process Create — ransomware binary, shadow copy deletion, tool execution
3 · Sysmon Network Connection — C2 beaconing and pre-encryption exfiltration
13 · Sysmon Registry Value Set — Defender tamper, AppLocker bypass, and policy disable via registry
4688 · Native process creation — vssadmin, wmic, bcdedit shadow copy deletion
1102 · Audit log cleared — ransomware often clears event logs post-encryption


Frequently Asked Questions

Why does shadow copy deletion so often appear before ransomware encryption?
Volume Shadow Copies are Windows's built-in recovery mechanism: they allow files to be restored to a previous version without a backup. Ransomware operators delete shadow copies first because it eliminates the easiest recovery path and pushes victims toward paying for the decryptor. The deletion command (vssadmin delete shadows /all /quiet) appears as a Sysmon 1 event and is one of the most reliable pre-encryption indicators. Alerting on vssadmin.exe delete shadows or wmic shadowcopy delete in any context outside of a known backup window is a high-confidence ransomware indicator, even if encryption hasn't started yet. It is not universal, though: some families delete shadow copies through WMI from PowerShell (Win32_Shadowcopy) or directly through the VSS API, so the absence of a vssadmin event does not rule ransomware out.
How do I detect ransomware before encryption starts using Sysmon?
The pre-encryption phase is the detection window. Alert on: (1) Sysmon 10 — LSASS access from unexpected processes (credential harvesting). (2) Sysmon 3 — regular beacon intervals from non-browser processes (C2 established weeks before encryption). (3) Sysmon 1 — vssadmin, wmic shadowcopy, or bcdedit with recovery-disabling arguments. (4) Sysmon 11 — ransomware tools dropped to admin shares or temp directories. Any of these individually warrants investigation; all of them together in the same environment is a ransomware pre-attack pattern. The Sysmon 11 mass file creation spike is the last alert — encryption is already underway.
Is the Sysmon Event 11 file creation spike always ransomware?
No. Legitimate high-volume file creation includes: backup agents (Veeam, Backup Exec) during backup jobs, file synchronization tools (OneDrive, Dropbox) after a large sync, antivirus quarantine operations, and IT migration scripts. The distinguishing factors are: (1) the creating process — unknown or unexpected binary vs. a known backup agent; (2) the file extensions — consistent new extension appended to all files vs. normal file operations; (3) the directory pattern — ransomware touches many directories across the filesystem; (4) the time of day — ransomware often deploys overnight or on weekends to maximize impact before IT responds.
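The beacon-interval check that the pre-encryption answer above calls for (item 2, regular check-ins from a non-browser process), as an added example that is not EventPeeker's code. It runs in Python over constructed Sysmon 3 events: the loader path C:\Users\Public\update.exe, the Outlook destination and all timings are made up, and the C2 IP reuses the page's example log. Connections are grouped by host, process and destination, and a group is flagged when the gaps between connections are regular, measured as standard deviation over mean, which tolerates the modest jitter most beacons add while rejecting human-paced traffic.

```python
"""Beacon-interval detection over Sysmon 3 (pre-encryption C2 signal).
Added example, not EventPeeker code; all events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def beacon_candidates(events, min_connections=8, max_cv=0.2):
    """Group initiated Sysmon 3 events by (Host, Image, DestinationIp, DestinationPort)
    and flag non-browser processes whose inter-connection gaps are regular: coefficient
    of variation (stdev / mean) at or below max_cv. A beacon with +/-10% jitter scores
    well under 0.2; interactive traffic does not."""
    groups = defaultdict(list)
    for e in events:
        if e["EventID"] == 3 and e.get("Initiated") == "true":
            groups[(e["Host"], e["Image"], e["DestinationIp"], e["DestinationPort"])].append(e["UtcTime"])
    hits = []
    for (host, image, ip, port), times in groups.items():
        if len(times) < min_connections or image.rsplit("\\", 1)[-1].lower() in BROWSERS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        if cv <= max_cv:
            hits.append({"Host": host, "Image": image, "Destination": f"{ip}:{port}",
                         "Connections": len(times), "MeanInterval": round(m, 1), "CV": round(cv, 3)})
    return hits


def conn(host, image, ip, port, when):
    """One flattened Sysmon 3 event."""
    return {"EventID": 3, "Host": host, "UtcTime": when, "Image": image, "Initiated": "true",
            "DestinationIp": ip, "DestinationPort": port}


# Constructed sample (made-up loader path, mail server and timings; C2 IP is the page's).
T0 = datetime(2026, 5, 14, 9, 0, 0)
LOADER = r"C:\Users\Public\update.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE = []
t = T0
for i in range(20):                      # 20 check-ins, 60 s apart with deterministic jitter
    SAMPLE.append(conn("WS01", LOADER, "91.213.8.201", 443, t))
    t += timedelta(seconds=60 + (-6, 3, 6, -3, 0)[i % 5])
t = T0
for gap in (0, 1, 45, 2, 300, 7, 9, 120, 4, 60, 1):   # mail client: bursty, human-paced
    t += timedelta(seconds=gap)
    SAMPLE.append(conn("WS01", OUTLOOK, "10.0.0.20", 443, t))
for i in range(3):                       # too few connections to judge regularity
    SAMPLE.append(conn("WS01", LOADER, "10.0.0.5", 445, T0 + timedelta(seconds=60 * i)))

if __name__ == "__main__":
    for h in beacon_candidates(SAMPLE):
        print(h)
```

Only the loader's 60-second cadence to the external address is reported (mean interval 60 s, CV about 0.07); Outlook's eleven connections are irregular enough to fail the threshold, and the loader's three SMB connections never reach the minimum count. In production the thresholds want tuning per environment, and the grouping key should use ProcessGuid rather than Image when a long-lived beacon process restarts.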

Detect ransomware activity in your Sysmon logs

Upload an .evtx file from servers, domain controllers, or endpoints. EventPeeker automatically detects the ransomware patterns described above, maps findings to MITRE ATT&CK, and generates an AI triage report.

Scan for ransomware activity with Sysmon