EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

File with Samsam Extension

The following analytic detects file writes with extensions indicative of a SamSam ransomware attack. It leverages file-system activity data to identify file names ending in .stubbin, .berkshire, .satoshi, .sophos, or .keyxml. This activity is significant because SamSam ransomware is highly destructive, leading to file encryption and ransom demands. If confirmed malicious, the impact includes significant financial losses, operational disruptions, and reputational damage. Immediate actions should include isolating affected systems, restoring files from backups, and investigating the attack source to prevent further incidents.

Detection Query

| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
        values(Filesystem.user) as user
        values(Filesystem.dest) as dest
        values(Filesystem.file_path) as file_path
from datamodel=Endpoint.Filesystem where
Filesystem.file_name IN (
  "*.berkshire",
  "*.keyxml",
  "*.satoshi",
  "*.sophos",
  "*.stubbin"
)
by Filesystem.action Filesystem.dest Filesystem.file_access_time
   Filesystem.file_create_time Filesystem.file_hash
   Filesystem.file_modify_time Filesystem.file_name
   Filesystem.file_path Filesystem.file_acl Filesystem.file_size
   Filesystem.process_guid Filesystem.process_id
   Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| rex field=file_name "(?<file_extension>\.[^\.]+)$"
| search file_extension IN (".berkshire", ".keyxml", ".satoshi", ".sophos", ".stubbin")
| `file_with_samsam_extension_filter`

Author

Rico Valdez, Splunk

Created

2026-03-10

Data Sources

Sysmon EventID 11

Tags

SamSam RansomwareHellcat Ransomware
Raw Content
name: File with Samsam Extension
id: 02c6cfc2-ae66-4735-bfc7-6291da834cbf
version: 11
date: '2026-03-10'
author: Rico Valdez, Splunk
status: production
type: TTP
description: |
    The following analytic detects file writes with extensions indicative of a SamSam ransomware attack.
    It leverages file-system activity data to identify file names ending in .stubbin, .berkshire, .satoshi, .sophos, or .keyxml.
    This activity is significant because SamSam ransomware is highly destructive, leading to file encryption and ransom demands.
    If confirmed malicious, the impact includes significant financial losses, operational disruptions, and reputational damage.
    Immediate actions should include isolating affected systems, restoring files from backups, and investigating the attack source to prevent further incidents.
data_source:
    - Sysmon EventID 11
search: |
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
            max(_time) as lastTime
            values(Filesystem.user) as user
            values(Filesystem.dest) as dest
            values(Filesystem.file_path) as file_path
    from datamodel=Endpoint.Filesystem where
    Filesystem.file_name IN (
      "*.berkshire",
      "*.keyxml",
      "*.satoshi",
      "*.sophos",
      "*.stubbin"
    )
    by Filesystem.action Filesystem.dest Filesystem.file_access_time
       Filesystem.file_create_time Filesystem.file_hash
       Filesystem.file_modify_time Filesystem.file_name
       Filesystem.file_path Filesystem.file_acl Filesystem.file_size
       Filesystem.process_guid Filesystem.process_id
       Filesystem.user Filesystem.vendor_product
    | `drop_dm_object_name(Filesystem)`
    | `security_content_ctime(lastTime)`
    | `security_content_ctime(firstTime)`
    | rex field=file_name "(?<file_extension>\.[^\.]+)$"
    | search file_extension IN (".berkshire", ".keyxml", ".satoshi", ".sophos", ".stubbin")
    | `file_with_samsam_extension_filter`
how_to_implement: You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
known_false_positives: |
    Because these extensions are not typically used in normal operations, you should investigate all results.
references: []
drilldown_searches:
    - name: View the detection results for - "$user$" and "$dest$"
      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: The $file_name$ with extensions consistent with a SamSam ransomware attack seen on $dest$
    risk_objects:
        - field: user
          type: user
          score: 50
        - field: dest
          type: system
          score: 50
    threat_objects:
        - field: file_name
          type: file_name
tags:
    analytic_story:
        - SamSam Ransomware
        - Hellcat Ransomware
    asset_type: Endpoint
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog