How to Detect Ransomware Activity Using Wazuh

Ransomware remains one of the most operationally disruptive forms of cyberattack because it targets both data availability and business continuity.

Modern ransomware campaigns are no longer simple encryption events; they are multi-stage intrusions that include reconnaissance, credential theft, lateral movement, and finally mass encryption or data exfiltration.

Detecting ransomware activity using Wazuh requires shifting from signature-based thinking to behavior-based detection.

Instead of looking for a known malware hash, you are identifying patterns of system abuse that consistently precede or accompany encryption activity.

At a high level, Wazuh enables detection by correlating endpoint telemetry (process execution, file changes, authentication logs) with rule-based alerts and behavioral thresholds.


Why Ransomware Detection Matters

The financial and operational impact of ransomware continues to escalate, with attackers increasingly targeting backups, hypervisors, and cloud workloads in addition to traditional file systems.

According to the Verizon Data Breach Investigations Report (DBIR), ransomware is now one of the most common malware actions in breaches, often linked to initial access via stolen credentials or phishing.

From a detection standpoint, the critical issue is speed. Once encryption begins at scale, recovery becomes significantly more complex and expensive.

This is why early behavioral detection—before or during encryption bursts—is far more valuable than post-incident forensics.

Microsoft’s threat intelligence research also highlights that ransomware operators frequently disable security tools and attempt privilege escalation before deploying payloads, reinforcing the need for endpoint-level monitoring and correlation.


Understanding How Ransomware Behaves in Systems

Ransomware does not appear as a single action; it manifests as a sequence of correlated behaviors.

In Wazuh, these behaviors can be translated into detectable signals using event monitoring and correlation rules.

Rapid file encryption or mass file renaming


One of the earliest indicators is a sudden spike in file modifications.

Thousands of write operations in a short window, especially across user directories or shared drives, are highly anomalous.

Creation of ransom notes (README files)


Most ransomware families drop text files such as “README.txt” or “DECRYPT_INSTRUCTIONS.html” in multiple directories.

This creates a distinct file creation pattern that can be monitored via File Integrity Monitoring (FIM).

Deletion of shadow copies or backups


Attackers frequently execute commands like vssadmin delete shadows to prevent recovery.

This is a strong behavioral indicator when observed in Windows Event Logs.

Suspicious PowerShell or script execution


Ransomware often uses PowerShell, batch scripts, or WMI to execute payloads and disable defenses.

Obfuscated commands and encoded scripts are particularly high-signal indicators.

Privilege escalation attempts


Before encryption begins, attackers often attempt to escalate privileges to SYSTEM or domain admin levels to maximize impact.

Unusual process spawning chains


Legitimate processes spawning unusual children (e.g., winword.exe → powershell.exe → cmd.exe) often indicate macro-based or staged execution.

These behaviors map directly to telemetry sources that Wazuh can ingest and analyze, especially Windows Event Logs, Sysmon, and auditd on Linux systems.


Key Wazuh Capabilities for Ransomware Detection

Wazuh provides multiple layers of detection that are particularly effective against ransomware-style behavior.

Each capability contributes to building a behavioral detection pipeline rather than relying on static signatures.

File Integrity Monitoring (FIM)


FIM is one of the most important components for ransomware detection.

It tracks file creation, modification, and deletion in real time or near real time.

  • Detects rapid file modification bursts typical of encryption activity
  • Identifies mass renaming or extension changes (e.g., .locked, .encrypted)
  • Monitors directories commonly targeted by ransomware (user folders, shared drives)

Security Event Monitoring


Wazuh aggregates logs from multiple sources to build a unified view of endpoint activity:

  • Windows Event Logs (process creation, authentication events)
  • Sysmon (detailed process and network telemetry)
  • Linux auditd (system calls, file access patterns)

This telemetry is essential for identifying execution chains and privilege escalation attempts that precede encryption activity.

Rule-Based Threat Detection


Wazuh uses decoders and correlation rules to identify suspicious patterns across events.

  • Detects known ransomware behaviors (e.g., shadow copy deletion commands)
  • Correlates multiple low-level events into a high-confidence alert
  • Enables custom rules for environment-specific ransomware behavior baselines

This is where tuning becomes critical—overly broad rules can generate noise, while well-designed correlation rules improve detection accuracy significantly.

Rootcheck / Vulnerability Detection


Ransomware rarely succeeds without exploiting weaknesses in configuration, outdated software, or exposed services.

Wazuh’s vulnerability detection and rootcheck capabilities help identify:

  • Unpatched systems commonly targeted for initial access
  • Misconfigurations that allow privilege escalation
  • Weak security baselines that increase attack surface

This capability is preventative but directly tied to ransomware risk reduction.

Active Response


Active Response enables automated mitigation actions when suspicious behavior is detected:

  • Blocking malicious IP addresses
  • Killing suspicious processes
  • Isolating compromised endpoints from the network

When tuned correctly, this can interrupt ransomware execution mid-chain—before encryption spreads laterally.

For deeper technical mapping of ransomware behaviors to detection logic, MITRE ATT&CK provides a structured framework for adversary techniques, including execution, persistence, and impact techniques commonly used in ransomware campaigns.


Configuring Wazuh for Ransomware Detection

A practical ransomware detection setup in Wazuh relies on combining endpoint telemetry, file monitoring, and log correlation across Windows and Linux systems.

The objective is to ensure that high-signal behaviors (mass file changes, suspicious process execution, and backup deletion attempts) are captured early and consistently.

Enabling File Integrity Monitoring on sensitive directories (documents, network shares, databases)


File Integrity Monitoring (FIM) should be configured to watch directories that ransomware is most likely to target.

These typically include:

  • User profile directories (Documents, Desktop, Downloads)
  • Network shared drives (SMB/NFS shares)
  • Database storage paths (SQL data directories, application storage volumes)

In Wazuh, this involves defining the monitored paths and enabling real-time or near-real-time scanning.

For ransomware detection, the key is not just monitoring but making the scan interval or real-time mode sensitive enough to catch rapid modification bursts without overwhelming the agent or manager with events.

Configuring Windows Sysmon integration for process tracking


Sysmon provides granular visibility into process creation, network connections, and file events on Windows endpoints.

When integrated with Wazuh, it becomes one of the most valuable data sources for ransomware detection.

Key telemetry to enable:

  • Process creation events (to track execution chains)
  • Command-line logging (to detect obfuscated PowerShell or encoded payloads)
  • Parent-child process relationships (to identify suspicious spawning patterns)

This is critical for identifying early-stage ransomware behavior such as macro execution or script-based loaders.

Forwarding security logs from endpoints to Wazuh manager

Centralized log ingestion ensures that endpoint activity can be correlated across systems.

On Windows, this includes:

  • Security Event Logs (authentication, privilege changes)
  • Sysmon logs (process and network activity)

On Linux systems:

  • auditd logs (system calls, file access patterns)
  • authentication logs (/var/log/auth.log)

Proper forwarding ensures that ransomware activity can be detected not just locally, but across lateral movement paths in the environment.
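The three steps above (FIM on targeted directories, Sysmon integration, and log forwarding) pulled together as agent-side ossec.conf fragments. This is an added example, not configuration from the original article or the Wazuh project's default files; the share and database paths (D:\Shares, /srv/samba/shares, /var/lib/postgresql) are constructed placeholders.

```xml
<!-- Windows agent: C:\Program Files (x86)\ossec-agent\ossec.conf -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <!-- The scheduled scan every 12 h is only a backstop; real-time (whodata)
         monitoring is what catches an encryption burst while it is happening. -->
    <frequency>43200</frequency>
    <!-- whodata implies real-time and records the user and process behind each
         change, so a FIM alert can be tied to the executable that caused it.
         D:\Shares is a constructed placeholder for your file-share volume. -->
    <directories whodata="yes">C:\Users</directories>
    <directories whodata="yes">D:\Shares</directories>
    <!-- Ransom notes and renamed copies show up as "added" events; keep them. -->
    <alert_new_files>yes</alert_new_files>
    <!-- Temporary-file churn would inflate any burst counter. -->
    <ignore type="sregex">.tmp$|.swp$|.part$</ignore>
  </syscheck>

  <!-- Sysmon Event ID 1 carries the full command line and parent process;
       the Security channel carries logon and privilege events. -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- Drop the noisiest filtering-platform events, as the default config does. -->
    <query>Event/System[EventID != 5145 and EventID != 5156]</query>
  </localfile>
</ossec_config>

<!-- Linux file server or database host: /var/ossec/etc/ossec.conf -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <!-- whodata on Linux requires auditd; it adds the writing process to each
         event. Paths below are constructed placeholders. -->
    <directories whodata="yes">/srv/samba/shares,/home</directories>
    <directories realtime="yes">/var/lib/postgresql</directories>
    <alert_new_files>yes</alert_new_files>
    <ignore type="sregex">.swp$|~$</ignore>
  </syscheck>

  <localfile>
    <location>/var/log/audit/audit.log</location>
    <log_format>audit</log_format>
  </localfile>
  <localfile>
    <location>/var/log/auth.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
```

Restart the agent after editing; on Windows, whodata turns on SACL auditing for the listed directories, so check the agent log for the audit-policy warnings it prints when that fails.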

Setting threshold-based alerts for mass file changes


One of the most effective ransomware detection strategies is threshold-based alerting.

Instead of alerting on every file modification, Wazuh can be configured to trigger alerts when modification rates exceed a defined baseline.

Examples of threshold logic:

  • 100+ file modifications within 60 seconds
  • Multiple directories affected simultaneously
  • High-volume rename operations in a single user profile

These patterns are highly indicative of encryption routines rather than legitimate user activity.

Custom rule creation for ransomware-like behavior patterns

Custom rules allow you to define environment-specific ransomware detection logic.

These rules typically combine multiple weak signals into a single high-confidence alert:

  • File mass modification + suspicious process execution
  • Shadow copy deletion command + privilege escalation attempt
  • Encoded PowerShell execution + rapid file renaming

The goal is correlation rather than isolation—ransomware rarely triggers a single event but instead produces a chain of related anomalies.

Detecting Early Indicators of Ransomware Activity

Early detection is the most critical factor in minimizing ransomware impact.

Instead of waiting for encryption completion, detection systems should focus on identifying precursor behaviors that consistently appear in attack chains.

Wazuh enables this by correlating endpoint telemetry with behavioral rules and time-based thresholds.

Sudden spike in file modification events

A rapid increase in file write operations—especially across multiple directories—is one of the earliest indicators of ransomware activity.

Normal user behavior rarely produces sustained high-frequency file modifications across system-wide paths.

Detection logic typically focuses on:

  • Baseline comparison of file change rates per user/system
  • Burst detection within short time windows (30–120 seconds)
  • Cross-directory modification patterns

Multiple file extensions changing in a short timeframe


Ransomware often renames files en masse, appending extensions such as .locked, .enc, or random strings. This behavior creates a highly detectable pattern when observed at scale.

Wazuh FIM can detect:

  • Bulk renaming operations
  • Consistent extension changes across file types (documents, images, databases)
  • Simultaneous modification of unrelated file formats

Execution of known suspicious tools (e.g., vssadmin, bcdedit)


Attackers frequently disable recovery mechanisms before encryption begins. Common tools include:

  • vssadmin delete shadows (removes Volume Shadow Copies)
  • bcdedit /set recoveryenabled no (disables recovery options)

These commands are strong indicators of malicious intent when executed outside of maintenance windows.

Abnormal PowerShell usage patterns


PowerShell is frequently abused for ransomware delivery and execution.

Indicators include:

  • Encoded command execution (-enc flag)
  • Obfuscated scripts using string concatenation or base64 encoding
  • PowerShell spawning from unusual parent processes (e.g., Office apps)

Sysmon integration is especially useful here due to its command-line visibility.

Unauthorized encryption-like file entropy changes (via integrations)


While Wazuh does not natively compute file entropy, it can integrate with external tooling or scripts that flag high-entropy file changes—a common characteristic of encrypted data.

When combined with FIM alerts, entropy anomalies can significantly increase detection confidence.

Sample Wazuh rule logic concepts (high-level)


Instead of relying on a single event, ransomware detection rules typically combine multiple signals:

  • If file modification rate > threshold AND suspicious process detected → escalate alert
  • If backup deletion command observed AND privilege escalation event detected → critical alert
  • If PowerShell encoded execution AND rapid file renaming detected → high severity alert

This multi-signal correlation reduces false positives while improving detection accuracy.


Building Custom Wazuh Rules for Ransomware Behavior

Custom rule development is where detection systems transition from generic monitoring to ransomware-specific defense.

In Wazuh, rules can be tailored to reflect the behavior patterns observed in your environment.

Correlating FIM alerts with process execution logs

One of the most effective strategies is linking file activity with process context. For example:

  • A process initiating thousands of file modifications in a short period
  • A single executable responsible for widespread file renaming
  • Correlating Sysmon process creation events with FIM alerts

This allows you to attribute file activity to specific processes, which is essential for identifying ransomware executables.

Creating frequency-based thresholds (e.g., 100+ file changes/minute)


Frequency-based detection is essential for identifying encryption bursts.

Ransomware typically operates faster than human-driven file operations.

Rule design considerations:

  • Define time windows (e.g., 1-minute intervals)
  • Track file modification counts per process/user
  • Trigger alerts when counts exceed the normal baseline

This approach is particularly effective against file-wiping and encryption-based ransomware families.

Detecting deletion of backup/shadow copies


Backup destruction is a common pre-encryption step. Detection should focus on:

  • Windows Shadow Copy deletion commands
  • System restore point removal attempts
  • Backup service termination events

These events are high-confidence indicators when combined with file modification activity.

Tagging high-risk events for escalation severity


Not all alerts should be treated equally. Severity tagging ensures that correlated ransomware behaviors are prioritized.

Examples of escalation logic:

  • Medium severity: isolated suspicious PowerShell execution
  • High severity: PowerShell + mass file modifications
  • Critical severity: backup deletion + encryption behavior + privilege escalation

This prioritization enables SOC teams to respond faster to high-impact threats and reduce dwell time.
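A local_rules.xml fragment that implements the threshold and custom-rule steps from the configuration section, the rule-logic concepts listed under early indicators, and this section's correlation, frequency, backup-deletion and severity-tagging guidance. It is an added example, not rules shipped with Wazuh or taken from the article: rule ids 100200 to 100220 and the group name ransomware_signal are my own choices, and it assumes a Wazuh 4.x ruleset where 550/553/554 are the FIM rules (group syscheck, field name file), 61603 is the built-in Sysmon Event 1 rule, and same_agent and pcre2 fields are supported.

```xml
<group name="ransomware,">

  <!-- 1. Burst threshold. Built-in FIM rules 550/553/554 carry group "syscheck";
          fire once when roughly 100 of them come from one agent within 60 s,
          then stay quiet for 5 min (ignore) so the flood does not re-alert. -->
  <rule id="100200" level="12" frequency="100" timeframe="60" ignore="300">
    <if_matched_group>syscheck</if_matched_group>
    <same_agent />
    <description>Ransomware signal: 100+ file changes on one host within 60 seconds</description>
    <group>ransomware_signal,</group>
    <mitre><id>T1486</id></mitre>
  </rule>

  <!-- 2. New file with an encryption-style extension or a ransom-note name
          (FIM "file added", rule 554). Tune the name list to your environment. -->
  <rule id="100201" level="10">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)(\.(locked|encrypted|enc|crypt)|[\\/](readme|decrypt_instructions)\.(txt|html?))$</field>
    <description>Ransomware signal: encryption-style extension or ransom note created</description>
    <group>ransomware_signal,</group>
    <mitre><id>T1486</id></mitre>
  </rule>

  <!-- 3. Recovery tampering seen in a Sysmon Event 1 command line (rule 61603). -->
  <rule id="100210" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)(vssadmin(\.exe)?\s+delete\s+shadows|bcdedit(\.exe)?.*recoveryenabled\s+no)</field>
    <description>Ransomware signal: shadow copies deleted or recovery disabled</description>
    <group>ransomware_signal,</group>
    <mitre><id>T1490</id></mitre>
  </rule>

  <!-- 4. Encoded PowerShell (-e, -ec, -enc, -EncodedCommand) followed by a base64 blob. -->
  <rule id="100211" level="10">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\powershell(_ise)?\.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)\s-e(c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}</field>
    <description>Ransomware signal: encoded PowerShell command line</description>
    <group>ransomware_signal,</group>
    <mitre><id>T1059.001</id><id>T1027</id></mitre>
  </rule>

  <!-- 5. Office application spawning a script interpreter (macro or staged loader). -->
  <rule id="100212" level="10">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)\\(winword|excel|powerpnt|outlook)\.exe$</field>
    <field name="win.eventdata.image" type="pcre2">(?i)\\(powershell|pwsh|cmd|wscript|cscript)\.exe$</field>
    <description>Ransomware signal: Office process spawned a script interpreter</description>
    <group>ransomware_signal,</group>
    <mitre><id>T1204.002</id></mitre>
  </rule>

  <!-- 6. Escalation: ransomware_signal alerts from the same agent within 5 min
          become one critical alert. Two alerts of the same kind also satisfy this,
          and some Wazuh versions apply a small offset to frequency, so verify the
          exact trigger count with wazuh-logtest before relying on it. -->
  <rule id="100220" level="14" frequency="2" timeframe="300" ignore="600">
    <if_matched_group>ransomware_signal</if_matched_group>
    <same_agent />
    <description>CRITICAL: multiple ransomware indicators on the same host within 5 minutes</description>
    <mitre><id>T1486</id></mitre>
  </rule>

</group>
```

The individual rules stay at level 10 or 12 so they reach the dashboard without paging anyone; only the correlated rule 100220 carries the critical level that should drive escalation or automated response.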


Incident Response Using Wazuh Active Response

Incident response in Wazuh is where detection shifts into containment.

Once ransomware-like behavior is identified, the goal is to interrupt execution, limit lateral movement, and preserve forensic artifacts before they are altered or destroyed.

Isolating affected hosts from the network

One of the most effective containment strategies is network isolation.

Active Response can automatically remove a compromised endpoint from the network by:

  • Blocking outbound traffic at the host firewall level
  • Disabling network interfaces temporarily
  • Segmenting the host into a quarantine VLAN (in advanced environments)

This prevents ransomware from spreading laterally to file shares, domain controllers, or backup systems.

Blocking suspicious processes or users

When ransomware execution is detected, Wazuh Active Response can terminate malicious processes or disable compromised user accounts.

Typical actions include:

  • Killing high-risk processes (e.g., unknown PowerShell instances)
  • Disabling user sessions associated with abnormal activity
  • Blocking repeated execution attempts from the same binary or script

This is particularly effective when combined with Sysmon-based process tracking and FIM alerts.
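Manager-side active-response wiring for the process-kill and isolation actions above, added here as an example rather than taken from the article. contain-ransomware.exe is a placeholder for a custom script you would write and deploy to each Windows agent's active-response\bin directory, and the gating assumes your correlated critical rule is tagged with group ransomware at level 14.

```xml
<ossec_config>
  <!-- contain-ransomware.exe is a placeholder for a custom script compiled and
       copied to active-response\bin on every Windows agent. Wazuh passes the
       triggering alert to it as JSON on stdin, so it can read the process id and
       image from the Sysmon fields, stop that process, and add a host-firewall
       rule blocking outbound traffic until an analyst lifts it. -->
  <command>
    <name>contain-ransomware</name>
    <executable>contain-ransomware.exe</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- Gate on the correlated critical alert (group "ransomware", level 14),
       never on a single weak signal: an automatic kill of the wrong process is
       itself an outage. location=local runs the action on the agent that raised
       the alert, which is the host being encrypted. -->
  <active-response>
    <disabled>no</disabled>
    <command>contain-ransomware</command>
    <location>local</location>
    <rules_group>ransomware</rules_group>
    <level>14</level>
  </active-response>
</ossec_config>
```

Every execution is recorded in the agent's active-responses.log, which is the first place to check when tuning whether the gate is too loose or too tight.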

Triggering alerts to SIEM dashboards or email/Slack integrations


Incident response is not only automated containment—it also includes rapid visibility for SOC teams. Wazuh can forward alerts to:

  • SIEM dashboards for centralized analysis
  • Email notifications for high-severity events
  • Slack or webhook integrations for real-time incident response coordination

This ensures that human analysts can validate and escalate incidents quickly when automated response is triggered.

Preserving forensic evidence for investigation


Before containment actions fully neutralize a threat, preserving forensic evidence is critical.

Wazuh can help retain:

  • Process execution logs (Sysmon/event logs)
  • File integrity snapshots (pre/post modification states)
  • Authentication and privilege escalation records

This data is essential for reconstructing the attack chain, identifying initial access vectors, and improving future detection rules.


Monitoring Dashboards and Alert Visualization

Dashboards in Wazuh provide a centralized view of ransomware-related activity across endpoints, allowing analysts to move from raw logs to actionable intelligence.

Ransomware-related alert filters


Filtering is the first step in identifying meaningful signals. Analysts typically apply filters such as:

  • File Integrity Monitoring alerts
  • Process execution anomalies
  • Backup deletion or shadow copy removal events

These filters help isolate ransomware-related behavior from general system noise.

Timeline views of file modification bursts


Timeline visualization is critical for detecting encryption phases.

Ransomware activity often appears as a sharp spike in file modifications within a short time window.

Dashboards can show:

  • Sudden increases in file change events
  • Sequential file renaming across directories
  • Correlated process execution during burst windows

This allows analysts to pinpoint the exact start of encryption activity.

Endpoint-level risk scoring


Wazuh dashboards can aggregate multiple signals into a risk profile per endpoint:

  • Frequency of suspicious process executions
  • Number of FIM alerts generated
  • Presence of privilege escalation attempts

Endpoints with multiple correlated indicators are assigned higher risk scores, helping prioritize response efforts.

Correlation between multiple alert types


The most effective ransomware detection comes from correlation across event types:

  • Process execution + file modification bursts
  • PowerShell anomalies + backup deletion attempts
  • Authentication failures + privilege escalation attempts

Correlation reduces false positives and improves confidence in identifying true ransomware behavior.


Best Practices to Prevent Ransomware Spread

While detection is essential, prevention significantly reduces the likelihood of successful ransomware execution and propagation.

Segmenting critical systems


Network segmentation limits lateral movement.

Critical systems such as domain controllers, backups, and databases should be isolated from general user networks.

This ensures that even if one endpoint is compromised, ransomware cannot easily spread across the infrastructure.

Restricting execution of unauthorized scripts


Many ransomware attacks rely on script-based execution (PowerShell, WMI, batch files).

Organizations should:

  • Restrict PowerShell execution policies
  • Block unsigned scripts
  • Use application whitelisting where possible

This reduces the attack surface for initial payload execution.

Regular backups with offline storage


Backups remain the most reliable recovery method, but they must be protected:

  • Maintain offline or immutable backups
  • Avoid network-connected backup storage where possible
  • Regularly test restoration procedures

Without this control, ransomware often targets backups first to increase leverage.

Least privilege enforcement


Limiting user permissions reduces ransomware impact:

  • Users should not have local admin rights by default
  • Privileges should be role-based and time-limited
  • Service accounts should be tightly controlled

This reduces the ability of ransomware to escalate privileges or disable defenses.

Continuous monitoring of endpoint behavior


Ongoing monitoring using Wazuh ensures that suspicious behavior is detected early.

Continuous telemetry collection enables:

  • Early detection of anomalies
  • Faster incident response
  • Improved rule tuning over time

Conclusion

A robust ransomware detection strategy is not built on a single control but on layered defense.

With Wazuh, organizations gain visibility across endpoint activity, file integrity changes, and security event logs, enabling detection of ransomware at multiple stages of the attack lifecycle.

By combining:

  • File Integrity Monitoring for rapid change detection
  • Log-based behavioral analysis for execution tracking
  • Custom correlation rules for attack pattern recognition
  • Active Response for immediate containment

security teams can significantly reduce dwell time and limit operational impact.

Ultimately, the effectiveness of ransomware defense depends on continuous tuning, environment-specific rule development, and integration between detection and automated response systems.
