in ransomware/artifact.lua [3685:3770]
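--- Decide whether the per-process event threshold should be extended.
-- Examines the file-create and file-rename activity recorded for a single
-- process and returns true only when every one of these holds:
--   * at least one create or rename was recorded;
--   * creates account for at least 70% of all events for the process;
--   * the creates (if any) span at most 2 distinct extensions;
--   * the renames (if any) use exactly 1 extension;
--   * the creates touch at least (#events / 2.2) distinct directories.
-- Any failed check returns false without logging; success is logged via
-- utils.DebugLog before returning true.
-- @tparam table processData per-process record. Fields read here:
--   `events` (sequence of all events for the process), `createExtensions`
--   and `renameExtensions` (maps extension -> sequence of file events, each
--   carrying `filePath`), and `processId` (used only in the log line).
-- @treturn boolean true when the threshold should be extended.
function Production.ExtendEventThresholdCheck(processData)
  local numberOfCreates = 0
  local numberOfCreateExtensions = 0
  local numberOfRenames = 0
  local numberOfRenameExtensions = 0
  local uniqueDirectories = {}
  local totalUniqueDirectories = 0
  -- Missing containers are treated as empty rather than letting pairs()/#
  -- raise on nil.
  local events = processData.events or {}
  local totalEvents = #events

  for _, fileEvents in pairs(processData.createExtensions or {}) do
    numberOfCreateExtensions = numberOfCreateExtensions + 1
    numberOfCreates = numberOfCreates + #fileEvents
    for _, fileEvent in pairs(fileEvents) do
      -- Directory = everything up to the last backslash. A path with no
      -- separator makes match() return nil; fall back to '' so such files
      -- share one bucket instead of raising "table index is nil".
      local currentDir = fileEvent.filePath:match('^(.*)\\') or ''
      if not utils.TableHasKey(uniqueDirectories, currentDir) then
        uniqueDirectories[currentDir] = 1
        totalUniqueDirectories = totalUniqueDirectories + 1
      else
        uniqueDirectories[currentDir] = uniqueDirectories[currentDir] + 1
      end
    end
  end

  for _, fileEvents in pairs(processData.renameExtensions or {}) do
    numberOfRenameExtensions = numberOfRenameExtensions + 1
    numberOfRenames = numberOfRenames + #fileEvents
  end

  -- No create or rename activity at all: nothing to extend for.
  if numberOfRenames == 0 and numberOfCreates == 0 then
    return false
  end

  -- Float division: with zero events this yields inf/NaN rather than
  -- raising. The negated >= form deliberately treats NaN as a failure.
  local percentOfCreates = (numberOfCreates / totalEvents) * 100
  if not (percentOfCreates >= 70) then
    return false
  end

  -- Creates concentrated on very few extensions.
  if numberOfCreates ~= 0 and not (numberOfCreateExtensions <= 2) then
    return false
  end

  -- Renames all sharing a single extension.
  if numberOfRenames ~= 0 and not (numberOfRenameExtensions == 1) then
    return false
  end

  -- Activity spread across many directories relative to total event count.
  if not (totalUniqueDirectories >= (totalEvents / 2.2)) then
    return false
  end

  -- tostring() keeps the message intact for numeric ids and avoids a
  -- concat error if processId is absent.
  utils.DebugLog('Extending Event Threshold for PID: ' .. tostring(processData.processId))
  return true
end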