in ransomware/artifact.lua [3045:3083]
--- Classify a file-rename event by how its extension changed.
-- The previous and current extensions are looked up in
-- globals.extensionMap (the table of recognised extensions) and the
-- current one is also run through the ransom-extension check. The first
-- matching transition is written to eventData.renameTransition and a
-- file-alert metric tagged with the transition name is raised; when no
-- transition matches nothing is written and no alert is raised.
-- @param eventData table carrying filePreviousExtension and fileExtension;
--   mutated: renameTransition is set when a transition matches
-- @return eventData.renameTransition, i.e. nil (or whatever value was
--   already present) when no transition matched
function Ransomware:RenameCheck(eventData)
    -- Ransom-extension check runs before the map lookups, keeping the
    -- original order of external calls.
    -- NOTE(review): called with '.' rather than ':', so no receiver is
    -- passed; this is only correct if IsRansomExtension is defined with
    -- '.' as well — confirm against its definition.
    local isSuspicious = self.IsRansomExtension(eventData)
    local wasKnown = utils.TableHasKey(globals.extensionMap, eventData.filePreviousExtension) and true or false
    local isKnown = utils.TableHasKey(globals.extensionMap, eventData.fileExtension) and true or false
    local isBlank = eventData.fileExtension == ''

    -- Ordered rules: the first row whose predicate holds wins. The second
    -- field doubles as the key into globals and as the alert label.
    -- NOTE(review): KNOWN_TO_BLANK is only reachable when '' is itself a
    -- key of globals.extensionMap, because KNOWN_TO_UNKNOWN is tested
    -- before it; confirm that ordering is intended. There is no
    -- UNKNOWN_TO_BLANK rule — a blank current extension with an unknown
    -- previous one falls under UNKNOWN_TO_UNKNOWN.
    local rules = {
        { wasKnown and isSuspicious,     'KNOWN_TO_SUSPICIOUS' },
        { wasKnown and not isKnown,      'KNOWN_TO_UNKNOWN' },
        { wasKnown and isBlank,          'KNOWN_TO_BLANK' },
        { not wasKnown and isSuspicious, 'UNKNOWN_TO_SUSPICIOUS' },
        { not wasKnown and not isKnown,  'UNKNOWN_TO_UNKNOWN' },
    }

    for _, rule in ipairs(rules) do
        local matched, name = rule[1], rule[2]
        if matched then
            -- Constant is read lazily, only for the branch that fired.
            eventData.renameTransition = globals[name]
            alert.RaiseFileAlertMetric(eventData, name)
            break
        end
    end

    return eventData.renameTransition
end