cipher.exe is the built-in Windows EFS command-line utility. Its /w:<drive> switch overwrites the deallocated (free) space of a volume so that previously deleted files cannot be recovered; it does not delete files itself. Seen against several drives of one host within a short window, that is a recognised anti-forensic step some ransomware operators take before encryption, destroying evidence of what was staged and removed. SOC teams should hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to identify and contain ransomware targeting healthcare organizations before data is irreversibly lost.
KQL Query
```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "cipher.exe"
// /w:<drive> overwrites deallocated space so deleted files cannot be recovered
| where ProcessCommandLine has "/w"
// One row per device per minute; distinct command lines approximate distinct drives
| summarize CommandCount = dcount(ProcessCommandLine),
    make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m)
// Looking for multiple drives in a short timeframe
| where CommandCount > 1
```
```yaml
id: afef7d05-0618-4bd7-9fbc-2e94ee764245
name: Ransomware hits healthcare - Cipher.exe tool deleting data
description: |
  Look for cipher.exe wiping free space (/w) on multiple drives.
  This is often performed as an anti-forensic measure prior to encryption.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName =~ "cipher.exe"
  // /w:<drive> overwrites deallocated space so deleted files cannot be recovered
  | where ProcessCommandLine has "/w"
  | summarize CommandCount = dcount(ProcessCommandLine),
      make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 1m)
  // Looking for multiple drives in a short timeframe
  | where CommandCount > 1
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection data connector is enabled and this table is being ingested |
Scenario: Scheduled System Maintenance Task Using Cipher.exe
Description: A scheduled maintenance job may legitimately run cipher.exe /w to wipe free space after a cleanup, for example on shared or decommissioned workstations. cipher.exe does not delete files; it overwrites space already freed by earlier deletions, and its /f switch forces re-encryption of EFS objects rather than anything cleanup-related.
Filter/Exclusion: Do not exclude on the /w flag, since it is the behavior the query keys on. Exclude the specific approved task by its parent process and account (InitiatingProcessFileName, InitiatingProcessCommandLine and AccountName) once the task has been verified. Ransomware operators also launch tooling through Task Scheduler and svchost.exe, so a blanket exclusion on those parents would blind the hunt.
Scenario: Antivirus Quarantine Process Using Cipher.exe
Description: Some endpoint security products may wipe free space after purging quarantined files from a drive, and may do so by invoking cipher.exe.
Filter/Exclusion: Exclude only when the initiating process is the vendor's signed binary running from its installation path (InitiatingProcessFileName, InitiatingProcessFolderPath and InitiatingProcessSignatureStatus). Do not filter on a vendor name substring alone, which an attacker can reuse in a file name.
Scenario: Admin Task to Delete Old Patient Records
Description: After an administrator deletes obsolete patient records from several drives, a data-management procedure may require wiping the freed space with cipher.exe /w so the records cannot be recovered. cipher.exe has no switch that deletes records itself: /d decrypts EFS-encrypted files and there is no /p switch.
Filter/Exclusion: Filter on AccountName for the named account that performs the procedure, and tie the hit to a change ticket. Do not exclude generic administrator accounts: ransomware is normally run with administrative rights, so an "admin" filter would suppress the true positives.
Scenario: Backup Job Using Cipher.exe for Data Purge
Description: A backup job may purge old backups or temporary files and then wipe the freed space with cipher.exe before archiving new data.
Filter/Exclusion: Exclude on the backup agent's own process as parent (InitiatingProcessFileName, e.g., a Backup Exec agent process) combined with its service account. Do not treat vssadmin.exe as a benign parent: deleting volume shadow copies with vssadmin is itself a common ransomware precursor and should raise, not lower, the severity of a hit.
Scenario: System File Corruption Repair Using Cipher.exe
Description: Windows may use cipher.exe as part of the System File Checker (SFC) or DISM
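The following is an added example of how the false-positive scenarios above can be applied as narrow exclusions; it is not part of the original hunting query or its YAML. The approved parent process (backupexec.exe), the service account (svc_backup) and the use of InitiatingProcessSignatureStatus == "Valid" to recognise a signed parent are assumptions to be replaced with values verified in your own tenant. It also counts distinct drive letters taken from the /w:<drive> argument rather than distinct command-line strings, so two runs against the same drive with different paths no longer count as "multiple drives".

```kusto
// Added example, not part of the original hunting query or its Azure-Sentinel YAML.
// Assumptions (replace with values validated in your own environment):
//   - approvedParents: parent processes allowed to launch cipher.exe /w
//   - approvedAccounts: service accounts used by approved maintenance or backup jobs
//   - InitiatingProcessSignatureStatus == "Valid" identifies a signed parent binary
let lookback = 7d;
let approvedParents = dynamic(["backupexec.exe"]);   // assumed backup agent
let approvedAccounts = dynamic(["svc_backup"]);      // assumed service account
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "cipher.exe"
| where ProcessCommandLine has "/w"
// Pull the drive letter out of /w:<drive>:... so distinct drives are counted rather than
// distinct command-line strings; a run with no drive letter targets the current drive.
| extend TargetDrive = coalesce(
    toupper(extract(@"(?i)/w:\s*([A-Za-z]):", 1, ProcessCommandLine)), "current")
// Exclusions for the false-positive scenarios above. Each is deliberately narrow:
// a named parent that is also validly signed, or a named service account.
// vssadmin.exe is never excluded: shadow-copy deletion followed by free-space
// wiping is the ransomware pattern this hunt exists to catch.
| where not(InitiatingProcessFileName in~ (approvedParents)
            and InitiatingProcessSignatureStatus == "Valid")
| where not(AccountName in~ (approvedAccounts))
| summarize DriveCount   = dcount(TargetDrive),
            Drives       = make_set(TargetDrive),
            CommandLines = make_set(ProcessCommandLine),
            Parents      = make_set(InitiatingProcessFileName),
            Accounts     = make_set(AccountName),
            FirstSeen    = min(Timestamp),
            LastSeen     = max(Timestamp)
          by DeviceId, DeviceName, bin(Timestamp, 1m)
// Multiple distinct drives wiped from one host inside a single minute
| where DriveCount > 1
| project DeviceName, DeviceId, FirstSeen, LastSeen, DriveCount, Drives,
          Accounts, Parents, CommandLines
| order by LastSeen desc
```

The exclusions are intentionally conjunctive (named parent and valid signature, or named account) so that an attacker who drops a binary called backupexec.exe, or who runs as a generic administrator, still produces a hit. Parents, Accounts and Drives are carried into the result so the analyst can see at a glance who launched the wipe and from where, rather than re-querying per device.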