Data Destruction & Ransomware
Detects destructive operations, ransomware-like behavior, and sabotage through data wiping or encryption
8 rules in data_destruction.yml
CRITICAL: 8
| Rule ID | Severity | Title | Description | Refs |
|---|---|---|---|---|
| backup_ | CRITICAL | Backup File Deletion | Deletes backup files or directories, which is a common pre-ransomware action | |
| database_ | CRITICAL | Database DROP/TRUNCATE Destructive Command | Executes DROP DATABASE, DROP TABLE, or TRUNCATE commands that destroy data | |
| disk_ | CRITICAL | Disk/Partition Wipe with dd | Uses dd to write zeros or random data to disk devices, destroying all data | |
| lvm_ | CRITICAL | Volume Group / Logical Volume Removal | Removes LVM volume groups or logical volumes, destroying data | |
| mkfs_ | CRITICAL | Filesystem Format on Existing Device | mkfs.ext{2,3,4}/xfs/btrfs/ntfs is invoked against /dev/ | |
| ransomware_ | CRITICAL | File Encryption (Ransomware Pattern) | Encrypts files using openssl, gpg, or age in a pattern consistent with ransomware | |
| recursive_ | CRITICAL | Recursive Delete of Critical Paths | rm -rf targets a critical system path (/, /boot, /etc, /var, /usr, /home, /opt, /srv, /root). A typo or unbound variable in the path renders the host unrecoverable. | |
| shred_ | CRITICAL | Secure File Deletion (shred/wipe) | shred or wipe command targets a file path or templated variable and overwrites the contents irrecoverably. There is no Ansible rollback once shred runs. | |