Vql ransomware impact scoping Windows.NTFS.MFT

impact.vql

/*
### Drive Ransom note stats
*/
SELECT
    strip(string=split(string=OSPath,sep=':')[0],prefix='''\\.\''') as Drive,
    FileName as RansomeNote,
    --min(item=Created0x10) as EarliestCreation,
    --max(item=Created0x10) as LatestCreation,
    min(item=LastModified0x10) as EarliestModified,
    max(item=LastModified0x10) as LatestModified,
    --min(item=LastRecordChange0x10) as EarliestRecordChange,
    --max(item=LastRecordChange0x10) as LatestRecordChange,
    count() as Total
FROM source(artifact="Windows.NTFS.MFT")
WHERE FileName = 'RANSOMNOTEFILENAME'
GROUP BY Drive

/*
### Drive Ransom file stats
*/
SELECT
    strip(string=split(string=OSPath,sep=':')[0],prefix='''\\.\''') as Drive,
    split(string=FileName,sep_string='.') [-1] as Extension,
    --min(item=Created0x10) as EarliestCreation,
    --max(item=Created0x10) as LatestCreation,
    min(item=LastModified0x10) as EarliestModified,
    max(item=LastModified0x10) as LatestModified,
    min(item=LastRecordChange0x10) as EarliestRecordChange,
    max(item=LastRecordChange0x10) as LatestRecordChange,
    count() as Total
FROM source(artifact="Windows.NTFS.MFT")
WHERE FileName =~ 'RAMSOMEXT$'
GROUP BY Drive