Ragnar Locker ransomware detections

About the rule

Rule Type

Advanced

Rule Description

This rule tracks a Ragnar Locker ransomware attack chain on a single host: an installation run through msiexec.exe, followed within seconds by the drop of a VirtualBox appliance binary (VirtualAppliances\va.exe) under Program Files, execution of that dropped binary, an invocation of vssadmin.exe (used to delete Volume Shadow Copies so files cannot be restored), and finally a headless VirtualBox start (VBoxHeadless.exe). Ragnar Locker runs its encryptor inside that virtual machine against the host's mapped drives, which hides the encrypting process from endpoint controls on the host; the rule therefore fires on the staging sequence rather than on the encryption itself.

Severity

Critical

Rule Requirement

Criteria

Action1: actionname = "Process started" AND (PROCESSNAME endswith "msiexec.exe")

Action2: actionname = "File created" AND ((OBJECTNAME contains "\Program Files (x86)" OR OBJECTNAME contains "\Program Files") AND OBJECTNAME endswith "VirtualAppliances\va.exe") AND HOSTNAME = Action1.HOSTNAME

Action3: actionname = "Process started" AND PROCESSNAME = Action2.OBJECTNAME AND HOSTNAME = Action1.HOSTNAME

Action4: actionname = "Process started" AND (PROCESSNAME endswith "vssadmin.exe") AND HOSTNAME = Action1.HOSTNAME

Action5: actionname = "Process started" AND (PROCESSNAME endswith "VboxHeadless.exe") AND HOSTNAME = Action1.HOSTNAME

sequence: Action1 followedby Action2 within 30s followedby Action3 within 2m followedby Action4 within 2m followedby Action5 within 10m

select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID,
Action2.HOSTNAME,Action2.MESSAGE,Action2.USERNAME,Action2.DOMAIN,Action2.OBJECTNAME,Action2.PROCESSNAME,Action2.ACCESSLIST,Action2.FILETYPE,
Action3.HOSTNAME,Action3.MESSAGE,Action3.COMMANDLINE,Action3.FILE_NAME,Action3.PROCESSNAME,Action3.USERNAME,Action3.PARENTPROCESSNAME,Action3.DOMAIN,Action3.ORIGINALFILENAME,Action3.PARENTPROCESSID,Action3.PROCESSID,Action3.PRODUCT_NAME,Action3.SECURITYID,
Action4.HOSTNAME,Action4.MESSAGE,Action4.COMMANDLINE,Action4.FILE_NAME,Action4.PROCESSNAME,Action4.USERNAME,Action4.PARENTPROCESSNAME,Action4.DOMAIN,Action4.ORIGINALFILENAME,Action4.PARENTPROCESSID,Action4.PROCESSID,Action4.PRODUCT_NAME,Action4.SECURITYID,
Action5.HOSTNAME,Action5.MESSAGE,Action5.COMMANDLINE,Action5.FILE_NAME,Action5.PROCESSNAME,Action5.USERNAME,Action5.PARENTPROCESSNAME,Action5.DOMAIN,Action5.ORIGINALFILENAME,Action5.PARENTPROCESSID,Action5.PROCESSID,Action5.PRODUCT_NAME,Action5.SECURITYID
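The following is an added example, not the rule engine's own code: a small sequence correlator that applies the five Action predicates and the per-stage time windows of the criteria above to a set of constructed Windows events. Field names (actionname, HOSTNAME, PROCESSNAME, OBJECTNAME) follow the rule; the ts field, the host names, timestamps and paths are assumptions made for the sample. String matching is done case-insensitively, which is also an assumption about the engine's endswith/contains semantics.

```python
from datetime import datetime, timedelta


def _proc(e, name):
    """Action-style 'Process started' check with a case-insensitive endswith (assumed)."""
    return e["actionname"] == "Process started" and e["PROCESSNAME"].lower().endswith(name)


def action1(e, chain):
    return _proc(e, "msiexec.exe")


def action2(e, chain):
    # File created under Program Files / Program Files (x86) named VirtualAppliances\va.exe
    if e["actionname"] != "File created":
        return False
    obj = e["OBJECTNAME"]
    in_program_files = "\\Program Files (x86)" in obj or "\\Program Files" in obj
    return in_program_files and obj.lower().endswith("virtualappliances\\va.exe")


def action3(e, chain):
    # PROCESSNAME = Action2.OBJECTNAME: the dropped va.exe itself is executed
    return e["actionname"] == "Process started" and e["PROCESSNAME"].lower() == chain[1]["OBJECTNAME"].lower()


def action4(e, chain):
    return _proc(e, "vssadmin.exe")


def action5(e, chain):
    return _proc(e, "vboxheadless.exe")


# (predicate, maximum delay after the previous stage), as in the rule's sequence clause
STAGES = [
    (action1, None),
    (action2, timedelta(seconds=30)),
    (action3, timedelta(minutes=2)),
    (action4, timedelta(minutes=2)),
    (action5, timedelta(minutes=10)),
]


def correlate(events):
    """Return every complete Action1..Action5 chain in `events`.

    Each event is a dict with ts (datetime), actionname, HOSTNAME and either
    PROCESSNAME (process events) or OBJECTNAME (file events). All stages must
    occur on the same host, in order, each within its window of the previous one.
    """
    events = sorted(events, key=lambda e: e["ts"])
    chains = []

    def extend(chain, start_idx):
        if len(chain) == len(STAGES):
            chains.append(chain)
            return
        pred, window = STAGES[len(chain)]
        prev = chain[-1]
        for j in range(start_idx, len(events)):
            e = events[j]
            if e["ts"] - prev["ts"] > window:
                break  # events are sorted, so nothing later can satisfy the window
            if e["HOSTNAME"] == prev["HOSTNAME"] and pred(e, chain):
                extend(chain + [e], j + 1)

    for i, e in enumerate(events):
        if action1(e, []):
            extend([e], i + 1)
    return chains


# Constructed sample events (assumed hosts, paths and timestamps).
T0 = datetime(2024, 1, 1, 9, 0, 0)
PF = "C:\\Program Files (x86)\\VirtualAppliances\\"
SAMPLE = [
    # WS01: full chain, every stage inside its window -> one match
    {"ts": T0, "actionname": "Process started", "HOSTNAME": "WS01", "PROCESSNAME": "C:\\Windows\\System32\\msiexec.exe"},
    {"ts": T0 + timedelta(seconds=12), "actionname": "File created", "HOSTNAME": "WS01", "OBJECTNAME": PF + "va.exe"},
    {"ts": T0 + timedelta(seconds=40), "actionname": "Process started", "HOSTNAME": "WS01", "PROCESSNAME": PF + "va.exe"},
    {"ts": T0 + timedelta(seconds=95), "actionname": "Process started", "HOSTNAME": "WS01", "PROCESSNAME": "C:\\Windows\\System32\\vssadmin.exe"},
    {"ts": T0 + timedelta(minutes=5), "actionname": "Process started", "HOSTNAME": "WS01", "PROCESSNAME": PF + "VboxHeadless.exe"},
    # WS02: va.exe lands 45s after msiexec, outside the 30s window -> no match
    {"ts": T0 + timedelta(seconds=60), "actionname": "Process started", "HOSTNAME": "WS02", "PROCESSNAME": "C:\\Windows\\System32\\msiexec.exe"},
    {"ts": T0 + timedelta(seconds=105), "actionname": "File created", "HOSTNAME": "WS02", "OBJECTNAME": PF + "va.exe"},
    # WS01: a lone vssadmin run after the chain is not a new match on its own
    {"ts": T0 + timedelta(minutes=20), "actionname": "Process started", "HOSTNAME": "WS01", "PROCESSNAME": "C:\\Windows\\System32\\vssadmin.exe"},
]


def demo():
    return correlate(SAMPLE)


if __name__ == "__main__":
    for chain in demo():
        print(chain[0]["HOSTNAME"], [e["ts"].strftime("%H:%M:%S") for e in chain])
```

Two things to check before relying on the production rule: the rule spells the last binary "VboxHeadless.exe" while the binary VirtualBox ships is VBoxHeadless.exe, so confirm that the engine's endswith is case-insensitive (the example above matches case-insensitively for that reason); and the example, like the rule, never inspects COMMANDLINE, so a vssadmin.exe run that merely lists shadow copies satisfies Action4 just as a delete does. The selected COMMANDLINE fields are there for the analyst to make that distinction during triage.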

Detection

Execution Mode

realtime

Log Sources

Windows