Before a ransomware group encrypts your data, they steal it. Double extortion — threaten victims with both encryption and data publication — is now the baseline across virtually all active ransomware operations. That means there’s a window between initial access and encryption during which the attackers are actively moving data out. That window is your best detection opportunity, and it’s one most teams underinvest in.
This guide covers the tools ransomware affiliates use most frequently for staging and exfiltration, and the detection strategies that have proven effective across enterprise and managed detection environments.
Why Exfiltration Is Hard to Catch by Default
The challenge is that the tools used for ransomware exfiltration are mostly legitimate. rclone is a widely used open-source cloud storage sync tool. WinSCP is a popular Windows SFTP client. MEGAsync is the official MEGA cloud storage desktop application. FileZilla is an FTP client used by developers worldwide.
None of these tools are inherently malicious. Most SIEM and EDR platforms don’t alert on them by default because doing so would generate enormous false-positive volumes in environments where they’re legitimately deployed. That creates a coverage gap that threat actors understand and exploit.
Effective detection requires context: who ran this tool, from where, for how long, and to what destination?
Tool 1: rclone
rclone is the exfiltration tool of choice for many modern ransomware affiliates, including Cl0p, The Gentlemen, RansomHub, and LockBit groups. It supports dozens of cloud providers (MEGA, OneDrive, Google Drive, S3, SFTP, FTP, Backblaze B2), can be run as a portable executable from a USB key or user-writable directory, and generates command-line arguments that reveal destination and transfer options.
What to Look For
rclone exfiltration typically involves execution from unusual directories (temp, AppData, Downloads, Desktop), execution under service or system accounts, and large volumes of disk reads preceding the rclone invocation.
Sigma rule — rclone execution from suspicious path:
title: Rclone Execution from Non-Standard Path
id: 8f3a1b9e-4c7d-5a8f-9b2e-6d4c3a7e1f0b
status: experimental
description: Detects rclone execution from non-standard paths often used in ransomware staging
references:
- https://attack.mitre.org/techniques/T1048/
author: SOC Analyst Hub
date: 2026-06-11
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\rclone.exe'
filter_legit:
Image|contains:
- '\Program Files\'
- '\Program Files (x86)\'
condition: selection and not filter_legit
timeframe: 15s
falsepositives:
- Legitimate portable rclone installations in developer environments
level: high
tags:
- attack.exfiltration
- attack.t1048
- attack.t1567
Sigma rule — rclone with cloud destination arguments:
title: Rclone Cloud Exfiltration Arguments
id: 9a2b4c5d-6e7f-8a9b-0c1d-2e3f4a5b6c7d
status: experimental
description: Detects rclone command-line arguments indicative of cloud exfiltration
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\rclone.exe'
CommandLine|contains:
- 'mega:'
- 'drive:'
- 'onedrive:'
- 's3:'
- '--transfers'
- 'copy '
- 'sync '
condition: selection
falsepositives:
- Legitimate backup jobs using rclone
level: high
tags:
- attack.exfiltration
- attack.t1048
KQL (Microsoft Sentinel / Defender for Endpoint):
DeviceProcessEvents
| where FileName =~ "rclone.exe"
| where not (FolderPath has_any (@"C:\Program Files\", @"C:\Program Files (x86)\"))
| extend HasCloudArgs = ProcessCommandLine has_any ("mega:", "drive:", "onedrive:", "s3:", "copy ", "sync ")
| where HasCloudArgs
| project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Tool 2: MEGAsync
MEGA cloud storage is a persistent favourite for ransomware groups because of its end-to-end encryption (which breaks network-level DLP), its high upload bandwidth, and its anonymous account creation. MEGAsync can be installed silently and configured programmatically.
What to Look For
New MEGAsync installations coinciding with large outbound data volumes. MEGAsync spawning from unusual parent processes (cmd.exe, powershell.exe, services.exe). High-volume outbound connections to g.api.mega.co.nz or MEGA CDN infrastructure from endpoints not expected to run cloud storage.
Sigma — MEGAsync installation or execution from unusual parent:
title: MEGAsync Execution with Suspicious Parent
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects MEGAsync launched from command-line interpreters or remote execution contexts
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\MEGAsync.exe'
ParentImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\services.exe'
condition: selection
falsepositives:
- Scripted installs in software deployment pipelines
level: high
tags:
- attack.exfiltration
- attack.t1567.002
KQL — network connections to MEGA infrastructure:
DeviceNetworkEvents
| where RemoteUrl has "mega.co.nz" or RemoteUrl has "mega.nz"
| where InitiatingProcessFileName !in~ ("chrome.exe", "firefox.exe", "msedge.exe", "brave.exe")
| summarize BytesSent=sum(SentBytes), ConnectionCount=count(),
FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, InitiatingProcessFileName
| where BytesSent > 100000000 // 100MB threshold
| sort by BytesSent desc
Tool 3: WinSCP and FileZilla
WinSCP and FileZilla are used by ransomware actors to exfiltrate to attacker-controlled SFTP or FTP servers. They leave distinctive registry artefacts and process trees.
Sigma — WinSCP execution with command-line (non-interactive):
title: WinSCP Non-Interactive Execution
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects WinSCP running with scripting arguments, indicative of automated exfiltration
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\WinSCP.exe'
CommandLine|contains:
- '/script='
- '/command'
- '/log='
condition: selection
falsepositives:
- Legitimate WinSCP scripted transfers in IT environments
level: medium
tags:
- attack.exfiltration
- attack.t1048.002
Hunting Strategy: Correlating Discovery with Exfiltration
The most reliable detection approach is not to hunt exfiltration tools in isolation but to identify the pattern that precedes them. In the pre-encryption phase, ransomware affiliates typically execute a rapid discovery sequence:
nltest /domain_trusts— domain enumerationnet group "domain admins"orAdFind.exe— privileged account enumeration- Large-scale file system crawls using
Everything.exe,dir /s, or custom scripts - Staging to a local directory (often
C:\ProgramData\orC:\Temp\) - rclone, WinSCP, or MEGAsync upload
Hunting for rapid succession of discovery commands from a single endpoint followed by large read activity is often more effective than hunting the exfiltration tool itself.
KQL — discovery-to-exfiltration correlation:
let discovery_cmds = DeviceProcessEvents
| where ProcessCommandLine has_any ("nltest", "net group", "AdFind", "adfind", "ldifde")
| summarize DiscoveryCount=count(), FirstSeen=min(Timestamp) by DeviceName
| where DiscoveryCount >= 3;
let exfil_tools = DeviceProcessEvents
| where FileName in~ ("rclone.exe", "MEGAsync.exe", "WinSCP.exe", "FileZilla.exe")
| summarize ExfilSeen=min(Timestamp) by DeviceName;
discovery_cmds
| join kind=inner exfil_tools on DeviceName
| where ExfilSeen > FirstSeen
| extend MinutesBetween = datetime_diff('minute', ExfilSeen, FirstSeen)
| where MinutesBetween < 480 // Correlation within 8 hours
| sort by MinutesBetween asc
Recommended SIEM Coverage
At minimum, deploy process creation logging with command-line capture on all endpoints, network DNS logging to catch MEGA/cloud storage domain queries, and proxy or firewall logging with categorisation of cloud storage destinations. Many teams also deploy canary files in high-value directories — documents titled to appear valuable that trigger alerts if accessed and subsequently appear in exfiltration tool activity.
The detection gap here is well understood by attackers. Closing it is straightforward. Apply these Sigma rules in detection mode first, tune out your legitimate rclone and WinSCP usage over two to four weeks, then promote to alert.