In general @wuming79 a lot of the searches in the ransomware app are designed for detection and early containment. Whether or not you can use them to "stop" the ransomware depends entirely on the variant of ransomware. I would argue that the best defense against ransomware is user education, combined with a behavior-detecting technology on the endpoint that can observe what's going on and actually take action.
From a Splunk perspective, we have found time and again that many variants of ransomware do not "immediately" take action. Take, for example, the NotPetya wiper, which puts into place a scheduled task that kicks off a reboot routine an hour after infection. Well, if you're regularly searching for unusual scheduled tasks that shouldn't be there on your endpoints, or for the Windows event that tells you that a scheduled task has been added and a further search (which could be automated) also tells you it was an unusual executable that did it, you can take action. Actions might be taken via a Splunk modular alert, old-style alert script, Adaptive Response, or manual intervention. Actions might include shutting down the host and notifying a SOC, modifying a network config to isolate the endpoint to protect from lateral movement or network share encryption, etc.
Certainly some ransomware immediately does damage seconds after it is executed. While Splunk is a great platform to find these executions after the fact and to help you bolster your defenses to protect against that variant in the future, it isn't going to stop the infection in those cases.
... View more