# WinRAR Data Staging with Exfiltration Flags

## What This Detects

WinRAR invoked with the `-ep1 -scul -r0` switch combination, the standard ransomware operator data staging command. The switches:

- `-ep1` - exclude the base folder from stored names: the path typed on the command line is not stored, so the archive unpacks with paths relative to the selected directory
- `-scul` - read file lists (`@listfile`) as Unicode
- `-r0` - recurse subdirectories (like `-r`, but only for wildcard names)

This trio is exactly what WinRAR's own Explorer `Add to archive...` entry passes, followed by `-iext -imon1 -- <selected path>`, so it appears whenever an operator right-clicks a folder or share on a host they control, and it also appears in scripted `rar`/`WinRAR` invocations that copy that default. It is observed across Play, Akira, Qilin, Black Basta, and RansomHub intrusions, which makes it one of the most consistent exfiltration staging signatures in the ransomware ecosystem.

## Why It Matters

WinRAR staging is the first step in double-extortion exfiltration. The operator archives high-value directories (Finance, HR, Legal, Accounts Payable) into multi-gigabyte `.rar` volumes, then transfers them with Rclone, WinSCP, or cloud tools. Detecting at the staging phase gives defenders a window to intervene before data leaves the network. The Sophos 2026 Active Adversary Report identifies WinRAR as the most abused archiving tool across IR cases.

## Observed In

- **Play** - `WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- .` targeting department shares (the `-iext -imon1` pair is the GUI shell-extension form)
- **Akira** - `WinRAR.exe a -ep1 -scul -r0` with `-tn365d` (only files modified within the last 365 days) and `-hp` (password-protected archive with encrypted headers) on the command line
- **Qilin** - same switch pattern for staging before Cyberduck/Rclone exfil
- **Black Basta** - CISA AA24-131A documents WinRAR staging
- **RansomHub** - CISA AA24-242a documents WinRAR staging

## Detection Logic

```
Process Creation where:
  Image ends with \winrar.exe OR \rar.exe
  AND CommandLine contains ALL of: -ep1, -r0, -scul
```

Match the switches as whole tokens, case-insensitively; a substring match on `-r0` would also catch an unrelated `-r0` in another tool's arguments if the image check is loosened.

## False Positive Guidance

The three switches are WinRAR's defaults for the Explorer `Add to archive...` action, so interactive user archiving on workstations will match this rule; do not treat the trio by itself as proof of scripted or attacker use. Triage on context:

- `-iext -imon1` with `explorer.exe` as the parent is the interactive GUI launch; the archive name, password and time filter are chosen in the dialog afterwards and never reach the process command line
- `-hp`/`-p`, `-tn`, `-v` (split volumes) or `-x` on the command line, or a `cmd.exe`/`powershell.exe` parent, mark scripted or operator-typed use
- a UNC path to a department share, or an archive written to a staging folder on a different volume, is the shape seen in the intrusions above
- enterprise backup scripts that use the trio should be baselined and excluded by parent process or scheduled task name

Prioritise hits on file servers, jump hosts and accounts that do not normally run WinRAR, and correlate with archive size and any follow-on Rclone, WinSCP or Cyberduck execution from the same host.
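The detection logic above, run over a few constructed process-creation events, as an added example that is not part of the original page. It applies the image and switch match exactly as written, then parses the rar command line to separate the Explorer `Add to archive...` form (`-iext -imon1`, selected path after `--`, archive name not on the command line) from scripted use (`-tn`, `-hp`, `-v` and similar on the command line). The Sysmon-style field names (`Image`, `CommandLine`, `ParentImage`, `User`), the sample paths, the placeholder password and the list of scripted-only switch prefixes are assumptions, not telemetry from any incident.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The switch trio from the detection logic, matched case-insensitively on whole tokens.
REQUIRED_SWITCHES = {"-ep1", "-scul", "-r0"}
IMAGE_RE = re.compile(r"\\(winrar|rar)\.exe$", re.IGNORECASE)
# Windows-style split: keep double-quoted spans together, split the rest on whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Switches the Explorer dialog never places on the process command line (it collects the
# password, time filter and volume size after launch). Illustrative list, an assumption.
SCRIPTED_PREFIXES = ("-hp", "-p", "-tn", "-v", "-x")


@dataclass
class Verdict:
    severity: str            # "high" or "medium"
    gui_invoked: bool        # -iext / -imon<n> present: launched by WinRAR's shell extension
    scripted_switches: list  # switches that cannot have come from the GUI dialog
    archive: Optional[str]   # archive name (CLI form only; the dialog asks for it later)
    sources: list            # paths being staged


def tokenize(cmdline: str) -> list:
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def parse_rar_cmdline(cmdline: str) -> dict:
    """Split '<image> <command> [switches] [--] <positionals>' the way rar reads it."""
    tokens = tokenize(cmdline)
    command = tokens[1] if len(tokens) > 1 else ""
    switches, positionals, in_switches = [], [], True
    for tok in tokens[2:]:
        if in_switches and tok == "--":  # '--' ends switch parsing in rar
            in_switches = False
            continue
        if in_switches and tok.startswith("-"):
            switches.append(tok)
        else:
            positionals.append(tok)
    return {"command": command, "switches": switches, "positionals": positionals}


def evaluate(event: dict) -> Optional[Verdict]:
    """Page logic first (image + all three switches), then enrichment for triage.

    `event` is a Sysmon-style process-creation record; the field names are assumed."""
    if not IMAGE_RE.search(event.get("Image", "")):
        return None
    parsed = parse_rar_cmdline(event.get("CommandLine", ""))
    lowered = {s.lower() for s in parsed["switches"]}
    if not REQUIRED_SWITCHES <= lowered:
        return None
    gui = any(s == "-iext" or s.startswith("-imon") for s in lowered)
    scripted = [s for s in parsed["switches"] if s.lower().startswith(SCRIPTED_PREFIXES)]
    parent = event.get("ParentImage", "").lower()
    # GUI launch from Explorer with nothing scripted is the everyday-user shape; anything else
    # (cmd/powershell parent, password or time filter on the command line) is operator-like.
    everyday = gui and not scripted and parent.endswith("\\explorer.exe")
    severity = "medium" if everyday else "high"
    positionals = parsed["positionals"]
    if gui:  # shell-extension form: the selected path follows '--'; archive name comes from the dialog
        return Verdict(severity, True, scripted, None, positionals)
    archive = positionals[0] if positionals else None
    return Verdict(severity, False, scripted, archive, positionals[1:])


# Constructed sample telemetry (not real incident data); paths and password are placeholders.
SAMPLE_EVENTS = [
    {   # scripted staging: time filter and header-encrypted archive written to a staging folder
        "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -tn365d -hpExamplePass -- D:\stage\fin.rar "\\FS01\Finance"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\svc-admin",
    },
    {   # Explorer "Add to archive..." on a user's own documents
        "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -imon1 -- "C:\Users\jdoe\Documents\Q3 report"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"CORP\jdoe",
    },
    {   # console rar without the trio: no match
        "Image": r"C:\Tools\rar.exe",
        "CommandLine": r"rar.exe a -r -m5 backup.rar C:\data",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\backup",
    },
    {   # the strings appear, but the image is not WinRAR: no match
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c echo -ep1 -scul -r0",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"CORP\jdoe",
    },
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["User"], "->", evaluate(ev))
```

The `gui_invoked` flag is what separates a user zipping a report from an operator staging a share; keep it in the alert rather than suppressing GUI hits outright, because an operator on an RDP session uses the same context menu. The `scripted_switches` list is the fastest path to a high-severity escalation, since nothing a user does in the dialog can put those switches on the command line.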
## Related Threat Profiles

- [[Threat Profiles/RaaS/Akira]]
- [[Threat Profiles/RaaS/Qilin]]