title: Ryuk Ransomware
id: 0acaad27-9f02-4136-a243-c357202edd74
description: Detects Ryuk Ransomware command lines
status: experimental
references:
    - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
author: Vasiliy Burov
date: 2019/08/06
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - '*\net.exe stop "samss" *'
            - '*\net.exe stop "audioendpointbuilder" *'
            - '*\net.exe stop "unistoresvc_?????" *'
    condition: selection
falsepositives:
    - Unlikely
level: critical