Nasreddine Bencherchali
52 lines
1.4 KiB
YAML
52 lines
1.4 KiB
YAML
title: Potential Ryuk Ransomware Activity
|
|
id: c37510b8-2107-4b78-aa32-72f251e7a844
|
|
related:
|
|
- id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
|
|
type: similar
|
|
- id: 0acaad27-9f02-4136-a243-c357202edd74
|
|
type: obsoletes
|
|
status: stable
|
|
description: Detects Ryuk ransomware activity
|
|
references:
|
|
- https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/
|
|
- https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
|
|
author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)
|
|
date: 2019/12/16
|
|
modified: 2023/02/03
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1547.001
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_reg:
|
|
CommandLine|contains|all:
|
|
- 'Microsoft\Windows\CurrentVersion\Run'
|
|
- 'C:\users\Public\'
|
|
selection_del:
|
|
CommandLine|contains|all:
|
|
- 'del /s /f /q c:\'
|
|
- '\*.bac'
|
|
- '\*.bak'
|
|
- '\*.bkf'
|
|
selection_net:
|
|
Image|endswith:
|
|
- '\net.exe'
|
|
- '\net1.exe'
|
|
CommandLine|contains|all:
|
|
- ' stop '
|
|
- ' /y'
|
|
CommandLine|contains:
|
|
- 'samss'
|
|
- 'audioendpointbuilder'
|
|
- 'unistoresvc_'
|
|
- 'AcrSch2Svc'
|
|
condition: 1 of selection_*
|
|
fields:
|
|
- CommandLine
|
|
- ParentCommandLine
|
|
falsepositives:
|
|
- Unlikely
|
|
level: high
|