WannaCry Ransomware Activity
Detects WannaCry ransomware activity on Windows hosts from process-creation telemetry: execution of its known dropper and component image names, or a command line that references the ransom note @Please_Read_Me@.txt.
Sigma rule
```yaml
title: WannaCry Ransomware Activity
id: 41d40bff-377a-43e2-8e1b-2e543069e079
status: test
description: Detects WannaCry ransomware activity
references:
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
    - https://x.com/nas_bench/status/1868639048484425963
author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
date: 2019-01-16
modified: 2025-10-18
tags:
    - attack.lateral-movement
    - attack.t1210
    - attack.discovery
    - attack.t1083
    - attack.defense-evasion
    - attack.t1222.001
    - attack.impact
    - attack.t1486
    - attack.t1490
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\tasksche.exe'
              - '\mssecsvc.exe'
              - '\taskdl.exe'
              - '\taskhsvc.exe'
              - '\taskse.exe'
              - '\111.exe'
              - '\lhdfrgui.exe'
              # - '\diskpart.exe' # cannot be used in a rule of level critical
              - '\linuxnew.exe'
              - '\wannacry.exe'
        - Image|contains: 'WanaDecryptor'
    selection_cmd:
        CommandLine|contains: '@Please_Read_Me@.txt'
    condition: 1 of selection_*
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: critical
```
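To make the matching semantics concrete, here is an added example (not part of the SigmaHQ rule or its repository) that evaluates the rule's three selections against a handful of constructed process-creation events. It follows Sigma defaults that the YAML itself leaves implicit: string comparisons are case-insensitive, `selection_img` is a list of two maps so either map matching is enough, and `1 of selection_*` means any one selection fires the rule. The event field names (`Image`, `CommandLine`) come from the rule; the sample paths and the `id` field on each event are invented for the demonstration, and the commented-out `diskpart.exe` entry is deliberately left out so that a diskpart launch does not match.

```python
"""
Added example: a minimal evaluator for the WannaCry Sigma rule above.
Not the project's code; assumes Sigma default (case-insensitive) matching.
"""

# Values copied from the rule's detection block. The rule comments out
# '\diskpart.exe', so it is intentionally absent here.
IMAGE_ENDSWITH = [
    "\\tasksche.exe",
    "\\mssecsvc.exe",
    "\\taskdl.exe",
    "\\taskhsvc.exe",
    "\\taskse.exe",
    "\\111.exe",
    "\\lhdfrgui.exe",
    "\\linuxnew.exe",
    "\\wannacry.exe",
]
IMAGE_CONTAINS = ["WanaDecryptor"]
CMDLINE_CONTAINS = ["@Please_Read_Me@.txt"]


def selection_img(event: dict) -> bool:
    """selection_img is a YAML list of two maps: either map may match."""
    image = event.get("Image", "").lower()
    by_suffix = any(image.endswith(s.lower()) for s in IMAGE_ENDSWITH)
    by_substring = any(s.lower() in image for s in IMAGE_CONTAINS)
    return by_suffix or by_substring


def selection_cmd(event: dict) -> bool:
    """selection_cmd: ransom-note filename anywhere on the command line."""
    cmd = event.get("CommandLine", "").lower()
    return any(s.lower() in cmd for s in CMDLINE_CONTAINS)


def matched_selections(event: dict) -> list:
    """Names of the selections that fire for one event (for triage context)."""
    hits = []
    if selection_img(event):
        hits.append("selection_img")
    if selection_cmd(event):
        hits.append("selection_cmd")
    return hits


def matches(event: dict) -> bool:
    """condition: 1 of selection_*  -> at least one selection must match."""
    return bool(matched_selections(event))


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"id": "e1", "Image": "C:\\Windows\\tasksche.exe",
     "CommandLine": "tasksche.exe /i"},
    {"id": "e2", "Image": "C:\\Users\\victim\\Desktop\\@WanaDecryptor@.exe",
     "CommandLine": "@WanaDecryptor@.exe co"},
    {"id": "e3", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /c type "C:\\Users\\victim\\@Please_Read_Me@.txt"'},
    # diskpart is commented out in the rule, so this legitimate admin tool
    # must not match.
    {"id": "e4", "Image": "C:\\Windows\\System32\\diskpart.exe",
     "CommandLine": "diskpart.exe /s script.txt"},
    {"id": "e5", "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    # Upper-case image name: still matches because Sigma compares
    # case-insensitively.
    {"id": "e6", "Image": "C:\\Temp\\TASKSCHE.EXE",
     "CommandLine": "TASKSCHE.EXE"},
    # The leading backslash in '\tasksche.exe' means a different file name
    # that merely ends in "tasksche.exe" does not match.
    {"id": "e7", "Image": "C:\\Temp\\mytasksche.exe",
     "CommandLine": "mytasksche.exe"},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], matched_selections(e) or "-")
    print("alerts:", run())
```

Running the script prints which selection fired for each event; e1, e2, e3 and e6 alert, while the diskpart, svchost and `mytasksche.exe` events do not. The last case is worth noting for anyone tuning this rule: dropping the leading backslash from the `endswith` values would widen the match to any image whose name merely ends in those strings.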
Related rules
- Audit CVE Event
- Turla Group Lateral Movement
- Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
- Suspicious Volume Shadow Copy Vssapi.dll Load
- Suspicious Volume Shadow Copy VSS_PS.dll Load