Potential Ryuk Ransomware Activity

Detects Ryuk ransomware activity

Sigma rule

```yaml
title: Potential Ryuk Ransomware Activity
id: c37510b8-2107-4b78-aa32-72f251e7a844
related:
    - id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
      type: similar
    - id: 0acaad27-9f02-4136-a243-c357202edd74
      type: obsolete
status: stable
description: Detects Ryuk ransomware activity
references:
    - https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/
    - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)
date: 2019-12-16
modified: 2023-02-03
tags:
    - attack.persistence
    - attack.t1547.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg:
        CommandLine|contains|all:
            - 'Microsoft\Windows\CurrentVersion\Run'
            - 'C:\users\Public\'
    selection_del:
        CommandLine|contains|all:
            - 'del /s /f /q c:\'
            - '\*.bac'
            - '\*.bak'
            - '\*.bkf'
    selection_net:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains|all:
            - ' stop '
            - ' /y'
        CommandLine|contains:
            - 'samss'
            - 'audioendpointbuilder'
            - 'unistoresvc_'
            - 'AcrSch2Svc'
    condition: 1 of selection_*
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unlikely
level: high
```
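As an added example (not the rule's own tooling and not a Sigma backend), the following Python evaluates the three selections above against constructed process_creation events. It treats matching as case-insensitive, as Sigma does by default, and reads the rule's `\*` as an escaped literal asterisk; the event layout and service names in the samples are assumptions for illustration.

```python
def _contains_all(value, needles):
    """Sigma 'contains|all': every needle appears (case-insensitive by default)."""
    v = value.lower()
    return all(n.lower() in v for n in needles)

def _contains_any(value, needles):
    """Sigma 'contains' with a list: any needle appears."""
    v = value.lower()
    return any(n.lower() in v for n in needles)

def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def matched_selections(event):
    """Return the names of the rule's selections satisfied by one process_creation event."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "")
    hits = []
    if _contains_all(cmd, ["Microsoft\\Windows\\CurrentVersion\\Run", "C:\\users\\Public\\"]):
        hits.append("selection_reg")
    # In Sigma, '\*' is an escaped literal asterisk, so the rule matches the text "*.bac" etc.
    if _contains_all(cmd, ["del /s /f /q c:\\", "*.bac", "*.bak", "*.bkf"]):
        hits.append("selection_del")
    if (_endswith_any(image, ["\\net.exe", "\\net1.exe"])
            and _contains_all(cmd, [" stop ", " /y"])
            and _contains_any(cmd, ["samss", "audioendpointbuilder", "unistoresvc_", "AcrSch2Svc"])):
        hits.append("selection_net")
    return hits

def rule_matches(event):
    """condition: 1 of selection_* -> fires when at least one selection matches."""
    return bool(matched_selections(event))

# Constructed sample events (not real telemetry); the last one should not match.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net stop samss /y"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c del /s /f /q c:\\*.bac c:\\*.bak c:\\*.bkf"},
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                    "/v svc /d C:\\users\\Public\\svc.exe"},
    {"Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net stop spooler /y"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(matched_selections(ev) or "no match", "<-", ev["CommandLine"])
```

The fourth sample shows the rule's intent: a `net stop ... /y` alone is not enough, one of the listed service names must also be present.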
