Potential Ryuk Ransomware Activity

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.t1547.001 detection.emerging-threats  ·
Share on: linkedin copy

Detects Ryuk ransomware activity

Sigma rule (View on GitHub)

 1title: Potential Ryuk Ransomware Activity
 2id: c37510b8-2107-4b78-aa32-72f251e7a844
 3related:
 4    - id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
 5      type: similar
 6    - id: 0acaad27-9f02-4136-a243-c357202edd74
 7      type: obsolete
 8status: stable
 9description: Detects Ryuk ransomware activity
10references:
11    - https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/
12    - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
13author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)
14date: 2019-12-16
15modified: 2023-02-03
16tags:
17    - attack.privilege-escalation
18    - attack.persistence
19    - attack.t1547.001
20    - detection.emerging-threats
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection_reg:
26        CommandLine|contains|all:
27            - 'Microsoft\Windows\CurrentVersion\Run'
28            - 'C:\users\Public\'
29    selection_del:
30        CommandLine|contains|all:
31            - 'del /s /f /q c:\'
32            - '\*.bac'
33            - '\*.bak'
34            - '\*.bkf'
35    selection_net:
36        Image|endswith:
37            - '\net.exe'
38            - '\net1.exe'
39        CommandLine|contains|all:
40            - ' stop '
41            - ' /y'
42        CommandLine|contains:
43            - 'samss'
44            - 'audioendpointbuilder'
45            - 'unistoresvc_'
46            - 'AcrSch2Svc'
47    condition: 1 of selection_*
48fields:
49    - CommandLine
50    - ParentCommandLine
51falsepositives:
52    - Unlikely
53level: high

References

Related rules

to-top