Ryuk Ransomware

Try in Splunk Security Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Traffic
• Last Updated: 2020-11-06
• Author: Jose Hernandez, Splunk
• ID: 507edc74-13d5-4339-878e-b9744ded1f35

Narrative

Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called Ransomware Activity Targeting the Healthcare and Public Health Sector. This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies. The objective of these malicious campaigns is to infiltrate targets in named sectors and to drop ransomware payloads, which will likely cause disruption of service and increase risk of actual harm to the health and safety of patients at hospitals, even with the aggravant of an ongoing COVID-19 pandemic. This document specifically refers to several crimeware exploitation frameworks, emphasizing the use of Ryuk ransomware as payload. The Ryuk ransomware payload is not new. It has been well documented and identified in multiple variants. Payloads need a carrier, and for Ryuk it has often been exploitation frameworks such as Cobalt Strike, or popular crimeware frameworks such as Emotet or Trickbot.

Detections

Name	Technique	Type
BCDEdit Failure Recovery Modification	Inhibit System Recovery	TTP
BCDEdit Failure Recovery Modification	Inhibit System Recovery	TTP
Common Ransomware Extensions	Data Destruction	Hunting
Common Ransomware Notes	Data Destruction	Hunting
NLTest Domain Trust Discovery	Domain Trust Discovery	TTP
Remote Desktop Network Bruteforce	Remote Desktop Protocol, Remote Services	TTP
Remote Desktop Network Traffic	Remote Desktop Protocol, Remote Services	Anomaly
Ryuk Test Files Detected	Data Encrypted for Impact	TTP
Ryuk Wake on LAN Command	Command and Scripting Interpreter, Windows Command Shell	TTP
Spike in File Writes		Anomaly
Suspicious Scheduled Task from Public Directory	Scheduled Task, Scheduled Task/Job	Anomaly
WBAdmin Delete System Backups	Inhibit System Recovery	TTP
WBAdmin Delete System Backups	Inhibit System Recovery	TTP
WinEvent Scheduled Task Created Within Public Path	Scheduled Task, Scheduled Task/Job	TTP
WinEvent Scheduled Task Created to Spawn Shell	Scheduled Task, Scheduled Task/Job	TTP
Windows DisableAntiSpyware Registry	Disable or Modify Tools, Impair Defenses	TTP
Windows Security Account Manager Stopped	Service Stop	TTP
Windows connhost exe started forcefully	Windows Command Shell	TTP

Reference

• https://www.splunk.com/en_us/blog/security/detecting-ryuk-using-splunk-attack-range.html
• https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
• https://us-cert.cisa.gov/ncas/alerts/aa20-302a

source | version: 1