

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, stopping of the Security Account Manager, DisableAntiSpyware registry key modification, suspicious PsExec use, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2020-11-06
  • Author: Jose Hernandez, Splunk
  • ID: 507edc74-13d5-4339-878e-b9744ded1f35


The Cybersecurity and Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th, titled "Ransomware Activity Targeting the Healthcare and Public Health Sector". This alert details TTPs associated with ongoing and possibly imminent attacks against the healthcare sector, and is a joint advisory issued in coordination with other U.S. Government agencies. The objective of these malicious campaigns is to infiltrate targets in the named sectors and to drop ransomware payloads, which will likely cause disruption of service and increase the risk of actual harm to the health and safety of patients at hospitals, a risk aggravated by the ongoing COVID-19 pandemic. The alert specifically refers to several crimeware exploitation frameworks, emphasizing the use of Ryuk ransomware as the payload. The Ryuk ransomware payload is not new. It has been well documented and identified in multiple variants. Payloads need a carrier, and for Ryuk it has often been exploitation frameworks such as Cobalt Strike, or popular crimeware frameworks such as Emotet or Trickbot.


| Name | Technique | Type |
|------|-----------|------|
| Windows connhost exe started forcefully | Windows Command Shell | TTP |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP |
| Common Ransomware Extensions | Data Destruction | Hunting |
| Common Ransomware Notes | Data Destruction | Hunting |
| NLTest Domain Trust Discovery | Domain Trust Discovery | TTP |
| Ryuk Test Files Detected | Data Encrypted for Impact | TTP |
| Ryuk Wake on LAN Command | Command and Scripting Interpreter, Windows Command Shell | TTP |
| Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly |
| WBAdmin Delete System Backups | Inhibit System Recovery | TTP |
| Windows DisableAntiSpyware Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Security Account Manager Stopped | Service Stop | TTP |
| WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task, Scheduled Task/Job | TTP |
| WinEvent Scheduled Task Created Within Public Path | Scheduled Task, Scheduled Task/Job | TTP |
| Spike in File Writes | None | Anomaly |
| Remote Desktop Network Bruteforce | Remote Desktop Protocol, Remote Services | TTP |
| Remote Desktop Network Traffic | Remote Desktop Protocol, Remote Services | Anomaly |


Version: 1