Try in Splunk Security Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2020-11-06
  • Author: Jose Hernandez, Splunk
  • ID: 507edc74-13d5-4339-878e-b9744ded1f35

Narrative

Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called “Ransomware Activity Targeting the Healthcare and Public Health Sector.” This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies. The objective of these malicious campaigns is to infiltrate targets in named sectors and to drop ransomware payloads, which will likely cause disruption of service and increase risk of actual harm to the health and safety of patients at hospitals, even with the aggravant of an ongoing COVID-19 pandemic. This document specifically refers to several crimeware exploitation frameworks, emphasizing the use of Ryuk ransomware as payload. The Ryuk ransomware payload is not new. It has been well documented and identified in multiple variants. Payloads need a carrier, and for Ryuk it has often been exploitation frameworks such as Cobalt Strike, or popular crimeware frameworks such as Emotet or Trickbot.

Detections

Name Technique Type
BCDEdit Failure Recovery Modification Inhibit System Recovery TTP
Common Ransomware Extensions Data Destruction Hunting
Common Ransomware Notes Data Destruction Hunting
NLTest Domain Trust Discovery Domain Trust Discovery TTP
Remote Desktop Network Bruteforce Remote Desktop Protocol, Remote Services TTP
Remote Desktop Network Traffic Remote Desktop Protocol, Remote Services Anomaly
Ryuk Test Files Detected Data Encrypted for Impact TTP
Ryuk Wake on LAN Command Command and Scripting Interpreter, Windows Command Shell TTP
Spike in File Writes   Anomaly
Suspicious Scheduled Task from Public Directory Scheduled Task, Scheduled Task/Job Anomaly
WBAdmin Delete System Backups Inhibit System Recovery TTP
WinEvent Scheduled Task Created Within Public Path Scheduled Task, Scheduled Task/Job TTP
WinEvent Scheduled Task Created to Spawn Shell Scheduled Task, Scheduled Task/Job TTP
Windows DisableAntiSpyware Registry Disable or Modify Tools, Impair Defenses TTP
Windows Security Account Manager Stopped Service Stop TTP

Reference

source | version: 1