Analytics Story: Ryuk Ransomware

Updated Date: 2026-05-13 ID: 507edc74-13d5-4339-878e-b9744ded1f35 Author: Jose Hernandez, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.

Why it matters

Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called Ransomware Activity Targeting the Healthcare and Public Health Sector. This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies. The objective of these malicious campaigns is to infiltrate targets in named sectors and to drop ransomware payloads, which will likely cause disruption of service and increase risk of actual harm to the health and safety of patients at hospitals, even with the aggravant of an ongoing COVID-19 pandemic. This document specifically refers to several crimeware exploitation frameworks, emphasizing the use of Ryuk ransomware as payload. The Ryuk ransomware payload is not new. It has been well documented and identified in multiple variants. Payloads need a carrier, and for Ryuk it has often been exploitation frameworks such as Cobalt Strike, or popular crimeware frameworks such as Emotet or Trickbot.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Windows DisableAntiSpyware Registry	Disable or Modify Tools	TTP
Remote Desktop Network Traffic	Remote Desktop Protocol	Anomaly
WinEvent Scheduled Task Created Within Public Path	Scheduled Task	TTP
Spike in File Writes	None	Anomaly
Common Ransomware Extensions	Data Destruction	TTP
Windows Scheduled Task with Suspicious Command	Scheduled Task	TTP
BCDEdit Failure Recovery Modification	Inhibit System Recovery	TTP
Ryuk Test Files Detected	Data Encrypted for Impact	TTP
WinEvent Scheduled Task Created to Spawn Shell	Scheduled Task	TTP
NLTest Domain Trust Discovery	Domain Trust Discovery	TTP
Windows Scheduled Task with Suspicious Name	Scheduled Task	TTP
Common Ransomware Notes	Data Destruction	Hunting
Ryuk Wake on LAN Command	Windows Command Shell	TTP
Windows Process Execution in Temp Dir	Match Legitimate Resource Name or Location, Create or Modify System Process	Anomaly
Windows Security Account Manager Stopped	Service Stop	TTP
Windows Remote Desktop Network Bruteforce Attempt	Password Guessing	Anomaly
Suspicious Scheduled Task from Public Directory	Scheduled Task	Anomaly
WBAdmin Delete System Backups	Inhibit System Recovery	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
Sysmon EventID 13	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Zeek Conn	Other	`bro:conn:json`	`bro:conn:json`
Windows Event Log Security 4698	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Sysmon EventID 11	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4700	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Windows Event Log Security 4702	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Windows Event Log Security 4688	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Sysmon EventID 1	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
CrowdStrike ProcessRollup2	Other	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon EventID 3	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Cisco Secure Access Firewall	Other	`cisco:cloud_security:firewall`	`cisco_secure_access:firewall`

References

Source: GitHub | Version: 2