SigmaHQ/rules/windows/malware/win_mal_ryuk.yml

title: Ryuk Ransomware
id: 0acaad27-9f02-4136-a243-c357202edd74
description: Detects Ryuk Ransomware command lines
status: experimental
references:
    - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
author: Vasiliy Burov
date: 2019/08/06
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'net.exe'
            - 'stop'
        CommandLine|contains:
            - 'samss'
            - 'audioendpointbuilder'
            - 'unistoresvc_?????'
    condition: selection
falsepositives:
    - Unlikely
level: critical