Endpoint Standard: What are the Recommended Rules for Preventing and Detecting RYUK Ransomware?

Article ID: 291588

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

What are the Recommended Rules for Preventing RYUK Ransomware?

Environment

  • Carbon Black Cloud: All Versions (formerly Predictive Security Cloud)
    • Endpoint Standard

Resolution

| PROCESS | OPERATION ATTEMPT | ACTION |
| --- | --- | --- |
| Known Malware | Runs or is running | Terminate |
| Suspect Malware | Runs or is running | Terminate |
| Not listed application | Performs ransomware-like behavior | Terminate |
| Unknown application or process | Performs ransomware-like behavior | Terminate |
| **\psexec.exe | Runs or is running | Terminate |
| **\psexesvc.exe | Runs or is running | Terminate |
| **\Users\*\AppData\Local\*\*.exe | Runs or is running | Terminate |
| C:\users\public\** | Runs or is running | Terminate |
| **\cmd.exe | Executes a fileless script | Terminate |
| **\cmd.exe | Executes code from memory | Terminate |
| **\cmd.exe | Invokes a command interpreter | Deny |
| **\runtimebroker.exe | Invokes a command interpreter | Deny |
| **\powershell.exe | Invokes a command interpreter | Deny |
| **\powershell.exe | Executes a fileless script | Terminate |
| **\powershell.exe | Executes code from memory | Terminate |
| **\bitsadmin.exe | Runs or is running | Terminate |
| **\icacls.exe | Runs or is running | Terminate |
| **\schtasks.exe | Runs or is running | Terminate |

If "psexec" is required to run, replace the two psexec "Runs or is running" rows with:

| PROCESS | OPERATION ATTEMPT | ACTION |
| --- | --- | --- |
| **\psexec.exe | Communicates over the network | Deny/Terminate |
| **\psexesvc.exe | Communicates over the network | Deny/Terminate |
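To dry-run the path-based "Runs or is running" rows above against candidate process paths before pushing them to a production policy, here is an added Python helper; it is not Carbon Black code. It assumes `**` spans any number of directory levels, `*` stays within one path segment, and matching is case-insensitive, as Windows paths are.

```python
import re

# Path-based "Runs or is running" rows transcribed from the table above.
RULES = [
    ("**\\psexec.exe", "Terminate"),
    ("**\\psexesvc.exe", "Terminate"),
    ("**\\Users\\*\\AppData\\Local\\*\\*.exe", "Terminate"),
    ("C:\\users\\public\\**", "Terminate"),
    ("**\\bitsadmin.exe", "Terminate"),
    ("**\\icacls.exe", "Terminate"),
    ("**\\schtasks.exe", "Terminate"),
]

def pattern_to_regex(pattern):
    """Translate a rule path pattern into an anchored regex.

    Assumed semantics: '**' spans any number of directory levels,
    '*' matches within a single path segment, and the comparison is
    case-insensitive because Windows paths are.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def matching_rules(process_path):
    """Return the (pattern, action) rows that would fire for process_path."""
    return [(p, a) for p, a in RULES if pattern_to_regex(p).match(process_path)]

if __name__ == "__main__":
    # Constructed sample paths; none are observations from a real host.
    for path in [
        r"C:\Windows\System32\schtasks.exe",
        r"C:\Users\alice\AppData\Local\Temp\update.exe",
        r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
        r"C:\Users\Public\Downloads\PsExec64.exe",
    ]:
        print(path, "->", matching_rules(path) or "no path rule")
```

The third sample shows that the AppData rule, as written, covers only one directory level below `Local`, while the fourth shows a renamed PsExec binary is caught by the `C:\users\public\**` row rather than the psexec row.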

Additional Information

Ryuk has previously been prevented and detected across Carbon Black products using the guidance at: https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-Ryuk-Ransomware/ta-p/45904

VMware Carbon Black recommends testing new rules in a test environment, ideally before an outbreak needs mitigating, in order to prevent adverse effects in a production environment.