Back to Intelligence

Ryuk Affiliate Conviction: Active Defense Against Manual Big Game Hunting TTPs

SA
Security Arsenal Team
July 12, 2026
7 min read

The recent guilty plea of Armenian national Karen Serobovich Vardanyan for his role in the Ryuk ransomware attacks between 2019 and 2020 marks a significant legal victory for U.S. authorities. However, for security practitioners, this case serves as a stark reminder of the longevity of specific operational tactics. While Ryuk itself has evolved (largely into what the industry now tracks as Conti or successor variants), the "Big Game Hunting" playbook refined by operators like Vardanyan remains the primary threat model for enterprises in 2026.

Vardanyan admitted to facilitating attacks that targeted critical infrastructure and large organizations. The danger was not just in the encryption payload, but in the sophisticated, hands-on-keyboard (HOK) methodology used to deploy it. Defenders must understand that while the malware hashes change, the human-operated techniques—lateral movement via compromised credentials, manual service disabling, and mass data exfiltration before encryption—are unchanged and actively targeting networks today.

Technical Analysis

The Threat: Manual Ransomware Operations

Unlike automated opportunistic ransomware, the Ryuk operation was a model of precision. The affiliate model utilized by Vardanyan and his cohorts relied on initial access brokers (IABs) to compromise networks (often via vulnerabilities in VPNs or RDP), followed by a manual deployment phase. This allowed the attackers to traverse the network, identify high-value targets, and disable security controls before detonating the ransomware.

Attack Chain Breakdown

  1. Initial Access: While the specific 2019-2020 entry vectors varied, the modern equivalent involves exploiting unpatched edge devices or valid credentials obtained via infostealing malware.
  2. Lateral Movement: Attackers leverage remote services (RDP, SMB) and administrative tools (Windows Management Instrumentation - WMI) to move from entry points to domain controllers.
  3. Defense Evasion: A critical step in the Ryuk playbook—and one still used in 2026—is the mass termination of security and backup services. This is not automated by the malware itself but is executed manually by the operator using native Windows utilities.
  4. Impact: Prior to encryption, the operator typically deletes Volume Shadow Copies to prevent native recovery attempts, ensuring victims have no choice but to engage with the ransomware gang.

Affected Platforms

  • Windows Domain environments: The primary target for "Big Game Hunting."
  • Backup Servers: Specifically targeted for service disruption and data deletion.

Exploitation Status

While the specific binaries used in the 2019-2020 Vardanyan campaign are historic, the Tactics, Techniques, and Procedures (TTPs) are actively exploited in the wild today by successor groups (e.g., BlackBasta, LockBit 4.0). The manual execution of vssadmin, wmic, and bcdedit commands remains a staple of human-operated ransomware.

Detection & Response

Detecting manual ransomware operations requires identifying patterns of administrative abuse rather than just signature-based malware detection. We must hunt for the "pre-encryption" activity where operators disable the environment's ability to heal itself.

SIGMA Rules

YAML
---
title: Ryuk-style Shadow Copy Deletion via Vssadmin
id: 4a8b2c9d-1e3f-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the deletion of system shadow copies using vssadmin, a common precursor to ransomware encryption to prevent recovery.
references:
 - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2026/05/20
tags:
 - attack.impact
 - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: 'delete shadows'
  condition: selection
falsepositives:
  - System administrators manually managing shadow storage (rare)
level: critical
---
title: Mass Service Termination via Net Stop
id: 5b9c3d0e-2f4a-5b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects attempts to stop critical services (backup, AV, security) often seen in manual ransomware deployment.
references:
 - https://attack.mitre.org/techniques/T1489/
author: Security Arsenal
date: 2026/05/20
tags:
 - attack.impact
 - attack.t1489
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\net.exe'
      - '\net1.exe'
  selection_cli:
    CommandLine|contains: ' stop '
  selection_targets:
    CommandLine|contains:
      - 'backup'
      - 'sql'
      - 'exchange'
      - 'veeam'
      - 'vss'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative maintenance windows
level: high
---
title: Recovery Environment Modification via BCD Edit
id: 6c0d4e1f-3g5b-6c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects modification of boot configuration to disable recovery options, a technique used by Ryuk and successors to prevent safe mode recovery.
references:
 - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/05/20
tags:
 - attack.defense_evasion
 - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\bcdedit.exe'
    CommandLine|contains:
      - 'recoveryenabled No'
      - 'ignoreallfailures'
  condition: selection
falsepositives:
  - System boot configuration changes by IT staff
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Ryuk-style pre-encryption activity
// Looks for vssadmin deletion, service stopping, and bcdedit changes within a short timeframe
let TimeFrame = 1h;
let SuspiciousProcesses = 
  DeviceProcessEvents
  | where Timestamp > ago(TimeFrame)
  | where (FileName in~ ("vssadmin.exe", "bcdedit.exe") 
          or (FileName in~ ("net.exe", "net1.exe") and CommandLine has " stop "));
let ShadowCopyDeletion = 
  SuspiciousProcesses
  | where FileName == "vssadmin.exe" and CommandLine has "delete";
let ServiceStop = 
  SuspiciousProcesses
  | where FileName in~ ("net.exe", "net1.exe") 
  | where CommandLine has_any ("backup", "sql", "exchange", "veeam", "security");
let BootConfigEdit = 
  SuspiciousProcesses
  | where FileName == "bcdedit.exe" 
  | where CommandLine has_any ("recoveryenabled", "ignoreallfailures");
union ShadowCopyDeletion, ServiceStop, BootConfigEdit
| summarize count(), arg_max(Timestamp, *) by DeviceId, AccountName
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessAccountName

Velociraptor VQL

VQL — Velociraptor
-- Hunt for evidence of ransomware precursor activities
-- Targeting vssadmin usage, service termination, and recovery tampering
SELECT 
  Timestamp, 
  Username, 
  Name AS ProcessName, 
  CommandLine, 
  Exe
FROM process_scan(pslist())
WHERE 
  Name =~ 'vssadmin.exe' AND CommandLine =~ 'delete'
  OR Name =~ 'net.exe' AND CommandLine =~ 'stop' AND CommandLine =~ '(backup|sql|exchange|veeam)'
  OR Name =~ 'bcdedit.exe' AND CommandLine =~ '(recoveryenabled|ignoreallfailures)'
ORDER BY Timestamp DESC

Remediation Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    Audit and Harden systems against Ransomware "Big Game Hunting" techniques.
.DESCRIPTION
    Checks for active RDP sessions (common lateral move vector), 
    ensures VSS service is running, and audits local administrators.
#>

Write-Host "[+] Starting Ransomware Hardening Audit..." -ForegroundColor Cyan

# 1. Audit Active RDP Sessions (Lateral Movement Check)
Write-Host "[*] Checking for active RDP sessions..." -ForegroundColor Yellow
$rdpSessions = query user | Select-Object -Skip 1
if ($rdpSessions) {
    Write-Host "[!] Active RDP sessions found. Verify these are authorized:" -ForegroundColor Red
    $rdpSessions
} else {
    Write-Host "[+] No active RDP sessions detected." -ForegroundColor Green
}

# 2. Ensure Volume Shadow Copy Service is Running (Recovery)
Write-Host "[*] Verifying VSS Service Status..." -ForegroundColor Yellow
$vssService = Get-Service -Name VSS -ErrorAction SilentlyContinue
if ($vssService.Status -ne 'Running') {
    Write-Host "[!] VSS Service is not running. Attempting to start..." -ForegroundColor Red
    try {
        Start-Service -Name VSS -ErrorAction Stop
        Write-Host "[+] VSS Service started successfully." -ForegroundColor Green
    } catch {
        Write-Host "[!] Failed to start VSS Service." -ForegroundColor Red
    }
} else {
    Write-Host "[+] VSS Service is running." -ForegroundColor Green
}

# 3. Audit Local Group Membership for Privilege Escalation paths
Write-Host "[*] Auditing Local Administrators group..." -ForegroundColor Yellow
$admins = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue
Write-Host "[+] Current Local Administrators:" -ForegroundColor Green
foreach ($admin in $admins) {
    Write-Host ("    - {0} ({1})" -f $admin.Name, $admin.SID.Value)
}

Write-Host "[+] Audit Complete." -ForegroundColor Cyan

Remediation

The conviction of Vardanyan highlights the human element of these attacks. Defense requires reducing the effectiveness of valid credentials and detecting abnormal administrative behavior.

Immediate Actions:

  1. Implement Strict RDP Controls: The Ryuk operators heavily relied on RDP for lateral movement. Enforce ZTNA (Zero Trust Network Access) or VPNs with MFA for all remote access. Place RDP behind a bastion host and strictly audit inbound connections.
  2. Disable Unnecessary Services: Review internet-facing services. If an organization was compromised in 2019 due to open RDP or vulnerable VPN gateways, ensure those attack surfaces are closed or replaced with modern, secure alternatives.
  3. Service Account Hygiene: Ensure service accounts (especially for SQL, Backup, and Directory services) do not have local administrative rights on workstations or excessive domain privileges. Use Managed Service Accounts (gMSA) where possible.
  4. Immutable Backups: The primary goal of Ryuk's precursor scripts is to destroy backups. Ensure you have offline or immutable (WORM) backup storage that cannot be accessed or deleted even if the domain admin is compromised.

Strategic Improvements:

  • Behavioral Analytics: Deploy EDR solutions that can detect sequential command-line execution (e.g., running net stop on 5 different services in 10 seconds), which is a hallmark of manual ransomware operators.
  • Least Privilege Access (LPA): Revoke administrative rights from standard user accounts. The "Over-Privileged User" is the single biggest enabler of Big Game Hunting ransomware spread.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirryukthreat-huntingir

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.