Introduction
A 34-year-old Armenian man has recently pleaded guilty in the U.S. to hacking companies and deploying Ryuk ransomware, facing up to 15 years in prison. This legal milestone underscores the persistence of the "Big Game Hunting" tactics associated with the Ryuk operation. While this specific actor faces justice, the Ryuk source code and its sophisticated manual attack techniques remain in circulation among threat actors. Defenders must move beyond basic signature matching and focus on the behavioral indicators of human-operated ransomware to prevent encryption and data loss.
Technical Analysis
Ryuk is not an automated worm; it is a human-operated ransomware-as-a-service (RaaS) model that involves manual hands-on-keyboard activity after initial access is achieved.
- Initial Access: Historically facilitated by TrickBot or Emotet trojans, or via brute-forced RDP credentials.
- Lateral Movement: Adversaries use tools like
PsExec,WMIC, and SMB shares to move laterally through the network, often leveraging compromised credentials. - Execution & Preparation: Before encryption, Ryuk actors rigorously prepare the environment to prevent recovery. This includes:
- Stopping Services: Terminating database, backup, and security-related services.
- Deleting Shadow Copies: Using
vssadmin.exeto remove volume shadow copies, preventing easy file restoration. - Clearing Logs: Utilizing
wevtutil.exeto clear Windows Event Logs to hinder forensic analysis.
- Encryption: Ryuk uses a combination of AES-256 and RSA-4096 to encrypt files, targeting critical network resources and backup servers.
Detection & Response
Detecting Ryuk requires identifying the preparatory actions that occur immediately before encryption. The following rules target the specific behaviors associated with Ryuk attack chains.
Sigma Rules
---
title: Potential Ryuk Preparation - VSS Shadow Copy Deletion
id: 5a1b2c3d-4e5f-6789-0a1b-2c3d4e5f6789
status: experimental
description: Detects the deletion of Volume Shadow Copies via vssadmin, a common precursor to Ryuk encryption.
references:
- https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\vssadmin.exe'
CommandLine|contains: 'delete shadows'
condition: selection
falsepositives:
- System administration tasks (rare)
level: high
---
title: Potential Ryuk Preparation - Windows Event Log Clearing
id: 6b2c3d4e-5f6a-7890-1b2c-3d4e5f67890a
status: experimental
description: Detects attempts to clear Windows Event Logs using wevtutil, often performed by Ryuk operators to evade forensics.
references:
- https://attack.mitre.org/techniques/T1070/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.defense_evasion
- attack.t1070.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\wevtutil.exe'
CommandLine|contains: 'cl'
condition: selection
falsepositives:
- Legitimate system maintenance scripts
level: high
---
title: Potential Ryuk Lateral Movement - WMIC Process Termination
id: 7c3d4e5f-6a7b-8901-2c3d-4e5f67890ab1
status: experimental
description: Detects WMIC terminating processes, a technique used by Ryuk to stop security or backup software before encryption.
references:
- https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1059.005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\wmic.exe'
CommandLine|contains:
- 'process where'
- 'call terminate'
condition: selection
falsepositives:
- Administrative troubleshooting
level: medium
KQL (Microsoft Sentinel)
// Hunt for Ryuk precursor activities: VSS Deletion, Log Clearing, and Process Termination
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (ProcessCommandLine contains "delete shadows" and FileName =~ "vssadmin.exe")
or (ProcessCommandLine contains " cl " and FileName =~ "wevtutil.exe")
or (ProcessCommandLine contains "call terminate" and FileName =~ "wmic.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc
Velociraptor VQL
-- Hunt for Ryuk precursor commands on endpoints
SELECT
timestamp(System.Time) as EventTime,
Name as ProcessName,
CommandLine,
Username,
Exe
FROM process_evts(pids=pid)
WHERE
Name =~ "vssadmin.exe" AND CommandLine =~ "delete shadows"
OR Name =~ "wevtutil.exe" AND CommandLine =~ "cl "
OR Name =~ "wmic.exe" AND CommandLine =~ "call terminate"
Remediation Script (PowerShell)
# Ryuk Response Hardening Script
# Run as Administrator on critical assets to harden against common Ryuk vectors
Write-Host "Starting Ryuk Hardening Procedures..." -ForegroundColor Cyan
# 1. Disable unused administrative shares (IPC$, C$, Admin$) if not strictly required
Write-Host "Checking Administrative Shares..." -ForegroundColor Yellow
$shares = Get-SmbShare | Where-Object { $_.Name -match '^(C|D|E|ADMIN|IPC)$' -and $_.ScopeName -eq '*' }
if ($shares) {
Write-Host "Warning: Administrative shares found. Consider restricting access via firewall." -ForegroundColor Red
}
# 2. Ensure VSS Service is running and protected (Ryuk deletes shadows)
Write-Host "Verifying VSS Service Status..." -ForegroundColor Yellow
$vss = Get-Service -Name VSS -ErrorAction SilentlyContinue
if ($vss) {
if ($vss.Status -ne 'Running') { Start-Service -Name VSS }
Write-Host "VSS Service is $($vss.Status)." -ForegroundColor Green
}
# 3. Audit WMI Namespace Security (WMIC exploitation)
Write-Host "Auditing WMI Repository..." -ForegroundColor Yellow
try {
Get-WmiObject -Namespace root/cimv2 -Class __Win32Provider | Select-Object Name, @{L='HostingModel';E={$_.HostingModel}} | Format-Table
} catch {
Write-Host "Error accessing WMI Repository." -ForegroundColor Red
}
# 4. Check for RDP Users (Common Ryuk lateral move)
Write-Host "Checking RDP Configuration..." -ForegroundColor Yellow
$rdpProp = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -ErrorAction SilentlyContinue
if ($rdpProp.fDenyTSConnections -eq 0) {
Write-Host "WARNING: RDP is Enabled. Ensure Network Level Authentication (NLA) is enforced and access is restricted." -ForegroundColor Red
} else {
Write-Host "RDP is Disabled." -ForegroundColor Green
}
Write-Host "Hardening Script Complete." -ForegroundColor Cyan
Remediation
In the event of a Ryuk infection or suspicion based on the above detections:
- Isolate: Immediately isolate affected hosts from the network to prevent lateral movement. Do not reboot systems, as this may destroy volatile evidence (memory).
- Identify Persistence: Hunt for scheduled tasks or registry run keys established by the actor. Ryuk often establishes persistence via scheduled tasks to maintain access if encryption fails.
- Credential Reset: Assume credentials are compromised. Force a password reset for all domain and local administrator accounts used on affected systems.
- Verify Backups: Ensure backups are offline and uncompromised. Ryuk actors specifically target backup software and shadow copies.
- Block RDP: Restrict RDP access strictly via VPN or bastion hosts with MFA. Open RDP to the internet is a primary vector for initial access.
- Investigate: Re-image compromised systems rather than attempting to clean them, as manual human-operated attacks often leave multiple backdoors.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.