{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/actors/ryuk/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Ryuk"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","registry-modification","ransomware","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis threat brief addresses the disabling of Windows Defender by modifying the \u003ccode\u003eDisableAntiSpyware\u003c/code\u003e registry key. This is a common tactic used by ransomware actors, including Ryuk, to disable endpoint protection and facilitate malicious activities. The modification involves setting the registry value \u003ccode\u003eDisableAntiSpyware\u003c/code\u003e to \u003ccode\u003e0x00000001\u003c/code\u003e. This activity is significant because it directly impairs a critical security control, potentially allowing attackers to deploy ransomware, exfiltrate data, or further compromise the system without interference from the endpoint antivirus. The registry modification is typically performed post-exploitation, after an attacker has already gained initial access and established a foothold. Defenders must monitor registry modifications to detect and prevent this form of defense evasion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the target system, potentially via PowerShell or cmd.exe.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the \u003ccode\u003eDisableAntiSpyware\u003c/code\u003e registry key location.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell\u0026rsquo;s \u003ccode\u003eSet-ItemProperty\u003c/code\u003e to modify the registry key \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\DisableAntiSpyware\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDisableAntiSpyware\u003c/code\u003e value is set to \u003ccode\u003e0x00000001\u003c/code\u003e, disabling Windows Defender.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies that Windows Defender is disabled by checking its status.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with lateral movement, privilege escalation, or data exfiltration without AV interference.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker deploys ransomware, encrypting files and demanding ransom payment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of Windows Defender allows attackers to operate unimpeded on the compromised system. This can lead to the complete encryption of critical files, resulting in significant data loss and operational disruption. Organizations affected by Ryuk ransomware have experienced substantial financial losses, reputational damage, and extensive recovery efforts. Disabling antivirus solutions is a common step in ransomware deployment, increasing the likelihood of a successful attack and maximizing the damage caused.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Windows Defender DisableAntiSpyware Registry Modification\u003c/code\u003e to your SIEM to identify registry modifications indicative of this attack.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 logging to capture registry modification events on endpoints.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eDetect Suspicious Process Modifying Windows Defender Registry\u003c/code\u003e to determine the legitimacy of the registry change.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to prevent unauthorized registry modifications.\u003c/li\u003e\n\u003cli\u003eMonitor endpoints for unusual process behavior after the registry key is modified.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-disable-antivirus-registry/","summary":"An attacker modifies the Windows Registry key 'DisableAntiSpyware' to disable Windows Defender, a technique commonly associated with Ryuk ransomware to evade defenses.","title":"Windows Defender Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-antivirus-registry/"}],"language":"en","title":"CraftedSignal Threat Feed — Ryuk","version":"https://jsonfeed.org/version/1.1"}