Service Stop, Technique T1489 - Enterprise
Akira _v2 can stop running virtual machines.[7][8][9]
Avaddon looks for and attempts to stop database processes.[10]
AvosLocker has terminated specific processes before encryption.[11]
Babuk can stop specific services related to backups.[12][13][14]
BlackByte 2.0 Ransomware can terminate running services.[15]
BlackCat has the ability to stop VM services on compromised networks.[16][17]
BRICKSTORM has terminated an existing process to ensure that its own new process can execute.[18]
Cheerscrypt has the ability to terminate VM processes on compromised hosts through execution of esxcli vm process kill.[19]
Clop can kill several processes and services related to backups and security solutions.[20][21]
Conti can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop.[22]
Cuba has a hardcoded list of services and processes to terminate.[23]
Diavol will terminate services using the Service Control Manager (SCM) API.[24]
DRYHOOK has terminated all instances of the cgi-server process before activating the modified DSAuth.pm file.[25]
EKANS stops database, data backup solution, antivirus, and ICS-related processes.[26][27][28]
Embargo has terminated active processes and services based on a hardcoded list using the CloseServiceHandle() function.[29] Embargo has also leveraged MS4Killer to terminate processes contained in an embedded list of security software process names that were XOR-encrypted.[30]
Hannotog can stop Windows services.[31]
HermeticWiper has the ability to stop the Volume Shadow Copy service.[32]
HotCroissant has the ability to stop services on the infected host.[33]
INC Ransomware can issue a command to kill a process on compromised hosts.[34]
Indrik Spider has used PsExec to stop services prior to the execution of ransomware.[35]
Industroyer’s data wiper module writes zeros into the registry keys in SYSTEM\CurrentControlSet\Services to render a system inoperable.[36]
InvisibleFerret has terminated Chrome and Brave browsers using the taskkill command on Windows and the killall command on other systems such as Linux and macOS.[37] InvisibleFerret has also utilized its ssh_kill command to terminate Chrome and Brave browser processes.[38]
KillDisk terminates various processes to get the user to reboot the victim machine.[39]
Kimsuky has disabled actively running virtual environments using the KillMe function to include VMware, Microsoft Hypervisors, and VirtualBox.[40]
LAPSUS$ has shut down virtual machines from within a victim's on-premise VMware ESXi infrastructure.[41]
Lazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users.[42]
LockBit 2.0 can automatically terminate processes that may interfere with the encryption or file extraction processes.[43]
LockBit 3.0 can terminate targeted processes and services related to security, backup, database management, and other applications that could stop or interfere with encryption.[44][45][46][47]
LookBack can kill processes and delete services.[48]
Maze has stopped SQL services to ensure it can encrypt any database.[49]
Medusa Group has terminated services related to backups, security, databases, communication, filesharing and websites.[50][51][52]
Medusa Ransomware has the capability to terminate services related to backups, security, databases, communication, filesharing and websites.[50][51][52] Medusa Ransomware has also utilized the taskkill /F /IM <process> /T command to stop targeted processes and net stop <process> command to stop designated services.[51][52]
MegaCortex can stop and disable services on the system.[53]
Megazord has the ability to terminate a list of services and processes.[9]
Meteor can disconnect all network adapters on a compromised host using powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($_.NetEnabled) { $_.Disable() } }" > NUL.[54]
Netwalker can terminate system processes and services, some of which relate to backup software.[55]
Olympic Destroyer uses the API call ChangeServiceConfigW to disable all services on the affected system.[1]
Pay2Key can stop the MS SQL service at the end of the encryption process to release files locked by the service.[56]
PHASEJAM has disabled the cgi-server process on Ivanti Connect Secure appliances.[25]
Prestige has attempted to stop the MSSQL Windows service to ensure successful encryption using C:\Windows\System32\net.exe stop MSSQLSERVER.[57]
Pysa can stop services and processes.[58]
Qilin can terminate specific services on compromised hosts.[59][60][61][62]
Ragnar Locker has attempted to stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted.[63]
RansomHub has the ability to terminate specified services.[64]
REvil has the capability to stop services and kill processes.[65][66]
ROADSWEEP can disable critical services and processes.[67]
RobbinHood stops 181 Windows services on the system before beginning the encryption process.[68]
Royal can use RmShutDown to kill applications and services using the resources that are targeted for encryption.[69]
Ryuk has called kill.bat for stopping services, disabling services and killing processes.[70]
Sandworm Team attempts to stop the MSSQL Windows service to ensure successful encryption of locked files.[57]
SLOTHFULMEDIA has the capability to stop processes and services.[71]
VIRTUALPITA can start and stop the vmsyslogd service.[72]
WannaCry attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores.[73][3]
Wizard Spider has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to network encryption.[74]
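The procedure examples above share two observable footprints: a process whose command line stops or disables services (net stop, taskkill /F /IM, sc, esxcli vm process kill, the WMI adapter-disable one-liner) and a run of "service entered the stopped state" events on one host in a short window, as when a hardcoded list of 146 or 181 services is walked before encryption. The Python detector below is an added example, not part of the ATT&CK page or of any listed software; it applies both checks to a constructed log sample. The key=value line layout, the host names, users and the world-id are constructed for the example; Event IDs 4688 (process creation, Security log) and 7036 (service state change, System log) are the real Windows identifiers.

```python
"""Detection sketch for ATT&CK T1489 (Service Stop) over constructed log lines.

Two signals that the procedure examples share are checked here:
  1. a process creation whose command line stops or disables services
     (net stop, taskkill /F /IM, sc stop/config, esxcli vm process kill,
     WMI network-adapter disable), and
  2. a burst of "service entered the stopped state" events (Windows System
     log Event ID 7036) on one host inside a short window, the footprint of
     a hardcoded service list being walked before encryption starts.
The key=value line layout, host names, users and ids are constructed for
this example; Event IDs 4688 and 7036 are the real Windows identifiers.
"""
import re
from collections import defaultdict
from datetime import datetime

# Command-line patterns taken from the procedure examples on this page.
STOP_PATTERNS = [
    ("net_stop", re.compile(r"\bnet(?:\.exe)?\s+stop\b", re.I)),
    ("sc_stop", re.compile(r"\bsc(?:\.exe)?\s+(?:stop\b|config\b.*\bstart=\s*disabled)", re.I)),
    ("taskkill_force", re.compile(r"\btaskkill(?:\.exe)?\b(?=.*\s/F\b)(?=.*\s/IM\b)", re.I)),
    ("esxcli_vm_kill", re.compile(r"\besxcli\s+vm\s+process\s+kill\b", re.I)),
    ("wmi_nic_disable", re.compile(r"Win32_NetworkAdapter.*\.Disable\(\)", re.I)),
]

# Fragments of service names that the examples above stop to release locked
# files (database, mail) or to blind recovery and defenses (backup, VSS, AV).
SENSITIVE_SERVICES = ("sql", "exchange", "shadow", "vss", "backup", "veeam", "defend")

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\d+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str):
    """Parse one constructed collector line into a dict, or return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
          "host": m["host"], "event": int(m["event"])}
    for key, quoted, bare in KV_RE.findall(m["rest"]):
        ev[key] = quoted or bare
    return ev


def classify_command(cmdline: str):
    """Return the name of the first T1489 pattern a command line matches, or None."""
    for name, pattern in STOP_PATTERNS:
        if pattern.search(cmdline):
            return name
    return None


def detect_stop_bursts(events, window_seconds=60, threshold=5):
    """Flag hosts where >= threshold services stopped inside any window_seconds span."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["event"] == 7036 and ev.get("state") == "stopped":
            by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e["ts"])
        best, start = [], 0
        for end in range(len(evs)):  # sliding window over the sorted stop events
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) >= threshold:
            names = {e.get("service", "") for e in best}
            findings.append({
                "host": host, "count": len(best),
                "sensitive": sorted(n for n in names
                                    if any(frag in n.lower() for frag in SENSITIVE_SERVICES)),
            })
    return findings


def run_detection(log_text: str, window_seconds=60, threshold=5):
    """Run both checks over raw log text and return the findings."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    commands = []
    for ev in events:
        rule = classify_command(ev.get("cmd", ""))
        if rule:
            commands.append({"host": ev["host"], "ts": ev["ts"].isoformat(),
                             "user": ev.get("user"), "rule": rule, "cmd": ev["cmd"]})
    return {"commands": commands,
            "bursts": detect_stop_bursts(events, window_seconds, threshold)}


# Constructed sample: one file server being prepared for encryption, one
# ESXi host, and one workstation with ordinary activity (no finding expected).
SAMPLE_LOG = """\
2024-05-02T03:14:05Z host=FS01 event=4688 user=CORP\\svc_backup cmd="C:\\Windows\\System32\\net.exe stop MSSQLSERVER"
2024-05-02T03:14:05Z host=FS01 event=4688 user=CORP\\svc_backup cmd="taskkill /F /IM sqlservr.exe /T"
2024-05-02T03:14:06Z host=FS01 event=7036 service="SQL Server (MSSQLSERVER)" state=stopped
2024-05-02T03:14:07Z host=FS01 event=7036 service="MSExchangeIS" state=stopped
2024-05-02T03:14:08Z host=FS01 event=7036 service="Volume Shadow Copy" state=stopped
2024-05-02T03:14:09Z host=FS01 event=7036 service="Veeam Backup Service" state=stopped
2024-05-02T03:14:10Z host=FS01 event=7036 service="Windows Defender Antivirus Service" state=stopped
2024-05-02T03:14:12Z host=FS01 event=7036 service="Print Spooler" state=stopped
2024-05-02T03:20:00Z host=ESX01 event=0 user=root cmd="esxcli vm process kill --type=force --world-id=12345"
2024-05-02T09:30:00Z host=WS07 event=7036 service="Print Spooler" state=stopped
2024-05-02T09:31:00Z host=WS07 event=4688 user=CORP\\jdoe cmd="net use Z: \\\\fs01\\share"
"""

if __name__ == "__main__":
    result = run_detection(SAMPLE_LOG)
    for c in result["commands"]:
        print(f"[{c['host']}] {c['rule']}: {c['cmd']}")
    for b in result["bursts"]:
        print(f"[{b['host']}] {b['count']} services stopped in one window; "
              f"sensitive: {', '.join(b['sensitive'])}")
```

The burst threshold and window need tuning per environment: patch cycles and maintenance scripts also stop many services at once, so the stopped-service burst is most useful when it coincides with one of the command-line matches, lands outside change windows, or includes the backup, shadow-copy, database and mail services the examples above single out.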