From 19069b87e892dbb719349af72f56b234c0c53bbe Mon Sep 17 00:00:00 2001
From: Ameya Srivastava <0ameya.sr@gmail.com>
Date: Sun, 22 Feb 2026 14:31:00 +0530
Subject: [PATCH 1/4] Add new rule to detect ransomware disabling backup/recovery services

---
 .../disable-backup-or-recovery-services.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 impact/inhibit-system-recovery/disable-backup-or-recovery-services.yml

diff --git a/impact/inhibit-system-recovery/disable-backup-or-recovery-services.yml b/impact/inhibit-system-recovery/disable-backup-or-recovery-services.yml
new file mode 100644
index 000000000..9a96617b6
--- /dev/null
+++ b/impact/inhibit-system-recovery/disable-backup-or-recovery-services.yml
@@ -0,0 +1,34 @@
+rule:
+  meta:
+    name: disable backup or recovery services
+    namespace: impact/inhibit-system-recovery
+    authors:
+      - srivastava.ameya@gmail.com
+    description: the sample attempts to disable and stop backup and recovery services
+    scopes:
+      static: file
+      dynamic: unsupported
+    att&ck:
+      - Impact::Inhibit System Recovery [T1490]
+      - Impact::Service Stop [T1489]
+    references:
+      - https://media.kasperskycontenthub.com/wp-content/uploads/sites/63/2024/09/16054035/Common-TTPs-of-the-modern-ransomware_low-res.pdf
+    examples:
+      - B87E9DD18A5533A09D3E48A7A1EFBCF6
+  features:
+    - and:
+      - or:
+        - match: stop service
+        - string: /net\s+stop/i
+        - string: /sc(\.exe)?\s+stop/i
+        - string: /sc(\.exe)?\s+config.*start=\s*disabled/i
+        - string: /stop\s+.*\/y/i
+      - or:
+        - string: /veeam/i
+        - string: /backup/i
+        - string: /vss/i
+        - string: /oracle/i
+        - string: /sqlwriter/i
+        - string: /sqlsafe/i
+        - string: /sqltelemetry/i
+        - string: /acronis/i

From fd443a5d030a4db41e363e3a68bd8010c5e8172c Mon Sep 17 00:00:00 2001
From: Ameya Srivastava <0ameya.sr@gmail.com>
Date: Sun, 22 Feb 2026 20:57:45 +0530
Subject: [PATCH 2/4] Updated ransomware stop service rule name to use 'stop' rather than 'disable'

---
 ...very-services.yml => stop-backup-or-recovery-services.yml} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename impact/inhibit-system-recovery/{disable-backup-or-recovery-services.yml => stop-backup-or-recovery-services.yml} (87%)

diff --git a/impact/inhibit-system-recovery/disable-backup-or-recovery-services.yml b/impact/inhibit-system-recovery/stop-backup-or-recovery-services.yml
similarity index 87%
rename from impact/inhibit-system-recovery/disable-backup-or-recovery-services.yml
rename to impact/inhibit-system-recovery/stop-backup-or-recovery-services.yml
index 9a96617b6..78d60df7a 100644
--- a/impact/inhibit-system-recovery/disable-backup-or-recovery-services.yml
+++ b/impact/inhibit-system-recovery/stop-backup-or-recovery-services.yml
@@ -1,10 +1,10 @@
 rule:
   meta:
-    name: disable backup or recovery services
+    name: stop backup or recovery services
     namespace: impact/inhibit-system-recovery
     authors:
       - srivastava.ameya@gmail.com
-    description: the sample attempts to disable and stop backup and recovery services
+    description: the sample attempts to stop backup and recovery services
     scopes:
       static: file
       dynamic: unsupported

From b2d5da8f66ba59a2d3c25639dc5e1ffcf5875245 Mon Sep 17 00:00:00 2001
From: Ameya Srivastava <0ameya.sr@gmail.com>
Date: Mon, 23 Feb 2026 00:25:53 +0530
Subject: [PATCH 3/4] Updated rule to reduce false positive breadth and enforce string locality

---
 .../stop-backup-or-recovery-services.yml | 24 ++++++-------------
 1 file changed, 7 insertions(+), 17 deletions(-)

diff --git a/impact/inhibit-system-recovery/stop-backup-or-recovery-services.yml b/impact/inhibit-system-recovery/stop-backup-or-recovery-services.yml
index 78d60df7a..4f6371bb5 100644
--- a/impact/inhibit-system-recovery/stop-backup-or-recovery-services.yml
+++ b/impact/inhibit-system-recovery/stop-backup-or-recovery-services.yml
@@ -4,7 +4,7 @@ rule:
     namespace: impact/inhibit-system-recovery
     authors:
       - srivastava.ameya@gmail.com
-    description: the sample attempts to stop backup and recovery services
+    description: the sample attempts to stop backup or recovery services
     scopes:
       static: file
       dynamic: unsupported
@@ -16,19 +16,9 @@ rule:
     examples:
       - B87E9DD18A5533A09D3E48A7A1EFBCF6
   features:
-    - and:
-      - or:
-        - match: stop service
-        - string: /net\s+stop/i
-        - string: /sc(\.exe)?\s+stop/i
-        - string: /sc(\.exe)?\s+config.*start=\s*disabled/i
-        - string: /stop\s+.*\/y/i
-      - or:
-        - string: /veeam/i
-        - string: /backup/i
-        - string: /vss/i
-        - string: /oracle/i
-        - string: /sqlwriter/i
-        - string: /sqlsafe/i
-        - string: /sqltelemetry/i
-        - string: /acronis/i
+    - or:
+      - string: /\bnet\s+stop\s+["']?(veeam|vss|oracle|sqlwriter|sqlsafe|sqltelemetry|acronis|sophos|mssql)\b/i
+      - string: /\bsc(\.exe)?\s+stop\s+["']?(veeam|vss|oracle|sqlwriter|sqlsafe|sqltelemetry|acronis|sophos|mssql)\b/i
+      - string: /\bsc(\.exe)?\s+config\s+["']?(veeam|vss|oracle|sqlwriter|sqlsafe|sqltelemetry|acronis|sophos|mssql)\b.*start=\s*disabled\b/i
+      - string: /\bstop\s+["']?(veeam|vss|oracle|sqlwriter|sqlsafe|sqltelemetry|acronis|sophos|mssql)\b.*\/y\b/i
+      - string: /\btaskkill\b[^"\r\n]\/f\b[^"\r\n]\b(veeam|sqlservr|oracle|acronis|sophos|iis)\b/i
\ No newline at end of file

From 687068d4cafbee67b37d1498653b34b92fd0af1e Mon Sep 17 00:00:00 2001
From: Ameya Srivastava <0ameya.sr@gmail.com>
Date: Mon, 23 Feb 2026 00:57:04 +0530
Subject: [PATCH 4/4] Add missing empty line at end for format

---
 .../stop-backup-or-recovery-services.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/impact/inhibit-system-recovery/stop-backup-or-recovery-services.yml b/impact/inhibit-system-recovery/stop-backup-or-recovery-services.yml
index 4f6371bb5..18956acad 100644
--- a/impact/inhibit-system-recovery/stop-backup-or-recovery-services.yml
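Review bot: The `taskkill` pattern on the last added line of the second hunk uses `[^"\r\n]` with no quantifier, so exactly one character is allowed between `taskkill` and `/f` and exactly one between `/f` and the process name; the common `taskkill /f /im <name>.exe` form can therefore never match and that line is effectively dead. Adding the missing quantifiers gives `- string: /\btaskkill\b[^"\r\n]*\/f\b[^"\r\n]*\b(veeam|sqlservr|oracle|acronis|sophos|iis)\b/i`. The four `net stop` / `sc stop` / `sc config` / `stop … /y` patterns have a related gap: the `\b` placed right after the vendor alternation requires the name to end there, so quoted display names and short names like `VSS` match, but concatenated Windows service names such as `MSSQLSERVER` or `VeeamBackupSvc` do not; replacing that `\b` with `\w*\b` (or dropping it, since `\s+["']?` already anchors the start) would cover both forms. The same `taskkill` line is carried unchanged into the PATCH 4/4 hunk, which only restores the trailing newline.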
+++ b/impact/inhibit-system-recovery/stop-backup-or-recovery-services.yml
@@ -21,4 +21,4 @@ rule:
       - string: /\bsc(\.exe)?\s+stop\s+["']?(veeam|vss|oracle|sqlwriter|sqlsafe|sqltelemetry|acronis|sophos|mssql)\b/i
       - string: /\bsc(\.exe)?\s+config\s+["']?(veeam|vss|oracle|sqlwriter|sqlsafe|sqltelemetry|acronis|sophos|mssql)\b.*start=\s*disabled\b/i
       - string: /\bstop\s+["']?(veeam|vss|oracle|sqlwriter|sqlsafe|sqltelemetry|acronis|sophos|mssql)\b.*\/y\b/i
-      - string: /\btaskkill\b[^"\r\n]\/f\b[^"\r\n]\b(veeam|sqlservr|oracle|acronis|sophos|iis)\b/i
\ No newline at end of file
+      - string: /\btaskkill\b[^"\r\n]\/f\b[^"\r\n]\b(veeam|sqlservr|oracle|acronis|sophos|iis)\b/i