Today’s rule matches strings found in the note dropped post-encryption by the Yanluowang ransomware.
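rule MAL_Yanluowang_ransomnote {
    meta:
        description = "Matches strings found in Yanluowang ransom notes."
        last_modified = "2024-03-27"
        author = "@petermstewart"
        DaysofYara = "87/100"
    strings:
        // Phrases taken from the note text. `ascii wide` keeps the original
        // ASCII matching and additionally covers a UTF-16LE copy of the same
        // text (e.g. a note re-saved by a Windows tool as "Unicode"), which
        // the ASCII-only form would silently miss.
        $a1 = "since you are reading this it means you have been hacked" ascii wide
        $a2 = "encrypting all your systems" ascii wide
        $a3 = "Here's what you shouldn't do" ascii wide
        $a4 = "Do not try to decrypt the files yourself" ascii wide
        $a5 = "do not change the file extension yourself" ascii wide
        $a6 = "Keep us for fools" ascii wide
        $a7 = "Here's what you should do right after reading it" ascii wide
        $a8 = "send our message to the CEO of the company, as well as to the IT department" ascii wide
        $a9 = "you should contact us within 24 hours by email" ascii wide
        $a10 = "As a guarantee that we can decrypt the files, we suggest that you send several files for free decryption" ascii wide
        $a11 = "Mails to contact us" ascii wide
    condition:
        // Ransom notes are small text files; the size cap stops larger
        // documents that merely quote the note (reports, write-ups) from
        // triggering the rule.
        filesize < 5KB and
        // Require most of the phrases, so a single quoted sentence is not
        // enough for a hit.
        8 of them
}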
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.