#100DaysofYARA 2024 – Day 21 – Royal Ransomware Note

Just the one rule today – matching strings found in the Royal ransom note.

rule MAL_Royal_ransomnote {
	meta:
		description = "Matches strings found in Royal ransom note sample."
		last_modified = "2024-01-21"
		author = "@petermstewart"
		DaysofYara = "21/100"

	strings:
		$a = "royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion"
		$b1 = "If you are reading this, it means that your system were hit by Royal ransomware"
		$b2 = "Please contact us via :"
		$b3 = "In the meantime, let us explain this case"
		$b4 = "It may seem complicated, but it is not!"
		$b5 = "Most likely what happened was that you decided to save some money on your security infrastructure"
		$b6 = "Alas, as a result your critical data was not only encrypted but also copied from your systems on a secure server"
		$b7 = "From there it can be published online"
		$b8 = "Then anyone on the internet from darknet criminals, ACLU journalists, Chinese government"
		$b9 = "and even your employees will be able to see your internal documentation: personal data, HR reviews, internal lawsuitsand complains, financial reports, accounting, intellectual property, and more"
		$b10 = "Fortunately we got you covered!"
		$b11 = "Royal offers you a unique deal.For a modest royalty(got it; got it ? )"
		$b12 = "for our pentesting services we will not only provide you with an amazing risk mitigation service"
		$b13 = "covering you from reputational, legal, financial, regulatory, and insurance risks, but will also provide you with a security review for your systems"
		$b14 = "To put it simply, your files will be decrypted, your data restoredand kept confidential, and your systems will remain secure"
		$b15 = "Try Royal today and enter the new era of data security"
		$b16 = "We are looking to hearing from you soon"

	condition:
		filesize < 5KB and
		1 of ($a*) and
		13 of ($b*)
}
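The reason the rule asks for 13 of 16 phrases rather than all of them is that operators reword notes between campaigns; a threshold keeps the rule matching lightly edited notes while the .onion address and the size bound keep it from firing on ordinary text. The script below is an added example, not the author's code: a plain-Python port of the rule's condition (the phrases and address are copied verbatim from the rule) for triage hosts that have no yara binary, run over constructed sample notes. Where yara-python is available, compiling the rule with `yara.compile` is the better route; this port exists to show what each clause of the condition actually counts.

```python
# Added example (not the author's code): plain-Python port of the
# MAL_Royal_ransomnote condition. Anchor and phrases are verbatim from the rule.
from pathlib import Path

ROYAL_ONION = b"royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion"

# $b1..$b16, verbatim. The note's own typos ("lawsuitsand", "restoredand")
# stay as they are: they are part of what makes the phrases distinctive.
ROYAL_PHRASES = [
    b"If you are reading this, it means that your system were hit by Royal ransomware",
    b"Please contact us via :",
    b"In the meantime, let us explain this case",
    b"It may seem complicated, but it is not!",
    b"Most likely what happened was that you decided to save some money on your security infrastructure",
    b"Alas, as a result your critical data was not only encrypted but also copied from your systems on a secure server",
    b"From there it can be published online",
    b"Then anyone on the internet from darknet criminals, ACLU journalists, Chinese government",
    b"and even your employees will be able to see your internal documentation: personal data, HR reviews, internal lawsuitsand complains, financial reports, accounting, intellectual property, and more",
    b"Fortunately we got you covered!",
    b"Royal offers you a unique deal.For a modest royalty(got it; got it ? )",
    b"for our pentesting services we will not only provide you with an amazing risk mitigation service",
    b"covering you from reputational, legal, financial, regulatory, and insurance risks, but will also provide you with a security review for your systems",
    b"To put it simply, your files will be decrypted, your data restoredand kept confidential, and your systems will remain secure",
    b"Try Royal today and enter the new era of data security",
    b"We are looking to hearing from you soon",
]

MAX_SIZE = 5 * 1024   # filesize < 5KB
THRESHOLD = 13        # 13 of ($b*)


def phrase_hits(data: bytes, phrases=ROYAL_PHRASES) -> int:
    """Number of phrases present, i.e. what YARA counts for 'N of ($b*)'."""
    return sum(1 for p in phrases if p in data)


def note_matches(data: bytes, anchor: bytes = ROYAL_ONION, phrases=ROYAL_PHRASES,
                 threshold: int = THRESHOLD, max_size: int = MAX_SIZE) -> bool:
    """True when the buffer satisfies every clause of the rule's condition."""
    if len(data) >= max_size:          # filesize < 5KB
        return False
    if anchor not in data:             # 1 of ($a*)
        return False
    return phrase_hits(data, phrases) >= threshold   # 13 of ($b*)


def scan_paths(paths, max_size: int = MAX_SIZE):
    """Return the paths whose content satisfies the rule. Reading only
    max_size + 1 bytes makes the size check cheap on large files."""
    hits = []
    for p in map(Path, paths):
        with p.open("rb") as f:
            data = f.read(max_size + 1)
        if note_matches(data, max_size=max_size):
            hits.append(p)
    return hits


def build_note(phrases) -> bytes:
    """Assemble a constructed note from a phrase list (sample data, not a real file)."""
    body = phrases[:2] + [b"http://" + ROYAL_ONION] + phrases[2:]
    return b"\r\n".join(body) + b"\r\n"


# Constructed samples: the full phrase set, a lightly edited note (three
# sentences dropped, still 13 hits) and a heavily edited one (four dropped).
CONSTRUCTED_NOTE = build_note(ROYAL_PHRASES)
EDITED_13 = build_note([p for i, p in enumerate(ROYAL_PHRASES) if i not in (3, 7, 14)])
EDITED_12 = build_note([p for i, p in enumerate(ROYAL_PHRASES) if i not in (3, 7, 10, 14)])

if __name__ == "__main__":
    for name, blob in [("full", CONSTRUCTED_NOTE), ("edited_13", EDITED_13),
                       ("edited_12", EDITED_12), ("benign", b"README: nothing here")]:
        print(f"{name:10s} hits={phrase_hits(blob):2d} match={note_matches(blob)}")
```

The edited variants show where the threshold sits: dropping three sentences still leaves 13 hits and a match, dropping a fourth does not, and padding the note past 5 KB fails the size clause regardless of content.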

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 20 – Royal Ransomware

Royal is a ransomware-as-a-service operated by ROYAL SPIDER, which emerged following the Conti leaks in 2022. Today’s rule matches strings found in Windows and Linux samples of Royal ransomware:

rule MAL_Royal_strings {
	meta:
		description = "Matches strings found in Windows and Linux samples of Royal ransomware."
		last_modified = "2024-01-20"
		author = "@petermstewart"
		DaysofYara = "20/100"
		sha256 = "312f34ee8c7b2199a3e78b4a52bd87700cc8f3aa01aa641e5d899501cb720775"
		sha256 = "9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926"
		sha256 = "b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c"

	strings:
		$a = "royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion"
		$b1 = "If you are reading this, it means that your system were hit by Royal ransomware"
		$b2 = "Please contact us via :"
		$b3 = "In the meantime, let us explain this case"
		$b4 = "It may seem complicated, but it is not!"
		$b5 = "Most likely what happened was that you decided to save some money on your security infrastructure"
		$b6 = "Alas, as a result your critical data was not only encrypted but also copied from your systems on a secure server"
		$b7 = "From there it can be published online"
		$b8 = "Then anyone on the internet from darknet criminals, ACLU journalists, Chinese government"
		$b9 = "and even your employees will be able to see your internal documentation: personal data, HR reviews, internal lawsuitsand complains, financial reports, accounting, intellectual property, and more"
		$b10 = "Fortunately we got you covered!"
		$b11 = "Royal offers you a unique deal.For a modest royalty(got it; got it ? )"
		$b12 = "Try Royal today and enter the new era of data security"
		$b13 = "We are looking to hearing from you soon"

	condition:
		filesize > 2000KB and filesize < 3500KB and
		(uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
		$a and
		10 of ($b*)
}

But wait, there’s more! When I was looking at the Linux sample (SHA256: b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c) I found an RSA Public Key block. I don’t know what it’s for, but my rule matches at least one more sample (SHA256: 06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725) so it might be interesting.

rule HUNT_Royal_RSA_Public_Key {
	meta:
		description = "Matches an RSA Public Key block found in Royal ransomware Linux samples."
		last_modified = "2024-01-20"
		author = "@petermstewart"
		DaysofYara = "20/100"
		sha256 = "b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c"
		sha256 = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725"

	strings:
		$key1 = "-----BEGIN RSA PUBLIC KEY-----"
		$key2 = "MIICCAKCAgEAp/24TNvKoZ9rzwMaH9kVGq4x1j+L/tgWH5ncB1TQA6eT5NDtgsQH"
		$key3 = "jv+6N3IY8P4SPSnG5QUBp9uYm3berObDuLURZ4wGW+HEKY+jNht5JD4aE+SS2Gjl"
		$key4 = "+lht2N+S8lRDAjcYXJZaCePN4pHDWQ65cVHnonyo5FfjKkQpDlzbAZ8/wBY+5gE4"
		$key5 = "Tex2Fdh7pvs7ek8+cnzkSi19xC0plj4zoMZBwFQST9iLK7KbRTKnaF1ZAHnDKaTQ"
		$key6 = "uCkJkcdhpQnaDyuUojb2k+gD3n+k/oN33Il9hfO4s67gyiIBH03qG3CYBJ0XfEWU"
		$key7 = "cvvahe+nZ3D0ffV/7LN6FO588RBlI2ZH+pMsyUWobI3TdjkdoHvMgJItrqrCK7BZ"
		$key8 = "TIKcZ0Rub+RQJsNowXbC+CbgDl38nESpKimPztcd6rzY32Jo7IcvAqPSckRuaghB"
		$key9 = "rkci/d377b6IT+vOWpNciS87dUQ0lUOmtsI2LLSkwyxauG5Y1W/MDUYZEuhHYlZM"
		$key10 = "cKqlSLmu8OTitL6bYOEQSy31PtCg2BOtlSu0NzW4pEXvg2hQyuSEbeWEGkrJrjTK"
		$key11 = "v9K7eu+eT5/arOy/onM56fFZSXfVseuC48R9TWktgCpPMkszLmwY14rp1ds6S7OO"
		$key12 = "/HLRayEWjwa0eR0r/GhEHX80C8IU54ksEuf3uHbpq8jFnN1A+U239q0CAQM="
		$key13 = "-----END RSA PUBLIC KEY-----"

	condition:
		filesize > 2MB and filesize < 3MB and
		(uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
		all of ($key*)
}


#100DaysofYARA 2024 – Day 19 – LockBit Ransomware Note

Rounding out my LockBit rules (I didn’t have a Linux sample to analyse) with one to find the ransom note dropped by LockBit 2.0:

rule MAL_Lockbit_2_ransomnote {
	meta:
		description = "Matches strings found in Lockbit 2.0 ransom note samples."
		last_modified = "2024-01-19"
		author = "@petermstewart"
		DaysofYara = "19/100"

	strings:
		$a = "http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion"
		$b1 = "https://bigblog.at"
		$b2 = "http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion"
		$b3 = "http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion"
		$c1 = "LockBit 2.0 Ransomware"
		$c2 = "Your data are stolen and encrypted"
		$c3 = "The data will be published on TOR website"
		$c4 = "if you do not pay the ransom"
		$c5 = "You can contact us and decrypt on file for free on these TOR sites"
		$c6 = "Decryption ID:"

	condition:
		filesize < 5KB and
		$a and
		2 of ($b*) and
		5 of ($c*)
}


#100DaysofYARA 2024 – Day 18 – LockBit Ransomware (macOS)

In April 2023 researchers found a macOS variant of the LockBit encryptor. I am not aware of any public reports where it has been used in the wild, but it’s interesting enough to be worth a quick YARA rule:

rule MAL_Lockbit_2_macOS_strings {
	meta:
		description = "Matches strings found in Lockbit ransomware macOS sample."
		last_modified = "2024-01-18"
		author = "@petermstewart"
		DaysofYara = "18/100"
		sha256 = "3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79"

	strings:
		$a1 = "lockbit"
		$a2 = "restore-my-files.txt"
		$a3 = "_I_need_to_bypass_this_"
		$a4 = "kLibsodiumDRG"
		$b = "_Restore_My_Files_"

	condition:
		filesize < 500KB and
		(uint32(0) == 0xfeedface or	// MH_MAGIC
		uint32(0) == 0xcefaedfe or	// MH_CIGAM
		uint32(0) == 0xfeedfacf or	// MH_MAGIC_64
		uint32(0) == 0xcffaedfe or	// MH_CIGAM_64
		uint32(0) == 0xcafebabe or	// FAT_MAGIC
		uint32(0) == 0xbebafeca) and	// FAT_CIGAM
		#b > 4 and
		all of ($a*)
}
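The six-way header check is there because YARA's `uint32(0)` always reads little-endian, whatever byte order the file itself uses: a 64-bit Mach-O for arm64 or x86_64 starts with the bytes `cf fa ed fe` and reads back as MH_MAGIC_64, while an old big-endian (PowerPC) image starts `fe ed fa ce` and reads back as the byte-swapped MH_CIGAM. Fat (universal) headers are always big-endian on disk, so a real fat binary reads as FAT_CIGAM, and so does a Java class file, whose magic is the same `ca fe ba be`; that is one reason the rule also demands `all of ($a*)`. The script below is an added example, not code from the post: it evaluates the first-bytes reads the way YARA does for the constants used in the rules above (the PE and ELF checks from the Windows and Linux rules included) on constructed headers.

```python
# Added example (not code from the post): how YARA's uint16(0)/uint32(0) see
# the executable headers tested in the rules above. YARA reads these integers
# little-endian regardless of the file's own byte order, which is why the
# Mach-O rule lists both the MAGIC and the byte-swapped CIGAM forms.
import struct

# Constants exactly as they appear in the rules' conditions.
MAGICS = {
    0x5a4d:     "PE (MZ)",                                   # uint16(0), bytes 4d 5a
    0x464c457f: "ELF",                                       # bytes 7f 45 4c 46
    0xfeedface: "MH_MAGIC (32-bit Mach-O, little-endian file)",
    0xcefaedfe: "MH_CIGAM (32-bit Mach-O, big-endian file)",
    0xfeedfacf: "MH_MAGIC_64 (64-bit Mach-O, little-endian file)",
    0xcffaedfe: "MH_CIGAM_64 (64-bit Mach-O, big-endian file)",
    0xcafebabe: "FAT_MAGIC (fat header stored little-endian; real fat files are big-endian on disk)",
    0xbebafeca: "FAT_CIGAM (fat header, big-endian on disk; same bytes as a Java .class)",
}
MACHO_MAGICS = {0xfeedface, 0xcefaedfe, 0xfeedfacf, 0xcffaedfe, 0xcafebabe, 0xbebafeca}


def yara_uint16(data: bytes, offset: int = 0) -> int:
    """uint16(offset) as YARA evaluates it: unsigned, little-endian."""
    return struct.unpack_from("<H", data, offset)[0]


def yara_uint32(data: bytes, offset: int = 0) -> int:
    """uint32(offset) as YARA evaluates it: unsigned, little-endian."""
    return struct.unpack_from("<I", data, offset)[0]


def classify_header(data: bytes) -> str:
    """Label the header the way the rules' first-bytes checks would see it."""
    if len(data) >= 2 and yara_uint16(data) == 0x5a4d:
        return MAGICS[0x5a4d]
    if len(data) >= 4:
        return MAGICS.get(yara_uint32(data), "unknown")
    return "unknown"


def is_macho_or_fat(data: bytes) -> bool:
    """The Mach-O/fat clause of MAL_Lockbit_2_macOS_strings."""
    return len(data) >= 4 and yara_uint32(data) in MACHO_MAGICS


def is_pe_or_elf(data: bytes) -> bool:
    """The header clause shared by the Windows and Linux rules above."""
    if len(data) < 4:
        return False
    return yara_uint16(data) == 0x5a4d or yara_uint32(data) == 0x464c457f


# Constructed headers (first bytes only, padded so the reads never run short).
SAMPLES = {
    "x86_64/arm64 Mach-O": b"\xcf\xfa\xed\xfe" + b"\x00" * 12,
    "PowerPC Mach-O":      b"\xfe\xed\xfa\xce" + b"\x00" * 12,
    "universal (fat)":     b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\x00" * 8,
    "Windows PE":          b"MZ\x90\x00" + b"\x00" * 12,
    "Linux ELF":           b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:20s} uint32(0)=0x{yara_uint32(hdr):08x} -> {classify_header(hdr)}")
```

Running it prints the little-endian value YARA would compare for each constructed header next to the label the rule's constant list gives it, which is a quick way to check a magic constant before committing it to a rule.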


#100DaysofYARA 2024 – Day 17 – LockBit Ransomware (Windows)

LockBit, operated by BITWISE SPIDER, pivoted to a ransomware-as-a-service model with the launch of LockBit 2.0 in 2021 and quickly became one of the most prevalent ransomware actors. Today’s rule uses strings found in samples to identify Windows LockBit 2.0 executables.

rule MAL_Lockbit_2_Win_strings {
	meta:
		description = "Matches strings found in Lockbit 2.0 ransomware Windows samples."
		last_modified = "2024-01-17"
		author = "@petermstewart"
		DaysofYara = "17/100"
		sha256 = "36446a57a54aba2517efca37eedd77c89dfc06e056369eac32397e8679660ff7"
		sha256 = "9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af"

	strings:
		$a = "http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion" wide
		$b1 = "All your files stolen and encrypted" wide
		$b2 = "for more information see" wide
		$b3 = "RESTORE-MY-FILES.TXT" wide
		$b4 = "that is located in every encrypted folder." wide
		$b5 = "You can communicate with us through the Tox messenger" wide
		$b6 = "If you want to contact us, use ToxID" wide

	condition:
		filesize > 800KB and filesize < 10MB and
		uint16(0) == 0x5a4d and
		$a and
		4 of ($b*)
}


#100DaysofYARA 2024 – Day 16 – BlackCat Ransomware Note

When writing rules for the Windows and Linux BlackCat variants I found two different versions of the ransom note; this rule attempts to match both.

rule MAL_BlackCat_ransomnote {
	meta:
		description = "Matches strings found in two versions of ransom notes dropped by BlackCat (ALPHV)."
		last_modified = "2024-01-16"
		author = "@petermstewart"
		DaysofYara = "16/100"

	strings:
		$heading1a = ">> What happened?"
		$heading1b = ">> Introduction"
		$heading2 = ">> Sensitive Data"
		$heading3 = ">> CAUTION"
		$heading4a = ">> What should I do next?"
		$heading4b = ">> Recovery procedure"
		$a1 = "In order to recover your files you need to follow instructions below."
		$a2 = "clients data, bills, budgets, annual reports, bank statements"
		$a3 = "1) Download and install Tor Browser from: https://torproject.org/"
		$a4 = "2) Navigate to: http://"

	condition:
		filesize < 5KB and
		// 'and' binds tighter than 'or' in YARA, so the two heading pairs
		// must be grouped explicitly or the size and $a* clauses only apply
		// to one branch
		(($heading1a and $heading4a) or ($heading1b and $heading4b)) and
		$heading2 and $heading3 and
		all of ($a*)
}
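YARA gives `and` higher precedence than `or`, so a condition that mixes them without brackets around the `or` group is grouped differently from the way it reads: the size bound and the `all of ($a*)` clause end up applying to only one of the two heading branches, which is why the alternative headings need to be written as `(($heading1a and $heading4a) or ($heading1b and $heading4b))`. The script below is an added example, not code from the post: it evaluates both groupings of this rule's condition over constructed inputs, with the string matches stood in for by a set of matched identifiers, and lists the inputs on which the two groupings disagree.

```python
# Added example (not the post's code): YARA parses `a and b or c and d` as
# `(a and b) or (c and d)`. This evaluates the BlackCat note condition both
# ways on constructed inputs; a set of identifiers stands in for the strings
# YARA would actually find in a file.

MAX_SIZE = 5 * 1024                     # filesize < 5KB
A_STRINGS = {"a1", "a2", "a3", "a4"}    # all of ($a*)


def cond_as_written(matched: set, filesize: int) -> bool:
    """filesize < 5KB and ($heading1a and $heading4a) or ($heading1b and $heading4b)
    and $heading2 and $heading3 and all of ($a*), grouped as YARA groups it."""
    left = filesize < MAX_SIZE and {"heading1a", "heading4a"} <= matched
    right = ({"heading1b", "heading4b", "heading2", "heading3"} <= matched
             and A_STRINGS <= matched)
    return left or right


def cond_intended(matched: set, filesize: int) -> bool:
    """The same clauses with the OR group bracketed: every clause applies
    to both note versions."""
    first = {"heading1a", "heading4a"} <= matched
    second = {"heading1b", "heading4b"} <= matched
    return (filesize < MAX_SIZE and (first or second)
            and {"heading2", "heading3"} <= matched and A_STRINGS <= matched)


# Constructed cases: (label, matched identifiers, filesize in bytes)
CASES = [
    ("v1 note, complete", {"heading1a", "heading4a", "heading2", "heading3"} | A_STRINGS, 1200),
    ("v2 note, complete", {"heading1b", "heading4b", "heading2", "heading3"} | A_STRINGS, 1300),
    ("v1 headings only",  {"heading1a", "heading4a"}, 900),   # nothing else present
    ("v2 note, 8 KB",     {"heading1b", "heading4b", "heading2", "heading3"} | A_STRINGS, 8192),
    ("unrelated text",    set(), 400),
]


def divergent_cases():
    """Labels of the constructed inputs on which the two groupings disagree."""
    return [label for label, matched, size in CASES
            if cond_as_written(matched, size) != cond_intended(matched, size)]


if __name__ == "__main__":
    for label, matched, size in CASES:
        print(f"{label:20s} as_written={cond_as_written(matched, size)!s:5s} "
              f"intended={cond_intended(matched, size)}")
```

The two divergent cases are exactly the ones a reviewer would worry about: a file carrying nothing but the two version-1 headings satisfies the ungrouped condition, and a version-2 note of any size does, because the size bound never reaches the second branch.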


#100DaysofYARA 2024 – Day 15 – BlackCat Ransomware (Linux)

ALPHV (ALPHA SPIDER) also used a Linux version of their ransomware; today’s rule uses common strings to find samples of it.

rule MAL_BlackCat_Lin_strings {
	meta:
		description = "Matches strings found in BlackCat ransomware Linux samples operated by ALPHV."
		last_modified = "2024-01-15"
		author = "@petermstewart"
		DaysofYara = "15/100"
		sha256 = "3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1"
		sha256 = "f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6"

	strings:
		$a1 = "encrypt_app::linux"
		$a2 = "src/bin/encrypt_app/linux.rs"
		$a3 = "locker::core::os::linux::command"
		$b1 = "note_file_name"
		$b2 = "note_full_text"
		$b3 = "note_short_text"
		$b4 = "default_file_cipher"
		$b5 = "default_file_mode"
		$b6 = "enable_esxi_vm_kill"
		$b7 = "enable_esxi_vm_snapshot_kill"

	condition:
		filesize > 1MB and filesize < 3MB and
		uint32(0) == 0x464c457f and
		2 of ($a*) and
		5 of ($b*)
}


#100DaysofYARA 2024 – Day 14 – BlackCat Ransomware (Windows)

The BlackCat ransomware-as-a-service was operated by ALPHV (ALPHA SPIDER) until a slightly messy disruption operation in December 2023. Today’s rule looks for strings commonly found in BlackCat Windows executables:

rule MAL_BlackCat_Win_strings {
	meta:
		description = "Matches strings found in BlackCat ransomware Windows samples operated by ALPHV."
		last_modified = "2024-01-14"
		author = "@petermstewart"
		DaysofYara = "14/100"
		sha256 = "2587001d6599f0ec03534ea823aab0febb75e83f657fadc3a662338cc08646b0"
		sha256 = "c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40"

	strings:
		$a = "bcdedit /set {default}bcdedit /set {default} recoveryenabled"
		$b = "vssadmin.exe Delete Shadows /all /quietshadow_copy::remove_all_vss="
		$c = "wmic.exe Shadowcopy Deleteshadow_copy::remove_all_wmic="
		$d = "deploy_note_and_image_for_all_users="
		$e = "Control Panel\\DesktopWallpaperStyleWallPaperC:\\\\Desktop\\.png"
		$f = "Speed:  Mb/s, Data: Mb/Mb, Files processed: /, Files scanned:"

	condition:
		filesize > 2MB and filesize < 4MB and
		uint16(0) == 0x5a4d and
		all of them
}


#100DaysofYARA 2024 – Day 13 – Akira Ransomware Note

Following on from yesterday’s rule to detect Akira ransomware binaries, today I am detecting the ransom note dropped after the “encryption event”. If you see these files pop up in your environment it’s probably too late, but being able to quickly identify which ransomware was used can be helpful for incident response.

rule MAL_Akira_ransomnote {
	meta:
		description = "Matches strings found in Akira ransom note sample."
		last_modified = "2024-01-13"
		author = "@petermstewart"
		DaysofYara = "13/100"

	strings:
		$a1 = "akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion"
		$a2 = "akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion"
		$b1 = "Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead"
		$b2 = "all your backups - virtual, physical - everything that we managed to reach - are completely removed"
		$b3 = "Moreover, we have taken a great amount of your corporate data prior to encryption"
		$b4 = "Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue"
		$b5 = "We're fully aware of what damage we caused by locking your internal sources"
		$b6 = "At the moment, you have to know"
		$b7 = "Dealing with us you will save A LOT due to we are not interested in ruining your financially"
		$b8 = "We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you"
		$b9 = "If you have an active cyber insurance, let us know and we will guide you how to properly use it"
		$b10 = "Also, dragging out the negotiation process will lead to failing of a deal"
		$b11 = "Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately"
		$b12 = "Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation"
		$b13 = "If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help"
		$b14 = "The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value"
		$b15 = "since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data"
		$b16 = "As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes"
		$b17 = "generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones"
		$b18 = "Then all of this will be published in our blog"
		$b19 = "We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us"
		$b20 = "If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions"
		$b21 = "Install TOR Browser to get access to our chat room"
		$b22 = "Keep in mind that the faster you will get in touch, the less damage we cause"

	condition:
		filesize < 100KB and
		1 of ($a*) and
		18 of ($b*)
}


#100DaysofYARA 2024 – Day 12 – Akira Ransomware

I spend most of my day job identifying, tracking, and trying to disrupt ransomware activity. One of the busier operations recently is Akira, tracked as PUNK SPIDER by CrowdStrike. BushidoToken published a nice open-source write-up!

This rule looks for specific strings found in Akira ransomware samples:

rule MAL_Akira_strings {
	meta:
		description = "Matches strings found in Akira ransomware sample."
		last_modified = "2024-01-12"
		author = "@petermstewart"
		DaysofYara = "12/100"
		sha256 = "3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c"

	strings:
		$a1 = "akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion"
		$a2 = "akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion"
		$b = "powershell.exe -Command \"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\""
		$c1 = "This is local disk:" wide
		$c2 = "This is network disk:" wide
		$c3 = "This is network path:" wide
		$c4 = "Not allowed disk:" wide

	condition:
		filesize < 2MB and
		uint16(0) == 0x5a4d and
		1 of ($a*) and
		$b and
		2 of ($c*)
}
