#100DaysofYARA 2024 – Day 101 – My Complete Ruleset

That’s it! #100DaysofYARA is complete for 2024. As a final post I have collected all of my rules into a single ruleset that can be used to easily triage a set of samples. Some of the rules use the base64 string modifier which may not be supported on older versions of YARA, and a few make use of regular expressions which may cause performance issues on larger sample sets.

Given the size of the ruleset it’s probably easier to just grab it directly from my Github repository.

I hope it’s helpful!

#100DaysofYARA 2024 – Day 25 – BlackSuit Ransomware Note

A quarter of the way through #100DaysofYARA! Today’s rule is essentially the same as yesterday, but tuned to catch the ransom note that BlackSuit drops post-encryption.

rule MAL_BlackSuit_ransomnote {
	meta:
		description = "Matches strings found in open-source reporting of BlackSuit ransom notes."
		last_modified = "2024-01-25"
        author = "@petermstewart"
        DaysofYara = "25/100"
        ref = "https://twitter.com/siri_urz/status/1653692714750279681"
        ref = "https://twitter.com/Unit42_Intel/status/1653760405792014336"
        ref = "https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html"

	strings:
		$a = "weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion"
    	$b1 = "Good whatever time of day it is!"
    	$b2 = "Your safety service did a really poor job of protecting your files against our professionals."
    	$b3 = "Extortioner named  BlackSuit has attacked your system."
    	$b4 = "As a result all your essential files were encrypted and saved at a secure server for further use and publishing on the Web into the public realm."
    	$b5 = "Now we have all your files like: financial reports, intellectual property, accounting, law actionsand complaints, personal files and so on and so forth."
    	$b6 = "We are able to solve this problem in one touch."
    	$b7 = "We (BlackSuit) are ready to give you an opportunity to get all the things back if you agree to makea deal with us."
    	$b8 = "You have a chance to get rid of all possible financial, legal, insurance and many others risks and problems for a quite small compensation."
    	$b9 = "You can have a safety review of your systems."
    	$b10 = "All your files will be decrypted, your data will be reset, your systems will stay in safe."
    	$b11 = "Contact us through TOR browser using the link:"

	condition:
		filesize < 5KB and
		$a and
		8 of ($b*)
}

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 24 – BlackSuit Ransomware

BlackSuit ransomware is thought to be a spin-off or rebrand of Royal, which I looked at on Day 20.

Again, rather than work directly from samples available on VirusTotal, I decided to put a rule together based on information in open-source reporting:

.BlackSuit Black Suit #Ransomware
748DE52961D2F182D47E88D736F6C835 pic.twitter.com/mqTVs5VDls
— S!Ri (@siri_urz) May 3, 2023

New #ransomware #BlackSuit targets Windows, #Linux. Extension: .blacksuit.
ReadMe file name: README.BlackSuit.txt.

onion link: weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd[.]onion/?id=
md5:9656cd12e3a85b869ad90a0528ca026e(nix), 748de52961d2f182d47e88d736f6c835(win) pic.twitter.com/v3SiLahREG
— Unit 42 (@Unit42_Intel) May 3, 2023

“Investigating BlackSuit Ransomware’s Similarities to Royal”, Trend Micro

As a result this rule is based on strings used to create the ransom note, but it does catch Windows and Linux samples.

rule MAL_BlackSuit_strings {
	meta:
		description = "Matches strings found in open-source reporting on BlackSuit Windows and Linux ransomware."
		last_modified = "2024-01-24"
        author = "@petermstewart"
        DaysofYara = "24/100"
        sha256 = "90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c"
        sha256 = "1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e"
        ref = "https://twitter.com/siri_urz/status/1653692714750279681"
        ref = "https://twitter.com/Unit42_Intel/status/1653760405792014336"
        ref = "https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html"

    strings:
    	$a = "weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion"
    	$b1 = "Good whatever time of day it is!"
    	$b2 = "Your safety service did a really poor job of protecting your files against our professionals."
    	$b3 = "Extortioner named  BlackSuit has attacked your system."
    	$b4 = "As a result all your essential files were encrypted and saved at a secure server for further use and publishing on the Web into the public realm."
    	$b5 = "Now we have all your files like: financial reports, intellectual property, accounting, law actionsand complaints, personal files and so on and so forth."
    	$b6 = "We are able to solve this problem in one touch."
    	$b7 = "We (BlackSuit) are ready to give you an opportunity to get all the things back if you agree to makea deal with us."
    	$b8 = "You have a chance to get rid of all possible financial, legal, insurance and many others risks and problems for a quite small compensation."
    	$b9 = "You can have a safety review of your systems."
    	$b10 = "All your files will be decrypted, your data will be reset, your systems will stay in safe."
    	$b11 = "Contact us through TOR browser using the link:"

	condition:
		(uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
		$a and
		8 of ($b*)
}

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.