#100DaysofYARA 2024 – Day 25 – BlackSuit Ransomware Note

A quarter of the way through #100DaysofYARA! Today’s rule is essentially the same as yesterday’s, but tuned to catch the ransom note that BlackSuit drops post-encryption.

rule MAL_BlackSuit_ransomnote {
	meta:
		description = "Matches strings found in open-source reporting of BlackSuit ransom notes."
		last_modified = "2024-01-25"
		author = "@petermstewart"
		DaysofYara = "25/100"
		ref = "https://twitter.com/siri_urz/status/1653692714750279681"
		ref = "https://twitter.com/Unit42_Intel/status/1653760405792014336"
		ref = "https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html"

	strings:
		$a = "weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion"
		$b1 = "Good whatever time of day it is!"
		$b2 = "Your safety service did a really poor job of protecting your files against our professionals."
		$b3 = "Extortioner named  BlackSuit has attacked your system."
		$b4 = "As a result all your essential files were encrypted and saved at a secure server for further use and publishing on the Web into the public realm."
		$b5 = "Now we have all your files like: financial reports, intellectual property, accounting, law actionsand complaints, personal files and so on and so forth."
		$b6 = "We are able to solve this problem in one touch."
		$b7 = "We (BlackSuit) are ready to give you an opportunity to get all the things back if you agree to makea deal with us."
		$b8 = "You have a chance to get rid of all possible financial, legal, insurance and many others risks and problems for a quite small compensation."
		$b9 = "You can have a safety review of your systems."
		$b10 = "All your files will be decrypted, your data will be reset, your systems will stay in safe."
		$b11 = "Contact us through TOR browser using the link:"

	condition:
		filesize < 5KB and
		$a and
		8 of ($b*)
}

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 24 – BlackSuit Ransomware

BlackSuit ransomware is thought to be a spin-off or rebrand of Royal, which I looked at on Day 20.

Again, rather than work directly from samples available on VirusTotal, I decided to put a rule together based on information in open-source reporting:

“Investigating BlackSuit Ransomware’s Similarities to Royal”, Trend Micro

As a result, this rule is based on the strings used to build the ransom note, but it does catch both Windows and Linux samples.

rule MAL_BlackSuit_strings {
	meta:
		description = "Matches strings found in open-source reporting on BlackSuit Windows and Linux ransomware."
		last_modified = "2024-01-24"
		author = "@petermstewart"
		DaysofYara = "24/100"
		sha256 = "90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c"
		sha256 = "1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e"
		ref = "https://twitter.com/siri_urz/status/1653692714750279681"
		ref = "https://twitter.com/Unit42_Intel/status/1653760405792014336"
		ref = "https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html"

	strings:
		$a = "weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion"
		$b1 = "Good whatever time of day it is!"
		$b2 = "Your safety service did a really poor job of protecting your files against our professionals."
		$b3 = "Extortioner named  BlackSuit has attacked your system."
		$b4 = "As a result all your essential files were encrypted and saved at a secure server for further use and publishing on the Web into the public realm."
		$b5 = "Now we have all your files like: financial reports, intellectual property, accounting, law actionsand complaints, personal files and so on and so forth."
		$b6 = "We are able to solve this problem in one touch."
		$b7 = "We (BlackSuit) are ready to give you an opportunity to get all the things back if you agree to makea deal with us."
		$b8 = "You have a chance to get rid of all possible financial, legal, insurance and many others risks and problems for a quite small compensation."
		$b9 = "You can have a safety review of your systems."
		$b10 = "All your files will be decrypted, your data will be reset, your systems will stay in safe."
		$b11 = "Contact us through TOR browser using the link:"

	condition:
		(uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
		$a and
		8 of ($b*)
}

#100DaysofYARA 2024 – Day 23 – Kuiper Ransomware Note

Following on from yesterday’s rule to detect Kuiper ransomware binaries, I wrote another rule to detect the ransom note that it drops. Again, I didn’t have a sample available but Stairwell’s blog contained enough details to build out a rule.

rule MAL_Kuiper_ransomnote {
	meta:
		description = "Matches strings found in Stairwell analysis blog post of Kuiper ransomware."
		last_modified = "2024-01-23"
		author = "@petermstewart"
		DaysofYara = "23/100"
		ref = "https://stairwell.com/resources/kuiper-ransomware-analysis-stairwells-technical-report/"

	strings:
		$tox = "D27A7B3711CD1442A8FAC19BB5780FF291101F6286A62AD21E5F7F08BD5F5F1B9803AAC6ECF9"
		$email = "kuipersupport@onionmail.org"
		$a1 = "Your network has been compromised! All your important data has been encrypted!"
		$a2 = "There is  only one way to get your data back to normal:"
		$a3 = "1. Contact us as soon as possible to avoid damages and losses from your business."
		$a4 = "2. Send to us any encrypted file of your choice and your personal key."
		$a5 = "3. We will decrypt 1 file for test (maximum file size = 1 MB), its guaranteed that we can decrypt your files."
		$a6 = "4. Pay the amount required in order to restore your network back to normal."
		$a7 = "5. We will then send you our software to decrypt and will guide you through the whole restoration of your network."
		$a8 = "We prefer Monero (XMR) - FIXED PRICE"
		$a9 = "We accept Bitcoin (BTC) - 20% extra of total payment!"
		$a10 = "WARNING!"
		$a11 = "Do not rename encrypted data."
		$a12 = "Do not try to decrypt using third party software, it may cause permanent data loss not being able to recover."
		$a13 = "Contact information:"
		$a14 = "In order to contact us, download with the following software: https://qtox.github.io or https://tox.chat/download.html"
		$a15 = "Then just add us in TOX:"
		$a16 = "Your personal id:"
		$a17 = "--------- Kuiper Team ------------"

	condition:
		filesize < 5KB and
		15 of them
}

#100DaysofYARA 2024 – Day 22 – Kuiper Ransomware

I wasn’t familiar with the Kuiper ransomware until I found this write-up published by Stairwell.

I didn’t have a sample available, but the Stairwell report included enough details that I was able to write my own YARA rule using the defense evasion and self-propagation commands they highlighted.

rule MAL_Kuiper_strings {
	meta:
		description = "Matches strings found in Stairwell analysis blog post of Kuiper ransomware."
		last_modified = "2024-01-22"
		author = "@petermstewart"
		DaysofYara = "22/100"
		ref = "https://stairwell.com/resources/kuiper-ransomware-analysis-stairwells-technical-report/"

	strings:
		$a1 = "kuiper"
		$a2 = "README_TO_DECRYPT.txt"
		$a3 = "vssadmin delete shadows /all /quiet"
		$a4 = "wevtutil cl application"
		$a5 = "wbadmin delete catalog -quiet"
		$a6 = "bcdedit /set {default} recoveryenabled No"
		$a7 = "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"
		$a8 = "wevtutil cl securit"
		$a9 = "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
		$a10 = "wbadmin DELETE SYSTEMSTATEBACKUP"
		$a11 = "wevtutil cl system"
		$a12 = "vssadmin resize shadowstorage /for="
		$a13 = "\\C$\\Users\\Public\\safemode.exe"
		$a14 = "process call create \"C:\\Users\\Public\\safemode.exe -reboot no\""

	condition:
		uint16(0) == 0x5a4d and
		10 of them
}

#100DaysofYARA 2024 – Day 21 – Royal Ransomware Note

Just the one rule today – matching strings found in the Royal ransom note.

rule MAL_Royal_ransomnote {
	meta:
		description = "Matches strings found in Royal ransom note sample."
		last_modified = "2024-01-21"
		author = "@petermstewart"
		DaysofYara = "21/100"

	strings:
		$a = "royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion"
		$b1 = "If you are reading this, it means that your system were hit by Royal ransomware"
		$b2 = "Please contact us via :"
		$b3 = "In the meantime, let us explain this case"
		$b4 = "It may seem complicated, but it is not!"
		$b5 = "Most likely what happened was that you decided to save some money on your security infrastructure"
		$b6 = "Alas, as a result your critical data was not only encrypted but also copied from your systems on a secure server"
		$b7 = "From there it can be published online"
		$b8 = "Then anyone on the internet from darknet criminals, ACLU journalists, Chinese government"
		$b9 = "and even your employees will be able to see your internal documentation: personal data, HR reviews, internal lawsuitsand complains, financial reports, accounting, intellectual property, and more"
		$b10 = "Fortunately we got you covered!"
		$b11 = "Royal offers you a unique deal.For a modest royalty(got it; got it ? )"
		$b12 = "for our pentesting services we will not only provide you with an amazing risk mitigation service"
		$b13 = "covering you from reputational, legal, financial, regulatory, and insurance risks, but will also provide you with a security review for your systems"
		$b14 = "To put it simply, your files will be decrypted, your data restoredand kept confidential, and your systems will remain secure"
		$b15 = "Try Royal today and enter the new era of data security"
		$b16 = "We are looking to hearing from you soon"

	condition:
		filesize < 5KB and
		1 of ($a*) and
		13 of ($b*)
}

#100DaysofYARA 2024 – Day 20 – Royal Ransomware

Royal is a ransomware-as-a-service operated by ROYAL SPIDER, which emerged following the Conti leaks in 2022. Today’s rule matches strings found in Windows and Linux samples of Royal ransomware:

rule MAL_Royal_strings {
	meta:
		description = "Matches strings found in Windows and Linux samples of Royal ransomware."
		last_modified = "2024-01-20"
		author = "@petermstewart"
		DaysofYara = "20/100"
		sha256 = "312f34ee8c7b2199a3e78b4a52bd87700cc8f3aa01aa641e5d899501cb720775"
		sha256 = "9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926"
		sha256 = "b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c"

	strings:
		$a = "royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion"
		$b1 = "If you are reading this, it means that your system were hit by Royal ransomware"
		$b2 = "Please contact us via :"
		$b3 = "In the meantime, let us explain this case"
		$b4 = "It may seem complicated, but it is not!"
		$b5 = "Most likely what happened was that you decided to save some money on your security infrastructure"
		$b6 = "Alas, as a result your critical data was not only encrypted but also copied from your systems on a secure server"
		$b7 = "From there it can be published online"
		$b8 = "Then anyone on the internet from darknet criminals, ACLU journalists, Chinese government"
		$b9 = "and even your employees will be able to see your internal documentation: personal data, HR reviews, internal lawsuitsand complains, financial reports, accounting, intellectual property, and more"
		$b10 = "Fortunately we got you covered!"
		$b11 = "Royal offers you a unique deal.For a modest royalty(got it; got it ? )"
		$b12 = "Try Royal today and enter the new era of data security"
		$b13 = "We are looking to hearing from you soon"

	condition:
		filesize > 2000KB and filesize < 3500KB and
		(uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
		$a and
		10 of ($b*)
}

But wait, there’s more! When I was looking at the Linux sample (SHA256: b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c) I found an RSA Public Key block. I don’t know what it’s for, but my rule matches at least one more sample (SHA256: 06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725) so it might be interesting.

rule HUNT_Royal_RSA_Public_Key {
	meta:
		description = "Matches an RSA Public Key block found in Royal ransomware Linux samples."
		last_modified = "2024-01-20"
		author = "@petermstewart"
		DaysofYara = "20/100"
		sha256 = "b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c"
		sha256 = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725"

	strings:
		$key1 = "-----BEGIN RSA PUBLIC KEY-----"
		$key2 = "MIICCAKCAgEAp/24TNvKoZ9rzwMaH9kVGq4x1j+L/tgWH5ncB1TQA6eT5NDtgsQH"
		$key3 = "jv+6N3IY8P4SPSnG5QUBp9uYm3berObDuLURZ4wGW+HEKY+jNht5JD4aE+SS2Gjl"
		$key4 = "+lht2N+S8lRDAjcYXJZaCePN4pHDWQ65cVHnonyo5FfjKkQpDlzbAZ8/wBY+5gE4"
		$key5 = "Tex2Fdh7pvs7ek8+cnzkSi19xC0plj4zoMZBwFQST9iLK7KbRTKnaF1ZAHnDKaTQ"
		$key6 = "uCkJkcdhpQnaDyuUojb2k+gD3n+k/oN33Il9hfO4s67gyiIBH03qG3CYBJ0XfEWU"
		$key7 = "cvvahe+nZ3D0ffV/7LN6FO588RBlI2ZH+pMsyUWobI3TdjkdoHvMgJItrqrCK7BZ"
		$key8 = "TIKcZ0Rub+RQJsNowXbC+CbgDl38nESpKimPztcd6rzY32Jo7IcvAqPSckRuaghB"
		$key9 = "rkci/d377b6IT+vOWpNciS87dUQ0lUOmtsI2LLSkwyxauG5Y1W/MDUYZEuhHYlZM"
		$key10 = "cKqlSLmu8OTitL6bYOEQSy31PtCg2BOtlSu0NzW4pEXvg2hQyuSEbeWEGkrJrjTK"
		$key11 = "v9K7eu+eT5/arOy/onM56fFZSXfVseuC48R9TWktgCpPMkszLmwY14rp1ds6S7OO"
		$key12 = "/HLRayEWjwa0eR0r/GhEHX80C8IU54ksEuf3uHbpq8jFnN1A+U239q0CAQM="
		$key13 = "-----END RSA PUBLIC KEY-----"

	condition:
		filesize > 2MB and filesize < 3MB and
		(uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and
		all of ($key*)
}

#100DaysofYARA 2024 – Day 19 – LockBit Ransomware Note

Rounding out my LockBit rules (I didn’t have a Linux sample to analyse) with one to find the ransom note dropped by LockBit 2.0:

rule MAL_Lockbit_2_ransomnote {
	meta:
		description = "Matches strings found in Lockbit 2.0 ransom note samples."
		last_modified = "2024-01-19"
		author = "@petermstewart"
		DaysofYara = "19/100"

	strings:
		$a = "http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion"
		$b1 = "https://bigblog.at"
		$b2 = "http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion"
		$b3 = "http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion"
		$c1 = "LockBit 2.0 Ransomware"
		$c2 = "Your data are stolen and encrypted"
		$c3 = "The data will be published on TOR website"
		$c4 = "if you do not pay the ransom"
		$c5 = "You can contact us and decrypt on file for free on these TOR sites"
		$c6 = "Decryption ID:"

	condition:
		filesize < 5KB and
		$a and
		2 of ($b*) and
		5 of ($c*)
}

#100DaysofYARA 2024 – Day 18 – LockBit Ransomware (macOS)

In April 2023 researchers found a macOS variant of the LockBit encryptor. I am not aware of any public reports where it has been used in the wild, but it’s interesting enough to be worth a quick YARA rule:

rule MAL_Lockbit_2_macOS_strings {
	meta:
		description = "Matches strings found in Lockbit ransomware macOS sample."
		last_modified = "2024-01-18"
		author = "@petermstewart"
		DaysofYara = "18/100"
		sha256 = "3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79"

	strings:
		$a1 = "lockbit"
		$a2 = "restore-my-files.txt"
		$a3 = "_I_need_to_bypass_this_"
		$a4 = "kLibsodiumDRG"
		$b = "_Restore_My_Files_"

	condition:
		filesize < 500KB and
		(uint32(0) == 0xfeedface or	// MH_MAGIC
		uint32(0) == 0xcefaedfe or	// MH_CIGAM
		uint32(0) == 0xfeedfacf or	// MH_MAGIC_64
		uint32(0) == 0xcffaedfe or	// MH_CIGAM_64
		uint32(0) == 0xcafebabe or	// FAT_MAGIC
		uint32(0) == 0xbebafeca) and	// FAT_CIGAM
		#b > 4 and
		all of ($a*)
}
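The header checks in the rules on this page (Mach-O above, `MZ` and `\x7fELF` in the Royal, BlackSuit, Kuiper and LockBit Windows rules) all rely on YARA's `uint16()`/`uint32()` reading little-endian regardless of the file's own byte order, which is why each Mach-O magic is listed in both byte orders. This Python script is an added example, not code from the original post: it mirrors those reads on constructed header bytes so you can see which branch of each condition a given file would satisfy. The `RULE_HEADERS` table and the sample bytes are my own construction.

```python
import struct

# Magic values exactly as the YARA conditions on this page compare them.
PE_MAGIC = 0x5a4d         # uint16(0) == 0x5a4d     -> file starts with "MZ"
ELF_MAGIC = 0x464c457f    # uint32(0) == 0x464c457f -> file starts with "\x7fELF"
MACHO_MAGICS = {
    0xfeedface: "MH_MAGIC",     # 32-bit Mach-O written little-endian
    0xcefaedfe: "MH_CIGAM",     # 32-bit Mach-O written big-endian (bytes fe ed fa ce)
    0xfeedfacf: "MH_MAGIC_64",  # 64-bit Mach-O written little-endian (bytes cf fa ed fe)
    0xcffaedfe: "MH_CIGAM_64",  # 64-bit Mach-O written big-endian
    0xcafebabe: "FAT_MAGIC",
    # Fat/universal headers are stored big-endian, so an on-disk fat binary
    # (bytes ca fe ba be) is the FAT_CIGAM branch under a little-endian read.
    # Note: Java class files share the ca fe ba be prefix; the rule's string
    # and filesize checks are what keep that from being a false positive.
    0xbebafeca: "FAT_CIGAM",
}


def yara_uint16(data: bytes, offset: int = 0) -> int:
    """Mirror YARA's uint16(offset): unsigned, little-endian."""
    return struct.unpack_from("<H", data, offset)[0]


def yara_uint32(data: bytes, offset: int = 0) -> int:
    """Mirror YARA's uint32(offset): unsigned, little-endian."""
    return struct.unpack_from("<I", data, offset)[0]


def classify_header(data: bytes) -> str:
    """Name the header check a file would satisfy, or 'unknown'."""
    if len(data) >= 2 and yara_uint16(data) == PE_MAGIC:
        return "PE"
    if len(data) < 4:
        return "unknown"
    u32 = yara_uint32(data)
    if u32 == ELF_MAGIC:
        return "ELF"
    if u32 in MACHO_MAGICS:
        return "Mach-O " + MACHO_MAGICS[u32]
    return "unknown"


# Constructed lookup (not from the post): header families each rule accepts.
# The string and filesize parts of each condition still have to pass.
RULE_HEADERS = {
    "MAL_Kuiper_strings": {"PE"},
    "MAL_Lockbit_2_Win_strings": {"PE"},
    "MAL_Royal_strings": {"PE", "ELF"},
    "MAL_BlackSuit_strings": {"PE", "ELF"},
    "MAL_Lockbit_2_macOS_strings": {"Mach-O"},
}


def header_check_passes(rule: str, data: bytes) -> bool:
    """True when `data` would pass the header part of `rule`'s condition."""
    family = classify_header(data).split(" ")[0]
    return family in RULE_HEADERS[rule]


if __name__ == "__main__":
    # Constructed header bytes, not real samples.
    for name, hdr in {"pe": b"MZ\x90\x00", "elf": b"\x7fELF\x02",
                      "macho64": bytes.fromhex("cffaedfe"),
                      "fat": bytes.fromhex("cafebabe")}.items():
        print(name, classify_header(hdr))
```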

#100DaysofYARA 2024 – Day 17 – LockBit Ransomware (Windows)

LockBit, operated by BITWISE SPIDER, pivoted to a ransomware-as-a-service model with the launch of LockBit 2.0 in 2021 and quickly became one of the most prevalent ransomware actors. Today’s rule uses strings found in samples to identify Windows LockBit 2.0 executables.

rule MAL_Lockbit_2_Win_strings {
	meta:
		description = "Matches strings found in Lockbit 2.0 ransomware Windows samples."
		last_modified = "2024-01-17"
		author = "@petermstewart"
		DaysofYara = "17/100"
		sha256 = "36446a57a54aba2517efca37eedd77c89dfc06e056369eac32397e8679660ff7"
		sha256 = "9feed0c7fa8c1d32390e1c168051267df61f11b048ec62aa5b8e66f60e8083af"

	strings:
		$a = "http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion" wide
		$b1 = "All your files stolen and encrypted" wide
		$b2 = "for more information see" wide
		$b3 = "RESTORE-MY-FILES.TXT" wide
		$b4 = "that is located in every encrypted folder." wide
		$b5 = "You can communicate with us through the Tox messenger" wide
		$b6 = "If you want to contact us, use ToxID" wide

	condition:
		filesize > 800KB and filesize < 10MB and
		uint16(0) == 0x5a4d and
		$a and
		4 of ($b*)
}

#100DaysofYARA 2024 – Day 16 – BlackCat Ransomware Note

When writing rules for the Windows and Linux BlackCat variants I found two different versions of the ransom note; this rule attempts to match both.

rule MAL_BlackCat_ransomnote {
	meta:
		description = "Matches strings found in two versions of ransom notes dropped by BlackCat (ALPHV)."
		last_modified = "2024-01-16"
		author = "@petermstewart"
		DaysofYara = "16/100"

	strings:
		$heading1a = ">> What happened?"
		$heading1b = ">> Introduction"
		$heading2 = ">> Sensitive Data"
		$heading3 = ">> CAUTION"
		$heading4a = ">> What should I do next?"
		$heading4b = ">> Recovery procedure"
		$a1 = "In order to recover your files you need to follow instructions below."
		$a2 = "clients data, bills, budgets, annual reports, bank statements"
		$a3 = "1) Download and install Tor Browser from: https://torproject.org/"
		$a4 = "2) Navigate to: http://"

	condition:
		filesize < 5KB and
		// 'and' binds tighter than 'or' in YARA, so the two heading pairs
		// must be grouped, or the filesize and $a checks only apply to one branch
		(($heading1a and $heading4a) or ($heading1b and $heading4b)) and
		$heading2 and $heading3 and
		all of ($a*)
}
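YARA gives `and` higher precedence than `or`, so a heading alternation like the one in this rule needs its own parentheses; without them the `filesize` bound only applies to the version-1 branch and the `$heading2`/`$heading3`/`$a*` checks only apply to the version-2 branch. This Python script is an added example, not code from the original post: it re-implements the condition both with YARA's real precedence and with the grouping the rule intends, then evaluates both on constructed notes (the note bodies are made up; the strings are the rule's own).

```python
# Rule strings copied from MAL_BlackCat_ransomnote on this page.
H1A, H1B = ">> What happened?", ">> Introduction"
H2, H3 = ">> Sensitive Data", ">> CAUTION"
H4A, H4B = ">> What should I do next?", ">> Recovery procedure"
A_STRINGS = [
    "In order to recover your files you need to follow instructions below.",
    "clients data, bills, budgets, annual reports, bank statements",
    "1) Download and install Tor Browser from: https://torproject.org/",
    "2) Navigate to: http://",
]
KB = 1024  # YARA's KB suffix


def _has(note: bytes, s: str) -> bool:
    """Plain ASCII substring match, like an unmodified YARA text string."""
    return s.encode() in note


def as_written(note: bytes) -> bool:
    """The condition evaluated with YARA's real precedence: and before or."""
    return (len(note) < 5 * KB and _has(note, H1A) and _has(note, H4A)) or (
        _has(note, H1B) and _has(note, H4B) and _has(note, H2) and _has(note, H3)
        and all(_has(note, a) for a in A_STRINGS)
    )


def intended(note: bytes) -> bool:
    """The condition with the heading alternation explicitly parenthesised."""
    return (
        len(note) < 5 * KB
        and ((_has(note, H1A) and _has(note, H4A)) or (_has(note, H1B) and _has(note, H4B)))
        and _has(note, H2) and _has(note, H3)
        and all(_has(note, a) for a in A_STRINGS)
    )


# Constructed inputs, not real ransom notes.
FULL_V1 = "\n".join([H1A, A_STRINGS[0], H2, A_STRINGS[1], H3, H4A] + A_STRINGS[2:]).encode()
FULL_V2 = "\n".join([H1B, A_STRINGS[0], H2, A_STRINGS[1], H3, H4B] + A_STRINGS[2:]).encode()
# Only the two v1 headings, none of the $a strings: should not match.
V1_HEADINGS_ONLY = "\n".join([H1A, H4A, "unrelated text"]).encode()
# A complete v2 note padded well past the 5KB bound: should not match.
OVERSIZED_V2 = FULL_V2 + b"\n" + b"A" * (6 * KB)

if __name__ == "__main__":
    for name, note in [("FULL_V1", FULL_V1), ("FULL_V2", FULL_V2),
                       ("V1_HEADINGS_ONLY", V1_HEADINGS_ONLY), ("OVERSIZED_V2", OVERSIZED_V2)]:
        print(f"{name:18} as_written={as_written(note)!s:5} intended={intended(note)}")
```

The two cases where the columns disagree are exactly the unintended matches the ungrouped condition lets through.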