1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-02-17
Identifier: Locky
*/
rule Locky_Ransomware : ransom {
meta:
description = "Detects Locky Ransomware (matches also on Win32/Kuluoz)"
author = "Florian Roth (with the help of binar.ly)"
reference = "https://goo.gl/qScSrE"
date = "2016-02-17"
hash = "5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8"
strings:
$o1 = { 45 b8 99 f7 f9 0f af 45 b8 89 45 b8 } // address=0x4144a7
$o2 = { 2b 0a 0f af 4d f8 89 4d f8 c7 45 } // address=0x413863
condition:
all of ($o*)
}
rule Locky_Ransomware_2: ransom {
meta:
description = "Regla para detectar RANSOM.LOCKY"
author = "CCN-CERT"
version = "1.0"
strings:
$a1 = { 2E 00 6C 00 6F 00 63 00 6B 00 79 00 00 }
$a2 = { 00 5F 00 4C 00 6F 00 63 00 6B 00 79 00 }
$a3 = { 5F 00 72 00 65 00 63 00 6F 00 76 00 65 }
$a4 = { 00 72 00 5F 00 69 00 6E 00 73 00 74 00 }
$a5 = { 72 00 75 00 63 00 74 00 69 00 6F 00 6E }
$a6 = { 00 73 00 2E 00 74 00 78 00 74 00 00 }
$a7 = { 53 6F 66 74 77 61 72 65 5C 4C 6F 63 6B 79 00 }
condition:
all of them
}