rule Maze
{
meta:
description = "Identifies Maze ransomware in memory or unpacked."
author = "@bartblaze"
date = "2019-11"
tlp = "White"
strings:
$ = "Enc: %s" ascii wide
$ = "Encrypting whole system" ascii wide
$ = "Encrypting specified folder in --path parameter..." ascii wide
$ = "!Finished in %d ms!" ascii wide
$ = "--logging" ascii wide
$ = "--nomutex" ascii wide
$ = "--noshares" ascii wide
$ = "--path" ascii wide
$ = "Logging enabled | Maze" ascii wide
$ = "NO SHARES | " ascii wide
$ = "NO MUTEX | " ascii wide
$ = "Encrypting:" ascii wide
$ = "You need to buy decryptor in order to restore the files." ascii wide
$ = "Dear %s, your files have been encrypted by RSA-2048 and ChaCha algorithms" ascii wide
$ = "%s! Alert! %s! Alert! Dear %s Your files have been encrypted by %s! Attention! %s" ascii wide
$ = "DECRYPT-FILES.txt" ascii wide fullword
condition:
5 of them
}