Update Ramsonware.yar

malware/Ramsonware.yar

@@ -81,4 +81,19 @@ rule SVG_LoadURL {
 	condition:
 		all of ($s*) and filesize < 600
 }
+rule BackdoorFCKG: CTB_Locker_Ransomware
+{
+meta:
+author = "ISG"
+date = "2015-01-20"
+reference = "https://blogs.mcafee.com/mcafee-labs/rise-backdoor-fckq-ctb-locker"
+description = "CTB_Locker"
 
+strings:
+$string0 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+$stringl = "RNDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 
+$string2 = "keme132.DLL" 
+$string3 = "klospad.pdb" 
+condition:
+3 of them 
+}