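/*
 * Ransomware detection rules (PlayCrypt, SafePay, INC, RansomHub, FuryStorm, FireFlame).
 * Author of the rule logic: Google Threat Intelligence Group (GTIG).
 *
 * Review notes:
 *  - The original listing defined `M_Ransom_INC_2` twice (a PE rule and an ELF rule).
 *    YARA rejects duplicate rule identifiers in one namespace, so the file did not
 *    compile as a whole. The ELF rule is renamed `M_Ransom_INC_LINUX_1`, following the
 *    existing `G_Ransom_PLAYCRYPT_LINUX_1` naming convention. Update any references.
 *  - `import "pe"` is hoisted to the top of the file; YARA accepts it anywhere at
 *    top level, but a single leading import block is conventional.
 *  - Detection logic (strings, conditions, size gates) is otherwise unchanged.
 */

import "pe"

// PlayCrypt (Play) ransomware, Windows PE build.
// Code patterns ($c*) are x86 byte sequences; ($s*) are two strings the sample carried.
// Size window 100-200KB is a sample-derived gate; rebuilt or packed samples may fall outside it.
rule M_Ransomware_PLAYCRYPT_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
        date_created = "2022-12-21"
        date_modified = "2022-12-21"
        rev = "1"
    strings:
        $c1 = { 8A CB 0F B6 D0 8B F2 8B FA D3 EE 8D 4B 01 D3 EF 83 E6 01 83 E7 01 }
        $c2 = { 8D 45 F0 C7 85 D0 FD FF FF 00 00 00 00 50 83 EC 08 }
        $c3 = { 8B 14 0A 8B 4C 32 20 03 D6 89 55 E0 03 CE }
        $c4 = { 8D 8D 80 ?? FF FF E8 C8 ?? FF FF 85 C0 75 61 83 BD [2] FF FF 05 76 58 }
        $c5 = { FF 76 ?? C6 45 EE 00 E8 [2] 00 00 8B F0 8B CF 33 C0 85 F6 0F 48 F0 E8 }
        $c6 = { FF D0 8B F8 83 FF 05 0F [2] 01 00 00 83 FF 06 0F [2] 01 00 00 8B 0E 3B 4E 04 0F [2] 01 00 00 83 FF 04 74 6D 83 FF 01 }
        $s1 = "OpaqueKeyBlob" wide
        $s2 = "AppPolicyGetProcessTerminationMethod"
    condition:
        // MZ header and a valid PE signature at e_lfanew.
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        filesize > 100KB and filesize < 200KB and
        // Either two code patterns plus both strings, or four code patterns alone.
        ((2 of ($c*) and all of ($s*)) or (4 of ($c*)))
}

// PlayCrypt (Play) ransomware, Linux/ESXi build.
// Strings reference esxcli and a ".PLAY" token; all six are required.
rule G_Ransom_PLAYCRYPT_LINUX_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = "First step is done."
        $s2 = "/dev/urandom"
        $s3 = "esxcli storage filesystem list > storage"
        $s4 = "hosts in exclusion:"
        $s5 = "encrypt: "
        $s6 = ".PLAY" fullword
    condition:
        // ELF magic (\x7fELF read as little-endian uint32).
        uint32(0) == 0x464C457F and all of them
}

// SafePay ransomware, keyed on a fixed import hash.
// NOTE(review): an imphash changes with any relink or import-table edit, so this rule is
// tied to one build. $hex_asm_snippet (two DWORDs of 0x2710 = 10000 within 4 bytes) is
// common on its own and is only meaningful in conjunction with the imphash.
rule G_Ransom_SAFEPAY_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $hex_asm_snippet = { 10 27 00 00 [0-4] 10 27 00 00 }
    condition:
        pe.imphash() == "ff67c703589f775db9aed5a03e4489b0" and ($hex_asm_snippet)
}

// SafePay ransomware, code-pattern based.
// $code_*: string-decode loop, CPUID-based hardware AES check, file-encrypt sequence
// (names are the rule author's; not independently confirmed here).
// $enc_str*: stack-built (mov [ebp+x], imm32) encoded string fragments.
rule G_Ransom_SAFEPAY_2 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $code_string_decode = { 8A C2 32 C1 32 44 0D ?? 34 ?? 88 44 0D ?? 41 83 F9 04 [4-64] B? 4D 5A 00 00 }
        $code_hardware_aes_check = { 0F A2 8B F3 5B 89 07 89 77 ?? 89 4F ?? 89 57 [0-12] ( 00 00 00 02 | C1 ?? 19 ) }
        $code_encrypt_file = { 14 00 10 00 [2-24] 14 00 10 00 [2-32] 00 10 00 5? [0-8] FF ( 15 | D? ) }
        $enc_str1 = { C7 45 ?? 67 4B 3D 49 C7 45 ?? 2F 4F 2F 4D }
        $enc_str2 = { C7 45 ?? 10 3C 51 3E C7 45 ?? 5C 38 4F 3A C7 45 ?? 42 34 58 36 C7 45 ?? 43 30 58 32 66 C7 45 ?? 2D 2C }
        $enc_str3 = { C7 45 ?? A3 8F FF 8D C7 45 ?? EF 8B E4 89 C7 45 ?? E0 87 E0 85 C7 45 ?? E7 83 EC 81 C7 45 ?? FB 9F E8 9D C7 45 ?? FF 9B 98 99 }
        $enc_str4 = { C7 45 ?? 44 40 51 47 C7 45 ?? 51 49 10 10 C7 45 ?? 03 48 43 42 C6 45 ?? 29 }
        $enc_str5 = { C7 45 ?? 77 77 73 74 C7 45 ?? 75 6D 64 70 C7 45 ?? 23 68 63 62 C6 45 ?? 09 }
    condition:
        // MZ header only; the PE signature is not verified in this rule.
        uint16(0) == 0x5a4d and
        (all of ($code*) or (any of ($code*) and any of ($enc*)) or (2 of ($enc*)))
}

// INC ransomware, Windows PE build: CLI/debug log strings (UTF-16).
rule M_Ransom_INC_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = "[*] Count of arguments: %d" wide
        $s2 = "[-] Failed" wide
        $s3 = "[+] Start" wide
        $s4 = "INC-README" wide
        $s5 = "--debug" wide
        $s6 = "RECYCLE" wide
    condition:
        all of them and (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550)
}

// INC ransomware, "Lynx" branded Windows PE build.
// The misspellings in $s1 ("Proccess", "succesffully") are part of the matched
// sample text and must be kept as written.
rule M_Ransom_INC_2 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = "[+] Proccess %s with PID: %d was killed succesffully" wide
        $s2 = "[*] Sending note to printer:" wide
        $s3 = "[+] Recycling bin..." wide
        $s4 = "[*] Starting full encryption in 5s" wide
        $s5 = "[+] Successfully decoded readme!" wide
        $s6 = "[-] Failed" wide
        // Short, case-insensitive brand token; only meaningful together with 4 of $s*.
        $lynx = "lynx" ascii wide nocase
    condition:
        $lynx and 4 of ($s*) and (uint16(0) == 0x5A4D) and
        filesize < 300KB and filesize > 50KB
}

// INC ransomware, "Sinobi" branded Windows PE build (same log strings as M_Ransom_INC_2,
// different brand token and wider size gate). Misspellings in $s1 are deliberate.
rule G_Ransom_INC_3 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = "[+] Proccess %s with PID: %d was killed succesffully" wide
        $s2 = "[*] Sending note to printer:" wide
        $s3 = "[+] Recycling bin..." wide
        $s4 = "[*] Starting full encryption in 5s" wide
        $s5 = "[+] Successfully decoded readme!" wide
        $s6 = "[-] Failed" wide
        $sin = "sinobi" ascii wide nocase
    condition:
        $sin and 4 of ($s*) and (uint16(0) == 0x5A4D) and
        filesize < 400KB and filesize > 50KB
}

// INC ransomware, Linux/ESXi build (ASCII variants of the M_Ransom_INC_1 strings
// plus "vmsvc"). Originally also named M_Ransom_INC_2, which collided with the
// PE rule above and prevented the file from compiling; renamed here.
rule M_Ransom_INC_LINUX_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = "[*] Count of arguments: %d"
        $s2 = "[-] Failed"
        $s3 = "[+] Start"
        $s4 = "INC-README"
        $s5 = "--debug"
        $s6 = "vmsvc"
    condition:
        all of them and uint32(0) == 0x464c457f
}

// RansomHub ransomware: configuration field names that look like Go struct json tags
// (assumed, not verified here). NOTE(review): there is no file-type or size gate, so
// this rule is scanned against every file; 14 of 18 tags keeps it specific, but any
// artifact embedding the config schema (e.g. a dumped config or source) will also match.
rule M_Ransom_RANSOMHUB_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $str1 = "json:\"settings\""
        $str2 = "json:\"extension\""
        $str3 = "json:\"net_spread\""
        $str4 = "json:\"local_disks\""
        $str5 = "json:\"running_one\""
        $str6 = "json:\"self_delete\""
        $str7 = "json:\"white_files\""
        $str8 = "json:\"white_hosts\""
        $str9 = "json:\"credentials\""
        $str10 = "json:\"kill_services\""
        $str11 = "json:\"set_wallpaper\""
        $str12 = "json:\"white_folders\""
        $str13 = "json:\"note_file_name\""
        $str14 = "json:\"note_full_text\""
        $str15 = "json:\"kill_processes\""
        $str16 = "json:\"network_shares\""
        $str17 = "json:\"note_short_text\""
        $str18 = "json:\"master_public_key\""
    condition:
        14 of them
}

// FuryStorm ransomware, Linux/ESXi encryptor: CLI and log strings.
// Generic tokens ("-paths", "vim-cmd", "Dry-run") are only counted alongside others.
rule G_Ransom_FURYSTORM_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = "Whitelist VM id"
        $s2 = "gwfn6l3bk45o2zecvi7xtyqrpsudmahj"
        $s3 = "Dry-run"
        $s4 = "-paths"
        $s5 = "-vmsvc"
        $s6 = "Note: motd=%d login=%d clean=%d"
        $s7 = "Cryptor args"
        $s8 = "VMX found"
        $s9 = "Keys: %016l"
        $s10 = "vim-cmd"
        $s11 = "Dropping readme"
        $s12 = "Encryption params"
    condition:
        uint32(0) == 0x464c457f and filesize > 50KB and filesize < 700KB and 6 of them
}

// FuryStorm ransomware, Linux decryptor counterpart: 6 of 8 strings required.
rule G_Ransom_FURYSTORM_2 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = "Failed decrypt file:"
        $s2 = "Decryptor args:"
        $s3 = "Private key loaded"
        $s4 = "Keys: %016l"
        $s5 = "Dry-run"
        $s6 = "Encryption params"
        $s7 = "Whitelist paths"
        $s8 = "Note: motd=%d"
    condition:
        uint32(0) == 0x464c457f and filesize > 50KB and filesize < 300KB and 6 of them
}

// FireFlame ransomware, auto-generated ("Autopatt") x86 code patterns.
// NOTE(review): both patterns are pinned to file-offset windows; $p00_1 must fall in
// 260000..280000, which is specific to one build's layout. A recompiled or
// repacked sample is likely to miss this rule even if the code is unchanged.
rule M_Autopatt_Ransom_FIREFLAME_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $p00_0 = { 8B CE 8D 5F ?? 8A 01 8D 49 ?? 0F B6 C0 83 E8 ?? 8D 04 40 C1 E0 ?? 99 }
        $p00_1 = { 55 8B EC FF 75 ?? E8 [4] 59 8B 4D ?? 89 01 F7 D8 1B C0 }
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        (($p00_0 in (0 .. 380000) and $p00_1 in (260000 .. 280000)))
}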