Salsa20 is a stream cipher used by various ransomware families:
- https://appuals.com/grandcrab-ransomware-v4-1-2-theft-prevented-with-salsa20-algorithm/
- https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html
- https://www.acronis.com/en-us/articles/sodinokibi-ransomware/
I took the same approach as the rules in previous posts for finding MD5 and SHA256 implementations: read the source code of a Salsa20 implementation on GitHub and look for a constant unique to the algorithm, in this case the 16-byte string "expand 32-byte k" that Salsa20 uses to initialise its state when the key is 32 bytes long: https://github.com/alexwebr/salsa20/blob/master/salsa20.c#L118-L125
The resulting rule detected Sodinokibi ransomware samples in my sample library:
rule salsa20_constants
{
    meta:
        description = "Salsa20 stream cipher constants. Used by various ransomware"
        reference = "https://github.com/alexwebr/salsa20/blob/master/salsa20.c#L118-L125"
    strings:
        $ = "expand 32-byte k"
    condition:
        all of them
}
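As an added example (not part of the original post), a small Python scanner that checks a buffer the way the rule above does (the contiguous "expand 32-byte k" string) and also for the four 32-bit words the constant splits into, since compilers often load it as separate immediates rather than one string literal; it also covers the 16-byte-key variant "expand 16-byte k". Both sample buffers are constructed for the demonstration, not taken from real malware.

```python
import struct

# Salsa20 (and ChaCha) fill the first row of the cipher state from one of two
# fixed 16-byte constants, chosen by key length: sigma for 32-byte keys
# (the string the post's YARA rule matches) and tau for 16-byte keys.
SIGMA = b"expand 32-byte k"
TAU = b"expand 16-byte k"

def dword_forms(constant: bytes) -> list[bytes]:
    """Split a constant into the four 32-bit words an optimising compiler may
    emit as separate immediates (mov eax, 0x61707865 ...) instead of one
    contiguous string, which a plain string match would then miss."""
    return [constant[i:i + 4] for i in range(0, 16, 4)]

def find_all(data: bytes, needle: bytes) -> list[int]:
    """Every offset at which needle occurs in data."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets

def matches_string_rule(data: bytes) -> bool:
    """Equivalent of the post's rule: the contiguous sigma string is present."""
    return SIGMA in data

def find_salsa20_constants(data: bytes, window: int = 64) -> dict[str, dict]:
    """Per constant, report contiguous hits and whether all four words occur
    within `window` bytes of each other (a lone hit on a word such as
    'expa' is too common to count on its own)."""
    report = {}
    for name, const in (("sigma", SIGMA), ("tau", TAU)):
        words = dword_forms(const)
        hits = {w: find_all(data, w) for w in words}
        clustered = any(
            all(any(0 <= o - start < window for o in hits[w]) for w in words[1:])
            for start in hits[words[0]]
        )
        report[name] = {"contiguous": find_all(data, const), "clustered_words": clustered}
    return report

# Constructed samples (not real malware): one embeds sigma as a string literal,
# the other as four x86 'mov eax, imm32' (0xB8) immediates separated by NOPs.
SAMPLE_STRING = b"\x90" * 8 + SIGMA + b"\xc3"
SAMPLE_IMMEDIATES = b"".join(
    b"\xb8" + struct.pack("<I", v) + b"\x90"
    for v in (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)
)
```

The string-only rule matches SAMPLE_STRING but not SAMPLE_IMMEDIATES, while the word-cluster check catches both, which is why a production rule would normally carry both forms.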