Detect samples implementing MurmurHash using YARA.
100 Days of YARA – Day 25: Hive Ransomware Obfuscated Strings
Detect the golang-based string obfuscation library implemented by Hive Ransomware with YARA.
100 Days of YARA – Day 18: Yanluowang Ransomware
Another ransomware strain is known as Yanluowang. Here are some of my bookmarks that I've tagged as Yanluowang: https://pinboard.in/u:droberson/t:yanluowang/ This blog post by Symantec was very interesting to me, as it presented a lot of generic examples of post-exploitation activity that was observed by the operators of this ransomware: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue Particularly, this article mentions the …
Continue reading 100 Days of YARA – Day 18: Yanluowang Ransomware
100 Days of YARA – Day 17: BlackCat Ransomware
Find BlackCat ransomware with YARA.
100 Days of YARA – Day 8: Salsa20
Salsa20 is a stream cipher used by various ransomware software: https://appuals.com/grandcrab-ransomware-v4-1-2-theft-prevented-with-salsa20-algorithm/https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.htmlhttps://www.acronis.com/en-us/articles/sodinokibi-ransomware/ I took a similar approach to the rules in previous posts to find MD5 and SHA256 implementations. I found a constant by reading the source code of a Salsa20 implementation on GitHub and looking for unique constants: https://github.com/alexwebr/salsa20/blob/master/salsa20.c#L118-L125 This was able to detect Sodinokibi …