
Featured YARA rule: Top 10 Ransomware Threats

  • December 15, 2023
  • 16 comments
  • 2697 views

Rick Vanover

Now that V12.1 is available, I wanted to share with you a featured YARA rule set that can give you on-demand scanning for some top ransomware threats. 

Attached to this post is a file named: Top10RW_YARArules.zip. In this file are YARA rules for some common ransomware threats that have been seen recently:

Attribution: This great collection was made by Felix Bilstein. Links: X: @fxb_b (twitter.com), website: Felix Bilstein - project overview (cocacoding.com), GitHub: fxb-cocacoding (Felix Bilstein)

16 comments

Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 9583 comments
  • December 15, 2023

Thanks for sharing these, Rick. Looking forward to exploring YARA with 12.1.


coolsport00
  • Veeam Legend
  • 4903 comments
  • December 15, 2023

Fantastic Rick! Appreciate the share. Will look at this for sure after I get my environment upgraded.


Rick Vanover
  • Author
  • RICKATRON
  • 871 comments
  • December 15, 2023

Cheers, Shane.


JMeixner
  • On the path to Greatness
  • 2687 comments
  • December 15, 2023

Thanks Rick, I will try this on Monday 😎👍🏼


BertrandFR
  • Influencer
  • 528 comments
  • December 16, 2023

Thanks for sharing @Rick Vanover, any comments about it @Julien Mousqueton?


Scott
  • Veeam Legend
  • 1110 comments
  • December 18, 2023

This is great. I’ll add it to the lab this week!


JMousqueton
  • Veeam Vanguard
  • 10 comments
  • December 19, 2023

@Rick Vanover & @BertrandFR 

Find below the gold mine of YARA rules:

https://yarahq.github.io

“YARA Forge specializes in delivering high-quality YARA rule packages for immediate integration into security platforms. This tool automates the sourcing, standardization, and optimization of YARA rules from a variety of public repositories shared by different organizations and individuals. By collating these community-contributed rules, YARA Forge ensures that each package meets rigorous quality standards, offering a diverse and comprehensive rule set.” 


Link State
  • Veeam Legend
  • 686 comments
  • December 20, 2023

Thank you @Rick Vanover, everything seems okay.

Uploaded to C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules

Launched a YARA scan with the medusa rule, no error at the moment.
Thanks for sharing.



Scott
  • Veeam Legend
  • 1110 comments
  • December 20, 2023

Tested in my lab and it worked great (minimal CPU available and a pretty small backup set).

I'm excited to get more into YARA rules and look forward to posting some writeups and new rules for people to try on here.


  • New Here
  • 2 comments
  • January 4, 2024

@Rick Vanover & @BertrandFR 

Find below the gold mine of YARA rules:

https://yarahq.github.io

“YARA Forge specializes in delivering high-quality YARA rule packages for immediate integration into security platforms. This tool automates the sourcing, standardization, and optimization of YARA rules from a variety of public repositories shared by different organizations and individuals. By collating these community-contributed rules, YARA Forge ensures that each package meets rigorous quality standards, offering a diverse and comprehensive rule set.” 

Trying the core ruleset tonight!


damien commenge
  • Veeam Legend
  • 125 comments
  • January 6, 2024

Hello,


Thanks for sharing it @Rick Vanover 

I'm sorry, but I'm not sure I really understand what YARA rules are for?

Do I need to select one rule like "test eicar" for VBR to scan the file backup and tell me "yes, there is EICAR in this file backup"?

I'm sorry, I don't know anything about it, but I'm not sure I understand the benefits when I compare it to other new 12.1 features like inline detection (I don't have to create any rules) or suspicious activity detection?
Thanks for your explanations :)


  • New Here
  • 2 comments
  • May 20, 2024

The YARA file adonunix alerts a lot of false positives; primarily it detects Windows Update packages as threats. Is this supposed to happen, or should I worry about it?



Rick Vanover
  • Author
  • RICKATRON
  • 871 comments
  • May 20, 2024

The YARA file adonunix alerts a lot of false positives; primarily it detects Windows Update packages as threats. Is this supposed to happen, or should I worry about it?


Hi @mmalarino → Yes, Windows updates have also produced a lot of false positives for massive encryption too. We are tuning the logic often. Stay tuned. And welcome to the Veeam community :)


  • New Here
  • 2 comments
  • May 20, 2024

@Rick Vanover thanks for the rules and the chance for a test. I'll be looking forward for more info!


Filik
  • New Here
  • 2 comments
  • August 14, 2025

Thanks Rick, I was looking for something like this.

I went and merged all 10 rules from the zip into one single .yar file, so it's one entry to select, and then wait for the scan outcome.

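Merging several .yar files into one, as described in the comment above, only works if rule identifiers stay unique across the combined file, since YARA refuses to compile two rules with the same name. The following Python script is an added example, not code from the post or from the Top10RW_YARArules.zip rule set: it concatenates rule sources, hoists module imports to the top once, and fails on a duplicate rule name. The file names and rule bodies in SAMPLE are constructed.

```python
import re
import sys
from pathlib import Path

# Matches a rule header such as "rule Foo", "private rule Foo" or "global private rule Foo : tag".
RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)', re.MULTILINE)
# Matches a module import line such as: import "pe"
IMPORT_RE = re.compile(r'^\s*import\s+"([^"]+)"\s*$', re.MULTILINE)


def merge_yara_sources(sources):
    """Merge {file_name: yara_text} into a single rule file.

    Module imports are emitted once at the top. A rule identifier that appears
    in two inputs raises ValueError instead of producing a file YARA cannot compile.
    """
    imports, seen, parts = [], {}, []
    for name, text in sources.items():
        for mod in IMPORT_RE.findall(text):
            if mod not in imports:
                imports.append(mod)
        for rule in RULE_RE.findall(text):
            if rule in seen:
                raise ValueError(f"rule '{rule}' defined in both {seen[rule]} and {name}")
            seen[rule] = name
        body = IMPORT_RE.sub("", text).strip()  # imports are re-added in the header
        parts.append(f"// ---- source: {name} ----\n{body}")
    header = "".join(f'import "{m}"\n' for m in imports)
    return header + ("\n" if header else "") + "\n\n".join(parts) + "\n"


def merge_yara_files(paths, out_path):
    """Read the given .yar files, merge them and write the result to out_path."""
    merged = merge_yara_sources({Path(p).name: Path(p).read_text() for p in paths})
    Path(out_path).write_text(merged)
    return merged


# Constructed sample rules (hypothetical, not taken from the shared rule set).
SAMPLE = {
    "family_a.yar": 'import "pe"\nrule Family_A { strings: $s = "note.txt" condition: $s and pe.is_pe }\n',
    "family_b.yar": 'import "pe"\nrule Family_B { strings: $s = "README" condition: $s }\n',
}

if __name__ == "__main__":
    if len(sys.argv) > 2:  # usage: merge_yara.py a.yar b.yar ... merged.yar
        merge_yara_files(sys.argv[1:-1], sys.argv[-1])
    else:
        print(merge_yara_sources(SAMPLE))
```

Run the merged file through `yara -w merged.yar <sample file>` (or the yarac compiler) once before uploading it to the YaraRules folder, so a syntax problem in one source does not silently break every rule in the combined entry.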

waqasali
  • Influencer
  • 405 comments
  • August 17, 2025

Thanks @Rick Vanover, this is a solid step toward proactive ransomware defense.