• EN

Featured YARA rule: Top 10 Ransomware Threats

Rick Vanover
Userlevel 7
Badge +10

Now that V12.1 is available, I wanted to share with you a featured YARA rule set that can give you on-demand scanning for some top ransomware threats. 

Attached to this post is a file named: Top10RW_YARArules.zip. In this file are YARA rules for some common ransomware threats that have been seen recently:

Attribution: This great collection was made by Felix Bilsten. Links: X: Felix Bilstein (@fxb_b) / X (twitter.com), website: Felix Bilstein - project overview (cocacoding.com) and Github: fxb-cocacoding (Felix Bilstein) · GitHub

1 Attachment
Twitter @RickVanover | Email: rick.vanover@veeam.com

11 comments

Chris.Childerhose
Userlevel 7
Badge +20

Thanks for sharing these, Rick.  Looking forward to exploring Yara with 12.1.

Chris Childerhose - VMCA2022 | VMCE2023 | Veeam Vanguard 7* | Veeam Legend 3* | vExpert 5* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
coolsport00
Userlevel 7
Badge +17

Fantastic Rick! Appreciate the share. Will look at this for sure after I get my environment upgraded.

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
Rick Vanover
Userlevel 7
Badge +10

Cheers, Shane.

Twitter @RickVanover | Email: rick.vanover@veeam.com
JMeixner
Userlevel 7
Badge +17

Thanks Rick, I will try this on Monday 😎👍🏼

Jochen (Joe) Meixner | Veeam Vanguard 2024 | Veeam Legend 2021 - 2023 | Veeam Certified Architect (VMCA) 2022 | Twitter: @JoMeix | BlueSky: @jmeixner.bsky.social
BertrandFR
Userlevel 7
Badge +8

Thanks for sharing @Rick Vanover , any comments about it @Julien Mousqueton ?

Scott
Userlevel 7
Badge +8

This is great. I’ll add it to the lab this week!

JMousqueton
Userlevel 4
Badge +3

@Rick Vanover & @BertrandFR 

Find bellow the golden mine of Yara rules : 

https://yarahq.github.io
 

“YARA Forge specializes in delivering high-quality YARA rule packages for immediate integration into security platforms. This tool automates the sourcing, standardization, and optimization of YARA rules from a variety of public repositories shared by different organizations and individuals. By collating these community-contributed rules, YARA Forge ensures that each package meets rigorous quality standards, offering a diverse and comprehensive rule set.” 

Link State
Userlevel 7
Badge +8

Thank you @Rick Vanover  everything seems okay.

uploaded C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules

Launched scan yara medusa no error at the moment.
Thanks for sharing.

 

 

Veeam: VMCA | VMCE | VMXP | Veeam Legend - Microsoft: MCITP | MCP | MCSA | 2008 R2 | 2012R2 | 2016 | MCSE Core Infrastructure | MCSE Cloud Platform - Azure: AZ900 | AZ104 - VMWare: VCP-DCV Vsphere 7.x - Cisco: CCNA (Expired)
Scott
Userlevel 7
Badge +8

Tested in my lab and it worked great. (minimal CPU available and a pretty small backup set)

I’m excited to get more into Yara rules and look forward to posting some writeups and new rules for people to try on here. 

T

@Rick Vanover & @BertrandFR 

Find bellow the golden mine of Yara rules : 

https://yarahq.github.io
 

“YARA Forge specializes in delivering high-quality YARA rule packages for immediate integration into security platforms. This tool automates the sourcing, standardization, and optimization of YARA rules from a variety of public repositories shared by different organizations and individuals. By collating these community-contributed rules, YARA Forge ensures that each package meets rigorous quality standards, offering a diverse and comprehensive rule set.” 

Trying the core ruleset tonight!

D
Userlevel 6
Badge +4

Hello,

 

Thanks for sharing it @Rick Vanover 

I’m sorry but I ‘m not sure to understand really what YARA rules are for ? 

I need to select 1 rule like “test eicar” for VBR to scan file backup and say me yes there is eicar on this file backup ?

I’m sorry I don’t know anything about it but not sure I understand the benefits when I compare to other new 12.1 feature like inline detection (I don’t have to create any rules) or suspicious activity detection ?
Thanks for your explanations :)

Comment


Terms & Conditions