Featured YARA rule: Top 10 Ransomware Threats



Now that V12.1 is available, I wanted to share with you a featured YARA rule set that can give you on-demand scanning for some top ransomware threats. 

Attached to this post is a file named: Top10RW_YARArules.zip. In this file are YARA rules for some common ransomware threats that have been seen recently:

Attribution: This great collection was made by Felix Bilstein. Links: X: @fxb_b (twitter.com), website: Felix Bilstein project overview (cocacoding.com), GitHub: fxb-cocacoding (Felix Bilstein).




Thanks for sharing these, Rick. Looking forward to exploring YARA with 12.1.


Fantastic Rick! Appreciate the share. Will look at this for sure after I get my environment upgraded.


Cheers, Shane.


Thanks Rick, I will try this on Monday 😎👍🏼


Thanks for sharing, @Rick Vanover. Any comments about it, @Julien Mousqueton?


This is great. I’ll add it to the lab this week!


@Rick Vanover & @BertrandFR 

Find below the gold mine of YARA rules:

https://yarahq.github.io

“YARA Forge specializes in delivering high-quality YARA rule packages for immediate integration into security platforms. This tool automates the sourcing, standardization, and optimization of YARA rules from a variety of public repositories shared by different organizations and individuals. By collating these community-contributed rules, YARA Forge ensures that each package meets rigorous quality standards, offering a diverse and comprehensive rule set.” 


Thank you @Rick Vanover, everything seems okay.

Uploaded to C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules

Launched a YARA scan with the Medusa rule; no errors at the moment.
Thanks for sharing.



Tested in my lab and it worked great. (minimal CPU available and a pretty small backup set)

I’m excited to get more into Yara rules and look forward to posting some writeups and new rules for people to try on here. 


Trying the core ruleset tonight!


Hello,


Thanks for sharing it @Rick Vanover 

I’m sorry, but I’m not sure I really understand what YARA rules are for?

Do I need to select one rule like “test eicar” for VBR to scan a file backup and tell me yes, there is EICAR in this file backup?

I’m sorry, I don’t know anything about it, but I’m not sure I understand the benefits when I compare it to other new 12.1 features like inline detection (I don’t have to create any rules) or suspicious activity detection?
Thanks for your explanations :)

The YARA file adonunix alerts a lot of false positives; primarily it detects Windows update packages as threats. Is this supposed to happen, or should I worry about it?

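To make the “what is a YARA rule for” question above concrete, and to show the kind of condition that keeps a rule from firing on things like update packages, here is an added illustration. It is editorial example code, not one of the rules in Top10RW_YARArules.zip, not from YARA Forge and not written by Felix Bilstein. The rule names, metadata, ransom-note phrases and command strings are made up for the example; the only real indicator in it is the EICAR test string, and whether VBR lists a given rule by name is something to confirm in your own 12.1 environment.

```yara
/*
  Added illustration for this thread (example code, not from the attached
  rule pack or YARA Forge). Rule names and strings are invented except for
  the EICAR test string, which is the industry-standard benign test sample.
*/

import "pe"

// Answering "select one rule like test eicar": a YARA rule is a set of
// strings plus a condition; the scanner reports each file where the
// condition is true. EICAR is the safe way to prove the scan path works.
rule EICAR_Test_File
{
    meta:
        description = "Matches the 68-byte EICAR anti-malware test file (benign)"
        author      = "example only"
    strings:
        // The test string is split in two so this rule file is not itself
        // quarantined by an AV product; "\\" is a single backslash in YARA.
        $a = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
        $b = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    condition:
        // Both halves at their fixed offsets (0 and 28) and a tiny file:
        // a real EICAR sample, not a document that merely quotes the string.
        $a at 0 and $b at 28 and filesize < 128
}

// Sketch of a ransom-note detector with the guards that stop it matching
// installers and update payloads. The phrases are placeholders, not a
// real family's indicators.
rule Example_Ransom_Note_Guarded
{
    meta:
        description = "Illustrative ransom-note text with false-positive guards"
    strings:
        $note1 = "your files have been encrypted" nocase ascii wide
        $note2 = "to decrypt your files" nocase ascii wide
        $note3 = ".onion" ascii wide
    condition:
        // Ransom notes are small text files; package payloads are not.
        filesize < 64KB
        // uint16(0) reads the first two bytes; 0x5A4D is "MZ", so this
        // excludes every PE executable outright.
        and uint16(0) != 0x5A4D
        and 2 of ($note*)
}

// Same idea for executables: only fire on binaries that carry no
// Authenticode signature, which drops signed vendor/update binaries.
rule Example_Unsigned_PE_With_Shadow_Deletion_Strings
{
    meta:
        description = "Illustrative: unsigned PE containing backup-destruction commands"
    strings:
        $s1 = "vssadmin delete shadows" nocase ascii wide
        $s2 = "wbadmin delete catalog" nocase ascii wide
        $s3 = "bcdedit /set {default} recoveryenabled no" nocase ascii wide
    condition:
        uint16(0) == 0x5A4D
        // pe.number_of_signatures is undefined for non-PE input, which makes
        // the whole condition false rather than erroring.
        and pe.number_of_signatures == 0
        and any of ($s*)
}
```

The EICAR rule is the one to start with: put an eicar.com file in a share that gets backed up, run a scan with that rule selected, and a hit shows the YARA path works end to end. The other two rules show the shape of a guard: the size cap and the MZ check keep the note rule off binaries, and the signature count keeps the PE rule off signed vendor binaries. The trade-off is that signed malware passes the same guard, so treat it as noise reduction rather than proof a file is clean, and measure a rule's false-positive rate against a known-good restore point before you rely on it for alerting.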



Hi @mmalarino, yes, Windows updates have also hit a lot of false positives for massive encryptions as well. We are tuning the logic often. Stay tuned. And welcome to the Veeam community :)

@Rick Vanover, thanks for the rules and the chance for a test. I'll be looking forward to more info!
