YARA RULES
187 detection rules for 99 ransomware families
187 rules
APT73/Eraleig
2 rules
.yar
APT73/Eraleig_rule_1
CISA
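rule APT73_Eraleig_ransomware_1 {
    meta:
        description = "Detects APT73/Eraleig ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a201ed0c43a856b0844a4a35b8b6cbf90290edabd9abfcca91c74d39fc024131"
    strings:
        // Review: the source listed the .onion regex twice ($r0 and $r2).
        // "N of them" counts every definition, so one Tor address filled two
        // slots and alone met the threshold. Listed once; threshold unchanged.
        $r0 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $r1 = /README\..{3,10}/i                 // note filename; generic
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        $s4 = "RECOVER" nocase                   // note vocabulary; generic
        $h5 = { 4E 37 5A EC 84 78 54 61 C2 F7 42 16 21 15 85 4D C7 28 B8 }
        $s6 = "!!!" nocase                       // generic
        $h7 = { 28 60 4E 8D 40 F9 90 16 F9 C4 ED B8 F9 }
        // $h5/$h7 have no stated provenance; verify against the sample in meta.hash.
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}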
APT73/Eraleig_rule_2
InQuest
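rule APT73_Eraleig_ransomware_2 {
    meta:
        description = "Detects APT73/Eraleig ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c711a68e6eaad066465a976a9340ae70c960303c4352fe661dce3f57f25266e4"
    strings:
        // Review: $h0, $h1 and $h7 ended on an unpaired hex digit in the source,
        // which is not valid hex-string syntax. The high nibble is kept with a
        // low-nibble wildcard (X?) — confirm the full byte against meta.hash.
        $h0 = { D7 37 B7 3E FC EB 64 2E 2C C9 A1 37 F0 C6 BB 2A DE C5 FB 44 C? }
        $h1 = { D7 12 9D 6A D4 85 CD 6B 98 E2 61 DE D5 A7 91 87 6? }
        // $r4 was a duplicate of $r2 and is listed once; duplicates let one
        // artefact fill two "N of them" slots.
        $r2 = /README\..{3,10}/i                 // note filename; generic
        $h3 = { 75 40 26 87 95 73 F6 50 A6 5D D8 83 E9 8D CF D8 07 53 4C C5 A5 }
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        $r6 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $h7 = { 5D 1D 75 C3 D1 AE C6 72 3A 65 B8 F9 33 28 7D B7 7A A6 0? }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}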
Abyss
1 rule
.yar
Abyss_rule_1
CISA
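rule Abyss_ransomware_1 {
    meta:
        description = "Detects Abyss ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "d5b4adc1a5b2bb28b09e06bbcf6044cece12b0d93b351ba9e02589843a01bcde"
    strings:
        $s0 = "Do not modify" nocase            // note vocabulary; generic
        // Review: $h1 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as a nibble wildcard — confirm the byte against meta.hash.
        $h1 = { 89 AD EA 78 79 64 62 19 59 8A 35 86 65 DA C1 C8 22 85 CC A8 FD F? }
        $r2 = /README\..{3,10}/i                 // note filename; generic
        $s3 = "DECRYPT" nocase                   // also a substring of common crypto API names
        $h4 = { 55 E7 7D A2 66 46 BE 53 4A 80 5A 8F B6 91 FC E0 C5 D3 BA B8 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}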
AeacusUnit
1 rule
.yar
AeacusUnit_rule_1
Florian Roth
rule AeacusUnit_ransomware_1 {
    meta:
        description = "Detects AeacusUnit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c374b45409898b9960f3433cccc524cbe95ed839ec776c95d310c058fb54b449"
    strings:
        // Byte patterns (no provenance given in the rule)
        $blob_a  = { 75 74 0E 87 52 B9 DF F0 1D C8 }
        $blob_b  = { CF C3 83 30 2F 48 81 F9 15 07 30 7C B4 63 7F A2 A2 03 E1 98 92 BF }
        // Note / crypto vocabulary — each of these is generic on its own
        $decrypt = "DECRYPT" nocase
        $aes     = "AES-256" nocase
        $tox     = "TOX:" nocase
        $chacha  = "ChaCha20" nocase
        // Contact / payment artefacts
        $tor     = /[A-Za-z0-9]{56}\.onion/
        $wallet  = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        uint16be(0) == 0x4D5A          // "MZ"
        and filesize < 5 * 1024 * 1024
        and 2 of ($*)
}
Agenda/Qilin (Rust)
1 rule
.yar
Agenda/Qilin_(Rust)_rule_1
InQuest
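// Review: the source name "Agenda_Qilin_(Rust)_ransomware_1" contains
// parentheses, which are not allowed in a YARA rule identifier; renamed to
// the closest valid identifier.
rule Agenda_Qilin_Rust_ransomware_1 {
    meta:
        description = "Detects Agenda/Qilin (Rust) ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "aee441e242d9712e77cd72ac8791b6c3bfc04c46832861116bb8ffde41127eff"
    strings:
        $r0 = /README\..{3,10}/i                 // note filename; generic
        // $h1 ended on an unpaired hex digit in the source; kept as a nibble
        // wildcard — confirm the byte against meta.hash.
        $h1 = { 4A FB EC 7C 9D 18 0F 85 C2 10 BE DE D3 FD 3A 7D 36 A4 77 D3 2A 36 1F 9? }
        $s2 = "AES-256" nocase                   // generic
        $h3 = { 20 C6 2D AA D1 81 94 88 CA F9 1A }
        // Looks derived from the family label rather than from a sample;
        // confirm this literal actually occurs before relying on it.
        $s4 = ".agenda_qilin_(rust)" nocase
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}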
Akira
1 rule
.yar
Akira_Ransomware
Community YARA Rules
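rule Akira_Ransomware {
    meta:
        description = "Detects Akira ransomware"
        author = "Security Research"
    strings:
        $s1 = "akira_readme" ascii
        $s2 = "akira" ascii nocase
        $s3 = ".akira" ascii
    condition:
        // Review: $s2 is a substring of both $s1 and $s3, so the original
        // "2 of them" was satisfied by $s1 or $s3 alone. The condition below
        // is equivalent but states that explicitly: the generic name plus one
        // family-specific artefact.
        uint16(0) == 0x5A4D and $s2 and 1 of ($s1, $s3)
}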
Anomaly
2 rules
.yar
Anomaly_rule_1
Malpedia
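rule Anomaly_ransomware_1 {
    meta:
        description = "Detects Anomaly ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "761f6670acf9b17a2a20c07d1839a0f7964eebcb7ca4442851f8a0e9943b0f4c"
    strings:
        // Review: $h0 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as a nibble wildcard — confirm the byte against meta.hash.
        $h0 = { A9 B8 B2 86 6A 92 5D AB 0E 7E 47 1C 02 A1 2E BF 2D A2 1B 83 7? }
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        $h2 = { AB ED 83 9C 59 5A 8A FB 37 80 DD FA 5E C1 }
        $r3 = /README\..{3,10}/i                 // note filename; generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them                 // all four strings are required
}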
Anomaly_rule_2
Malpedia
rule Anomaly_ransomware_2 {
    meta:
        description = "Detects Anomaly ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "3165ec7b466c7d6a74ef94b73558701a4d075bd25d827b65a34710da016bc132"
    strings:
        // Byte patterns (no provenance given in the rule)
        $blob_a = { 69 26 90 F0 EB B2 82 6B 05 }
        $blob_b = { 70 3B 4E 4D 71 B7 8B F0 }
        // Tor v3 service address
        $tor    = /[A-Za-z0-9]{56}\.onion/
    condition:
        uint16be(0) == 0x4D5A          // "MZ"
        and filesize < 5 * 1024 * 1024
        and 2 of ($*)
}
Apos Security
2 rules
.yar
Apos_Security_rule_1
InQuest
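rule Apos_Security_ransomware_1 {
    meta:
        description = "Detects Apos Security ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9abef4b6daa7b13efec5de44beb5a5ac025baf49fb83b50d201619be6de57a56"
    strings:
        // Review: $h0, $h1 and $h4 ended on an unpaired hex digit in the source
        // (invalid syntax); kept as nibble wildcards — confirm against meta.hash.
        $h0 = { C7 A5 C1 A8 11 17 CB 8F DC 25 EC CD D9 C9 32 DF 60 2C CA E0 F? }
        $h1 = { 32 A6 9E C3 99 E9 45 E6 6D B3 06 39 F? }
        // $s2/$s3 look derived from the family label; confirm they occur in a sample.
        $s2 = "Apos Security" nocase
        $s3 = ".apos_security" nocase
        $h4 = { CE 4A C2 11 40 5C BE 6B 87 8F E8 E4 19 89 84 02 83 3? }
        // $r7 was a duplicate of $r5 and is listed once; duplicates let one
        // artefact fill two "N of them" slots.
        $r5 = /README\..{3,10}/i                 // note filename; generic
        $h6 = { 62 1E 93 E1 2D BC 88 B2 74 A3 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}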
Apos_Security_rule_2
Florian Roth
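rule Apos_Security_ransomware_2 {
    meta:
        description = "Detects Apos Security ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7d3a473f48c498026d432064044c7f7f539ca3343785b9470fa2c0647dab25ed"
    strings:
        // Review: $h0, $h1 and $h4 ended on an unpaired hex digit in the source
        // (invalid syntax); kept as nibble wildcards — confirm against meta.hash.
        $h0 = { 69 47 57 B3 69 9F 12 BF 52 BB EB CD 37 3D FB 96 F0 D0 45 DC F4 6? }
        $h1 = { 66 29 B0 C6 BC EA 5D 9C 60 DA 5A DF E6 00 81 B0 88 72 FC D8 5F 0? }
        $h2 = { 53 E7 A4 D5 CE F5 42 CF F1 76 31 }
        $r3 = /README\..{3,10}/i                 // note filename; generic
        $h4 = { 04 62 B5 2C F3 15 6B A5 C2 B7 09 8A 8? }
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}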
AresData
1 rule
.yar
AresData_rule_1
InQuest
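rule AresData_ransomware_1 {
    meta:
        description = "Detects AresData ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "10330e5e3259f68302d89918d40a64b978f767ac13638761dc16d713365ebfd5"
    strings:
        // Looks derived from the family label; confirm it occurs in a sample.
        $s0 = ".aresdata" nocase
        // Review: $r5 was a duplicate of $r1 and is listed once. "N of them"
        // counts each definition, so one wallet-like token filled two slots.
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        $s2 = "TOX:" nocase                      // contact vocabulary; generic
        $h3 = { 8C 1A 85 AA 27 0F 47 70 }
        $r4 = /README\..{3,10}/i                 // note filename; generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}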
Babuk
1 rule
.yar
Babuk_rule_1
Florian Roth
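rule Babuk_ransomware_1 {
    meta:
        description = "Detects Babuk ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b6ed7b81cfb5d0db97475b94e3620e9221545ccdb0242419b06644163c49effb"
    strings:
        // Review: the source defined the README regex twice ($r1/$r2) and the
        // wallet regex twice ($r3/$r4). "N of them" counts each definition, so
        // any PE with a single README.* string met the 2-string threshold.
        // Each pattern is listed once; the threshold is unchanged.
        $s0 = "Do not rename" nocase            // note vocabulary; generic
        $r1 = /README\..{3,10}/i                 // note filename; generic
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        // No family-specific artefact remains; expect false positives.
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}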
Bastion
3 rules
.yar
Bastion_rule_1
InQuest
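rule Bastion_ransomware_1 {
    meta:
        description = "Detects Bastion ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "1f28fb7f078af90afb9dbb67ce5a38de825f79446c50d986648fdb8bdd95c580"
    strings:
        // Review: $r5 was a duplicate of $r0 and is listed once; duplicates let
        // one artefact fill two "N of them" slots.
        $r0 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $h1 = { 8C BD 48 C3 F1 5C 7D 90 68 FB 77 D3 0F 55 }
        $s2 = "YOUR FILES" nocase                // note vocabulary; generic
        $s3 = "ENCRYPTED" nocase                 // generic
        $s4 = "!!!" nocase                       // generic
        $s6 = "RSA-2048" nocase                  // generic
        // $h7 ended on an unpaired hex digit in the source; kept as a nibble
        // wildcard — confirm the byte against meta.hash.
        $h7 = { 4A 64 5B AF CF 00 4C 70 24 59 B4 B6 F5 A2 50 4F 6A 87 2? }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}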
Bastion_rule_2
RansomwareMonitor
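rule Bastion_ransomware_2 {
    meta:
        description = "Detects Bastion ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "cc14c681902778d58ae104b2e79bcf1ac86cd5ad13aec9d0ba64972eefa1066c"
    strings:
        $h0 = { 35 6A 70 21 87 F3 94 10 0D 35 1A 4F 52 5B AD 00 BF AB A8 9D }
        // Review: the source defined the .onion regex twice ($r1/$r5) and the
        // wallet regex twice ($r2/$r4); a file with just those two generic
        // artefacts met "3 of them". Each is listed once; threshold unchanged.
        $r1 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        $s3 = "RECOVER" nocase                   // note vocabulary; generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}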
Bastion_rule_3
Florian Roth
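rule Bastion_ransomware_3 {
    meta:
        description = "Detects Bastion ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "68d1f24ea73d412acc364cb5d24f89ce5804fe28b00c969ee651e079dfd14e01"
    strings:
        // Review: $h0 and $h5 ended on an unpaired hex digit in the source
        // (invalid syntax); kept as nibble wildcards — confirm against meta.hash.
        $h0 = { 4D FB 12 50 46 BA 7D 48 2? }
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        // $r6 was a duplicate of $r2 and is listed once.
        $r2 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $s3 = "AES-256" nocase                   // generic
        $s4 = "!!!" nocase                       // generic
        $h5 = { 8F DF 2E 88 65 09 8D BE 13 40 C4 4F 1B 6D 22 4? }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}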
BlackBasta
1 rule
.yar
BlackBasta_Ransomware
Community YARA Rules
rule BlackBasta_Ransomware {
    meta:
        description = "Detects Black Basta ransomware"
        author = "Security Research"
    strings:
        // Tor v3 host label embedded in the note (the strongest of the three)
        $tor_host = "aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd" ascii
        // Note filename and note wording
        $note     = "readme.txt" ascii
        $wording  = "company id for log in" ascii
    condition:
        uint16be(0) == 0x4D5A and 2 of ($*)   // "MZ"
}
BlackByte
2 rules
.yar
BlackByte_rule_1
CISA
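rule BlackByte_ransomware_1 {
    meta:
        description = "Detects BlackByte ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7275b3b67333387f6e3537d1d75d6bfc2127e90ecdea17f6c350e16a9c4a9cda"
    strings:
        $s0 = "YOUR FILES" nocase                // note vocabulary; generic
        $r1 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $r2 = /README\..{3,10}/i                 // note filename; generic
        // Review: $h3 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as a nibble wildcard — confirm the byte against meta.hash.
        $h3 = { 55 AF E7 A8 42 77 2B 47 63 0F 3A 50 78 A0 71 CF 2E 3D 1? }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them                 // all four strings are required
}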
BlackByte_rule_2
Elastic Security
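rule BlackByte_ransomware_2 {
    meta:
        description = "Detects BlackByte ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "02145b58dd66045fd28c778bb4bdff0e3f3609a1a4db3598fac09424509f8fbc"
    strings:
        // Review: $s2 was a duplicate of $s0 and is listed once; duplicates let
        // one artefact fill two "N of them" slots.
        $s0 = "BITCOIN" nocase                   // payment vocabulary; generic
        $h1 = { F4 76 DB 55 FA 50 CA 28 12 EC 38 5B 2C 39 9F 59 F7 8C }
        // $h3 ended on an unpaired hex digit in the source; kept as a nibble
        // wildcard — confirm the byte against meta.hash.
        $h3 = { 85 00 B3 1B 62 A5 2A 75 49 1B C7 84 68 FE 03 CB EE 44 CD 8E B3 05 A6 8? }
        $s4 = "AES-256" nocase                   // generic
        $h5 = { 46 D1 CC 64 ED B5 69 C5 53 44 F1 }
        $h6 = { 25 77 B4 93 9A 5E 60 91 1B F1 B1 F3 47 54 CD DA 41 42 BD A0 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}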
BlackCat Sphynx
1 rule
.yar
BlackCat_Sphynx_rule_1
Florian Roth
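rule BlackCat_Sphynx_ransomware_1 {
    meta:
        description = "Detects BlackCat Sphynx ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "96e4a0d001331bdd70972aa3705190f50801f34e8537dbd6ec33e7f7514ec9ef"
    strings:
        $h0 = { B6 47 18 D3 B9 78 B4 FB 13 78 9A }
        $s1 = "TOX:" nocase                      // contact vocabulary; generic
        $h2 = { 47 2F F9 8D E7 4D E4 CF 00 CF 29 FF 60 91 34 64 0C D6 A5 B3 8A 80 }
        $r3 = /README\..{3,10}/i                 // note filename; generic
        // Review: $h4 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as a nibble wildcard — confirm the byte against meta.hash.
        $h4 = { 62 63 CD 49 64 E4 E4 DA 81 DF 92 E8 89 9? }
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        $s6 = "BITCOIN" nocase                   // generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}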
BlackCat/ALPHV
2 rules
.yar
BlackCat/ALPHV_rule_1
RansomwareMonitor
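rule BlackCat_ALPHV_ransomware_1 {
    meta:
        description = "Detects BlackCat/ALPHV ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b9d9bdb6cb9c5de3a6de716059c06c07f65adc248969fa07b704278157df3724"
    strings:
        // Review: the source defined the .onion regex three times ($r0/$r2/$r3),
        // so a single Tor address met "3 of them" by itself. Listed once.
        // Note that any $r0 hit also matches $s6 (".onion" is part of the
        // regex), so one address still fills two slots.
        $r0 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        // Looks derived from the family label; confirm it occurs in a sample.
        $s1 = "BlackCat/ALPHV" nocase
        $h4 = { 20 2E 7F DE 56 92 1B DA E5 24 C8 CC 42 }
        // $h5 ended on an unpaired hex digit in the source; kept as a nibble
        // wildcard — confirm the byte against meta.hash.
        $h5 = { 71 10 D3 10 E1 38 20 C3 94 F1 6C 34 10 D8 D5 61 C6 B? }
        $s6 = ".onion" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}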
BlackCat_ALPHV_Ransomware
Community YARA Rules
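rule BlackCat_ALPHV_Ransomware {
    meta:
        description = "Detects BlackCat/ALPHV ransomware"
        author = "Security Research"
    strings:
        $s1 = "RECOVER-FILES" ascii
        $s2 = "alphv" ascii nocase
        $s3 = "access-key" ascii          // generic on its own
        // Review: the source also had `$rust = ".rs" ascii`. ".rs" is a prefix
        // of the standard ".rsrc" section name, so it matched essentially every
        // PE and silently lowered "2 of them" to one string. Removed.
    condition:
        uint16(0) == 0x5A4D and 2 of them   // MZ header + two of the above
}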
BlackSuit
3 rules
.yar
BlackSuit_rule_1
VirusTotal
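rule BlackSuit_ransomware_1 {
    meta:
        description = "Detects BlackSuit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "dddc0cfbc63637c4da68cc9d8f1779c6a71bb285201c12b0862620570af4a93c"
    strings:
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        // Review: $h1 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as a nibble wildcard — confirm the byte against meta.hash.
        $h1 = { 65 B7 E1 EA 29 04 C0 BC F5 B0 4? }
        $s2 = "ChaCha20" nocase                  // generic
        $h3 = { DF F3 55 0F DC 15 AD D8 08 34 47 CE 52 9E 79 2A 4E 51 3C 5C }
        $h4 = { E0 B8 CA 5B C3 52 52 F2 }
        $h5 = { 71 DA 4B 6B F2 08 98 A7 7F A8 C7 42 4A 4C 50 B2 }
        $h6 = { B9 D7 8E 68 E9 8D 33 63 9F 6E DB 30 1D 6D 25 76 D0 A3 82 B6 C7 85 0E }
        // Looks derived from the family label; confirm it occurs in a sample.
        $s7 = ".blacksuit" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}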
BlackSuit_rule_2
Florian Roth
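rule BlackSuit_ransomware_2 {
    meta:
        description = "Detects BlackSuit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "94fcded76a926b64fd25f78eac4aeca26e96da267377efe4f04c1edc0b57468c"
    strings:
        // Review: the source had "TOX:" twice ($s0/$s3) and the README regex
        // twice ($r1/$r2), with "4 of them" — i.e. two artefacts sufficed.
        // Only three distinct patterns exist, so the threshold is expressed
        // as "all of them". No family-specific artefact is present.
        $s0 = "TOX:" nocase                      // contact vocabulary; generic
        $r1 = /README\..{3,10}/i                 // note filename; generic
        $r4 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them
}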
BlackSuit_rule_3
RansomwareMonitor
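rule BlackSuit_ransomware_3 {
    meta:
        description = "Detects BlackSuit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "2e64a5def8f7d91e21a71fe2930a08725fd683960c99cd9acc58af715976e706"
    strings:
        $h0 = { CF 0C 7D 13 99 5E E1 1B 15 74 D2 16 60 C5 23 09 }
        // Review: $r6 was a duplicate of $r1 and is listed once; duplicates let
        // one artefact fill two "N of them" slots.
        $r1 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $h2 = { 8F 0D ED 14 84 BA 80 5F 64 CD BB 49 E9 61 43 2C 24 }
        $h3 = { B5 06 D4 D5 E8 7E 14 0D 9E 97 38 }
        $s4 = "!!!" nocase                       // generic
        $s5 = "::::" nocase                      // generic
        // $h7 ended on an unpaired hex digit in the source; kept as a nibble
        // wildcard — confirm the byte against meta.hash.
        $h7 = { F3 75 57 ED 5D 8D 44 F0 DA 49 92 2B 9A C0 4? }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}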
BoltCrew
2 rules
.yar
BoltCrew_rule_1
InQuest
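rule BoltCrew_ransomware_1 {
    meta:
        description = "Detects BoltCrew ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7e75abfc9cf89368245a2eb27319dfd353ec8aa184ac26c12ce761663d705918"
    strings:
        // Review: $h0 and $h3 ended on an unpaired hex digit in the source
        // (invalid syntax); kept as nibble wildcards — confirm against meta.hash.
        $h0 = { C6 0D 56 18 14 62 55 23 90 6C FB AA 46 93 D4 D4 2D 80 87 8? }
        $r1 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        $h3 = { 8D EB 6B 8A 92 10 F3 71 37 08 5C FD AE CB B6 A2 92 FF A? }
        $r4 = /README\..{3,10}/i                 // note filename; generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}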
BoltCrew_rule_2
RansomwareMonitor
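rule BoltCrew_ransomware_2 {
    meta:
        description = "Detects BoltCrew ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "5be46c56a3f96578d8758a41875b5127acd715bae014f30fba4163a34805fbb8"
    strings:
        // Review: $h0, $h2 and $h3 ended on an unpaired hex digit in the source
        // (invalid syntax); kept as nibble wildcards — confirm against meta.hash.
        $h0 = { 62 12 6B 69 D4 E8 90 51 DC 2? }
        $h1 = { D0 71 6A 45 2D 41 23 51 2F 21 3B 88 07 08 18 DC 9E 6C 3E 06 D9 82 E3 }
        $h2 = { 4A A3 ED D9 1F A6 37 6F F8 E4 28 91 D? }
        $h3 = { 46 D2 DA DD E4 DD 32 33 E6 26 8C 56 9D 8F 40 47 5? }
        $s4 = "YOUR FILES" nocase                // note vocabulary; generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}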
Cartel
1 rule
.yar
Cartel_rule_1
Florian Roth
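rule Cartel_ransomware_1 {
    meta:
        description = "Detects Cartel ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "79f1e48f2310943a525389fdb067464e11de88ae60fc9928a2bd11c73eaa07c4"
    strings:
        $h0 = { 41 63 0A 3C 44 BD 96 CD 82 96 90 97 10 D4 38 44 }
        // Any $r1 hit also matches $s4 (the regex contains "README"), so a
        // single note filename fills two of the three slots.
        $r1 = /README\..{3,10}/i                 // note filename; generic
        $s2 = "ENCRYPTED" nocase                 // generic
        // Review: $h3 and $h5 ended on an unpaired hex digit in the source
        // (invalid syntax); kept as nibble wildcards — confirm against meta.hash.
        $h3 = { 75 4E 79 FD 11 D2 0C 05 EC 96 E3 41 9A CA 53 1? }
        $s4 = "README" nocase                    // generic
        $h5 = { 2A A0 B4 19 59 D9 80 B6 18 26 96 0E 9F 00 1B BA 7D FF E2 6F 4? }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}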
Cassandra
2 rules
.yar
Cassandra_rule_1
Elastic Security
rule Cassandra_ransomware_1 {
    meta:
        description = "Detects Cassandra ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "309f4e8f8b69721c13c3e62474d668e13e2f8d309a55192505831e05abb7154b"
    strings:
        // Contact / payment artefacts
        $tor    = /[A-Za-z0-9]{56}\.onion/
        $wallet = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Crypto vocabulary — generic on its own
        $aes    = "AES-256" nocase
    condition:
        uint16be(0) == 0x4D5A          // "MZ"
        and filesize < 5 * 1024 * 1024
        and 2 of ($*)
}
Cassandra_rule_2
RansomwareMonitor
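rule Cassandra_ransomware_2 {
    meta:
        description = "Detects Cassandra ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "2a3d8450a136377a0277db337aed939d71a52c043422df9b87e69c07ca6e30dc"
    strings:
        // Review: "!!!" was defined twice ($s0/$s7), so any PE containing "!!!"
        // met "2 of them" on its own. Listed once; threshold unchanged.
        $s0 = "!!!" nocase                       // generic
        // $h1 and $h2 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as nibble wildcards — confirm against meta.hash.
        $h1 = { 18 CB 6D 51 CA 29 77 A5 70 5A 10 98 27 E4 3? }
        $h2 = { 12 98 A9 DC 7B 9B A5 0C D8 ED 5F D2 D1 CB BA 83 D8 41 BD 67 7F 2? }
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        $r4 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $s5 = "RSA-2048" nocase                  // generic
        $s6 = "ChaCha20" nocase                  // generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}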
Chaos
1 rule
.yar
Chaos_rule_1
Elastic Security
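rule Chaos_ransomware_1 {
    meta:
        description = "Detects Chaos ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "d8d9639268aad84f3b91a4b71dcf9143bda932da005bc708a920bcb874e44c81"
    strings:
        $s0 = "BITCOIN" nocase                   // payment vocabulary; generic
        // Looks derived from the family label; confirm it occurs in a sample.
        $s1 = ".chaos" nocase
        $r2 = /README\..{3,10}/i                 // note filename; generic
        // Review: $h3 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as a nibble wildcard — confirm the byte against meta.hash.
        $h3 = { 68 C9 59 EC E6 21 C3 77 FD 16 27 A6 2E CB D8 6D 58 4D 42 79 5E 0B 8? }
        $s4 = "AES-256" nocase                   // generic
        $h5 = { F6 65 BF 74 04 69 0C 19 55 }
        $s6 = "RECOVER" nocase                   // generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}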
Cheerscrypt
1 rule
.yar
Cheerscrypt_rule_1
RansomwareMonitor
rule Cheerscrypt_ransomware_1 {
    meta:
        description = "Detects Cheerscrypt ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "0665de74616f7e7c11a42bb0ae51574b6ba759fe38d388a37b36d696f87bb5b7"
    strings:
        // Byte patterns (no provenance given in the rule)
        $blob_a = { F3 95 28 60 04 50 F4 6C 4D F7 87 C6 8F }
        $blob_b = { E6 79 C4 F4 33 F3 FD 18 97 F8 4E D6 }
        // Contact / payment artefacts
        $tox    = "TOX:" nocase
        $wallet = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        // four strings, four required: every pattern must be present
        uint16be(0) == 0x4D5A          // "MZ"
        and filesize < 5 * 1024 * 1024
        and all of them
}
Cicada
3 rules
.yar
Cicada_rule_1
InQuest
rule Cicada_ransomware_1 {
    meta:
        description = "Detects Cicada ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "796ed99bc9ffdbc03dad84559d492928f64dbb239739c90504edc2631410412e"
    strings:
        // Byte patterns (no provenance given in the rule)
        $blob_a = { 59 2E B9 71 23 16 E8 DB A8 CF 97 DA C4 ED 39 C2 }
        $blob_b = { 9B 6A 18 54 4B B2 1D A4 F1 C5 A6 AC 7E 43 69 C8 }
        // Note filename and wallet-like token
        $note   = /README\..{3,10}/i
        $wallet = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        // four strings, four required: every pattern must be present
        uint16be(0) == 0x4D5A          // "MZ"
        and filesize < 5 * 1024 * 1024
        and all of them
}
Cicada_rule_2
Elastic Security
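rule Cicada_ransomware_2 {
    meta:
        description = "Detects Cicada ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a3d473e96a91ec612bfd40d38f59fb0ee1fd251bc1fdccc3eec40ff47eaf750b"
    strings:
        $s0 = "DECRYPT" nocase                   // also a substring of common crypto API names
        $s1 = "::::" nocase                      // generic
        $r2 = /README\..{3,10}/i                 // note filename; generic
        // Review: $r4 was a duplicate of $r3, so one Tor address met "2 of them"
        // by itself. Listed once; threshold unchanged.
        $r3 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        // $h5 ended on an unpaired hex digit in the source; kept as a nibble
        // wildcard — confirm the byte against meta.hash.
        $h5 = { DB 7C A0 B4 8D B5 D6 E8 E8 F6 90 1B 51 95 C4 52 6B FC E7 1? }
        $r6 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        $s7 = "ChaCha20" nocase                  // generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}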
Cicada_rule_3
Elastic Security
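rule Cicada_ransomware_3 {
    meta:
        description = "Detects Cicada ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9e6e32119b30738471c2b3ca10cef7866f18acf3612f2e1830d626eac467638d"
    strings:
        $s0 = "README" nocase                    // generic
        // Review: $h1 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as a nibble wildcard — confirm the byte against meta.hash.
        $h1 = { 98 76 D7 5F 42 C3 46 1F 1F EB FB EC 8? }
        $h2 = { 04 79 5E FE A4 A5 A8 11 B4 06 09 A2 43 8D BF 45 C7 65 12 0E 8A 14 95 BF }
        $r3 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $s4 = "BITCOIN" nocase                   // generic
        $s5 = "!!!" nocase                       // generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them                 // e.g. "README" + "!!!" suffices; expect false positives
}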
CitadelRage
1 rule
.yar
CitadelRage_rule_1
Malpedia
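rule CitadelRage_ransomware_1 {
    meta:
        description = "Detects CitadelRage ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "dcf4d55dcaa12642edf2c49edd9a7a811dbdd5eedb2360abf4921cb86c0d34d4"
    strings:
        $s0 = "DECRYPT" nocase                   // also a substring of common crypto API names
        // Review: $h1, $h2, $h5 and $h6 ended on an unpaired hex digit in the
        // source (invalid syntax); kept as nibble wildcards — confirm against meta.hash.
        $h1 = { 29 32 9A A4 0D 4E 54 8D F4 62 AC BD 24 47 04 9B AA BD 0E BD B7 D? }
        $h2 = { E7 C5 1F A8 AD BD D4 B9 76 BE B7 71 2? }
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        $h4 = { B3 AA 98 AB 30 1D 14 EF 7F 91 08 76 26 E2 97 1D A5 90 7A 22 29 93 }
        $h5 = { 39 5B FD A4 D4 36 03 00 C1 7E BD CE BC EB 2? }
        $h6 = { 2B CF 31 4A 26 59 27 93 9A 62 0B 54 6B B2 96 1? }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}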
Cl0p
3 rules
.yar
Cl0p_rule_1
Florian Roth
rule Cl0p_ransomware_1 {
    meta:
        description = "Detects Cl0p ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "fd2a584a88c8aa1c82b35ce89be3fce0a87dc09f4487ca3d11a4038a58e547c1"
    strings:
        // Byte patterns (no provenance given in the rule)
        $blob_a  = { DD 74 55 81 57 FB 5B EF 7C D0 A0 99 26 70 84 F9 57 A3 }
        $blob_b  = { 77 B7 26 D7 17 B2 A3 08 F0 40 AA 2E A3 B4 B1 52 40 }
        $blob_c  = { D6 FB 44 83 AC 36 25 C3 13 EA E2 84 E1 FC }
        // Note vocabulary — generic on its own
        $sep     = "::::" nocase
        $recover = "RECOVER" nocase
    condition:
        uint16be(0) == 0x4D5A          // "MZ"
        and filesize < 5 * 1024 * 1024
        and 3 of ($*)
}
Cl0p_rule_2
InQuest
rule Cl0p_ransomware_2 {
    meta:
        description = "Detects Cl0p ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "e5f2d819fd0b24540b3620751200a980535d121955b8e66d0d3efc382cf7d469"
    strings:
        // Byte pattern (no provenance given in the rule)
        $blob  = { B4 0A 93 77 F0 4E B5 D7 60 9C 95 F1 CA A6 74 88 B0 EB ED }
        // Note artefacts — generic on their own
        $note  = /README\..{3,10}/i
        $files = "YOUR FILES" nocase
        $bang  = "!!!" nocase
    condition:
        // four strings, four required: every pattern must be present
        uint16be(0) == 0x4D5A          // "MZ"
        and filesize < 5 * 1024 * 1024
        and all of them
}
Clop_Ransomware
Community YARA Rules
rule Clop_Ransomware {
    meta:
        description = "Detects Cl0p ransomware"
        author = "Security Research"
    strings:
        // Family name, note filename, extension and note wording
        $name    = "Cl0p" ascii
        $note    = "ClopReadMe" ascii
        $ext     = ".Clop" ascii
        $wording = "YOUR NETWORK HAS BEEN PENETRATED" ascii
    condition:
        uint16be(0) == 0x4D5A and 2 of ($*)   // "MZ"
}
Cl0p MOVEit Campaign
1 rule
.yar
Cl0p_MOVEit_Campaign_rule_1
Malpedia
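rule Cl0p_MOVEit_Campaign_ransomware_1 {
    meta:
        description = "Detects Cl0p MOVEit Campaign ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "cc01be9ca2e372a5d2076b2e0857f5389e2d53eabf0d5c8ac2b5637c8531b0f9"
    strings:
        // Review: $r2 was a duplicate of $r0 and is listed once; with four
        // distinct patterns and a threshold of four, every string is required.
        $r0 = /README\..{3,10}/i                 // note filename; generic
        $s1 = "BITCOIN" nocase                   // generic
        $r3 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        // $h4 ended on an unpaired hex digit in the source; kept as a nibble
        // wildcard — confirm the byte against meta.hash.
        $h4 = { 33 BB 42 FB 5E F2 7B 66 07 E9 59 31 B9 BB CE E2 51 BC C? }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them
}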
Cloak
1 rule
.yar
Cloak_rule_1
Malpedia
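rule Cloak_ransomware_1 {
    meta:
        description = "Detects Cloak ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f811299561a06a86a68ea883f5a7b45eb993f1d0464849d9f922e0b344c6c616"
    strings:
        // Review: the README regex was defined twice ($r0/$r1), so any PE with
        // a single README.* string met "2 of them". Listed once; threshold unchanged.
        $r0 = /README\..{3,10}/i                 // note filename; generic
        $s2 = "AES-256" nocase                   // generic
        $h3 = { DB 03 C2 D3 2F 39 46 EA B0 65 24 C3 F0 90 39 A9 }
        $r4 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}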
CollapseGroup
3 rules
.yar
CollapseGroup_rule_1
YARA-Rules/rules
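rule CollapseGroup_ransomware_1 {
    meta:
        description = "Detects CollapseGroup ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b384c3dd0753cfb0945ddbf535baec91a635ffeffd5391004c99041f859cd4a0"
    strings:
        $s0 = "TOX:" nocase                      // contact vocabulary; generic
        // Any $r1 hit also matches $s2 (".onion" is part of the regex), so a
        // single Tor address fills two of the three slots.
        $r1 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $s2 = ".onion" nocase
        // Review: $h3 and $h5 ended on an unpaired hex digit in the source
        // (invalid syntax); kept as nibble wildcards — confirm against meta.hash.
        $h3 = { AC 44 E1 6E 4E 16 84 A2 E4 5B 75 62 0B EC F1 5E 2C 06 A? }
        $s4 = "Do not modify" nocase            // note vocabulary; generic
        $h5 = { 47 87 B2 4F C8 B1 A9 62 7A 1F 5? }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}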
CollapseGroup_rule_2
Florian Roth
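rule CollapseGroup_ransomware_2 {
    meta:
        description = "Detects CollapseGroup ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "2571e6342bbe870cca11b602cf6217a9f6d638ad05012fc842334e6df58e6102"
    strings:
        // Review: ".collapsegroup" was defined twice ($s0/$s2), so it met
        // "2 of them" on its own. Only two distinct patterns remain, so the
        // threshold is expressed as "all of them". If the extension is verified
        // against a sample, `$s0` alone may be the better condition.
        $s0 = ".collapsegroup" nocase           // looks derived from the family label; confirm
        $r1 = /README\..{3,10}/i                 // note filename; generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them
}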
CollapseGroup_rule_3
VirusTotal
rule CollapseGroup_ransomware_3 {
    meta:
        description = "Detects CollapseGroup ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "163316b0fd78474929ff93535075e52ac5bfd1d71a28731502aa0db3e0d96a29"
    strings:
        // Byte pattern (no provenance given in the rule)
        $blob = { 2C 96 37 91 88 0C F2 CD A0 41 8A 5A 4B 30 B4 }
        // Extension-like literal and note filename
        $ext  = ".collapsegroup" nocase
        $note = /README\..{3,10}/i
    condition:
        uint16be(0) == 0x4D5A          // "MZ"
        and filesize < 5 * 1024 * 1024
        and 2 of ($*)
}
Conti
1 rule
.yar
Conti_Ransomware
Community YARA Rules
rule Conti_Ransomware {
    meta:
        description = "Detects Conti ransomware"
        author = "Security Research"
    strings:
        // Mutex name (the most specific of the four)
        $mutex   = "hsdfsd-mutex" ascii
        // Family name (case-sensitive), note filename and note wording
        $name    = "CONTI" ascii
        $note    = "readme.txt" ascii
        $wording = "All of your files are currently encrypted" ascii
    condition:
        uint16be(0) == 0x4D5A and 2 of ($*)   // "MZ"
}
Crystal
1 rule
.yar
Crystal_rule_1
Florian Roth
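rule Crystal_ransomware_1 {
    meta:
        description = "Detects Crystal ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "97fd6ffed6c00c7805a5f2505eca0bf742ce29a4d9af54ec00595745bfd4c47d"
    strings:
        $r0 = /README\..{3,10}/i                 // note filename; generic
        $r1 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $s2 = "DECRYPT" nocase                   // also a substring of common crypto API names
        // Review: $h3 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as a nibble wildcard — confirm the byte against meta.hash.
        $h3 = { 5C D3 A2 BB F6 21 1A B9 10 1? }
        $s4 = "::::" nocase                      // generic
        $h5 = { A5 C7 6D F5 DF 3C DC F0 30 A4 79 59 66 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}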
DarkSide
1 rule
.yar
DarkSide_Ransomware
Community YARA Rules
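rule DarkSide_Ransomware {
    meta:
        description = "Detects DarkSide ransomware"
        author = "Security Research"
    strings:
        $s1 = "Welcome to DarkSide" ascii
        $s2 = "darkside" ascii nocase
        $s3 = "universal decryptor" ascii
    condition:
        // Review: $s2 is a substring of $s1, so the original "2 of them" was
        // really "$s1, or the generic name together with $s3". The condition
        // below is equivalent but makes that explicit.
        uint16(0) == 0x5A4D and ($s1 or ($s2 and $s3))
}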
DeadBolt
3 rules
.yar
DeadBolt_rule_1
RansomwareMonitor
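rule DeadBolt_ransomware_1 {
    meta:
        description = "Detects DeadBolt ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "3c39ca86caf41b8c590f9b0d539cb7cc614ddc0f4c940b258777061360c8d015"
    strings:
        $s0 = "DeadBolt" nocase                  // family name; confirm it occurs in a sample
        $s1 = "DECRYPT" nocase                   // also a substring of common crypto API names
        $s2 = "TOX:" nocase                      // contact vocabulary; generic
        // Review: $h3, $h4 and $h6 ended on an unpaired hex digit in the source
        // (invalid syntax); kept as nibble wildcards — confirm against meta.hash.
        $h3 = { 04 56 68 EE 02 69 1E 2F 21 4B D8 9C 6F B6 BA 99 5D 8C 07 98 3D 0D 2? }
        $h4 = { 2C DE 19 BF 2E 34 BC 89 73 20 09 FD FC D0 9D 31 E? }
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        $h6 = { 0C D1 BA 85 BD 1E 2F 80 F7 97 0F 12 07 C9 1E 29 43 6B C1 9F 7E BA B? }
        $h7 = { E6 1D D1 C1 1F 6B F8 1B 78 AF FA 69 F7 6C A4 E8 11 5E 85 B3 44 62 22 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}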
DeadBolt_rule_2
InQuest
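rule DeadBolt_ransomware_2 {
    meta:
        description = "Detects DeadBolt ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f424ea86a2ffb5fabd16aa205b5d8cef7687dc12a5d847bea8f7145ee847325f"
    strings:
        // Review: $h0 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as a nibble wildcard — confirm the byte against meta.hash.
        $h0 = { 42 53 44 57 9C 52 56 25 25 22 39 D3 B0 60 81 0? }
        $s1 = "Do not modify" nocase            // note vocabulary; generic
        $h2 = { 60 2D 69 67 3B A7 EC F0 DA E5 FC 3B 55 44 14 46 12 03 28 88 5B C0 6D }
        $h3 = { 17 81 14 32 FD CE 5A 95 31 80 A8 0F 85 1D 4D 0B A9 89 FD 9D }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}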
DeadBolt_rule_3
RansomwareMonitor
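rule DeadBolt_ransomware_3 {
    meta:
        description = "Detects DeadBolt ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "8c6ec49245d0ff32bd728e00430324dcaf821f3a1fb1923975e203de7df7aa58"
    strings:
        // Review: $h0 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as a nibble wildcard — confirm the byte against meta.hash.
        $h0 = { 81 87 26 8A 2A 22 74 22 1C 08 0B E7 5E 7C 8B AB 22 EA 86 C9 6? }
        $s1 = "YOUR FILES" nocase                // note vocabulary; generic
        $s2 = "TOX:" nocase                      // generic
        $r3 = /README\..{3,10}/i                 // note filename; generic
        $r4 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $s5 = "::::" nocase                      // generic
        $r6 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        $h7 = { EE F3 21 39 2C C6 4B 46 07 56 77 55 5D F9 4E F0 E1 C3 A8 CE 6C 34 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}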
DeltaAttack
1 rule
.yar
DeltaAttack_rule_1
CISA
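rule DeltaAttack_ransomware_1 {
    meta:
        description = "Detects DeltaAttack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7de0f8ec430be246ffd39c7de30251e21a9565d407e8f3492796bddd9862e627"
    strings:
        $h0 = { 01 C9 D7 73 1F 58 C1 58 8C EF 45 9C 6D 79 F8 56 06 81 53 4D 13 BB 84 AE }
        // Review: $h1 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as a nibble wildcard — confirm the byte against meta.hash.
        $h1 = { 46 0F E8 49 79 FC 78 D7 1D E7 2B B8 B? }
        // $r4 was a duplicate of $r2 and is listed once; with four distinct
        // patterns and a threshold of four, every string is required.
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        $r3 = /README\..{3,10}/i                 // note filename; generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them
}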
Dharma/CrySIS
3 rules
.yar
Dharma/CrySIS_rule_1
Florian Roth
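rule Dharma_CrySIS_ransomware_1 {
    meta:
        description = "Detects Dharma/CrySIS ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "11487448095aaf187373de51ab7916fc34145a88dd8e723288b826799da72d9a"
    strings:
        $s0 = "YOUR FILES" nocase                // note vocabulary; generic
        $h1 = { E0 C5 E0 86 40 8A 07 7B D9 46 6B 01 4D 76 FA F3 F3 FA 79 }
        $h2 = { FC DD 0D 24 9C 98 DF 42 A5 }
        // Review: $h3 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as a nibble wildcard — confirm the byte against meta.hash.
        $h3 = { 84 84 17 35 62 3C 2F A4 17 B3 59 DC 50 5B 33 4D CD 3B 76 51 DF 4? }
        $s4 = "TOX:" nocase                      // generic
        // Looks derived from the family label; confirm it occurs in a sample.
        $s5 = "Dharma/CrySIS" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}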
Dharma/CrySIS_rule_2
RansomwareMonitor
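rule Dharma_CrySIS_ransomware_2 {
    meta:
        description = "Detects Dharma/CrySIS ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "fcbd80c1e747d76c4e15108e7f330d7f86e5d5644353d1d90496c7b1af2d9607"
    strings:
        $s0 = "Do not modify" nocase            // note vocabulary; generic
        // Review: $h1 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as a nibble wildcard — confirm the byte against meta.hash.
        $h1 = { F4 82 A0 55 66 95 F4 2C 05 6? }
        // $r3 was a duplicate of $r2, so one Tor address met "2 of them" by
        // itself. Listed once; threshold unchanged.
        $r2 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $s4 = "PAYMENT" nocase                   // generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}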
Dharma/CrySIS_rule_3
InQuest
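rule Dharma_CrySIS_ransomware_3 {
    meta:
        description = "Detects Dharma/CrySIS ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "686a84ea22fb9f5d007702cd4443702c736c6f34839d1e9d5c01c9dfbea17b5c"
    strings:
        // Review: $r4 was a duplicate of $r3 and is listed once; duplicates let
        // one artefact fill two "N of them" slots. No hex pattern or
        // family-specific artefact is present; expect false positives.
        $s0 = "BITCOIN" nocase                   // generic
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        $s2 = "RSA-2048" nocase                  // generic
        $r3 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $r5 = /README\..{3,10}/i                 // note filename; generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}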
DiscordLock
2 rules
.yar
DiscordLock_rule_1
VirusTotal
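rule DiscordLock_ransomware_1 {
    meta:
        description = "Detects DiscordLock ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "50d132b929b9b24511f520725eb829e257fb1e79d8be4c24e916c10e52507ee1"
    strings:
        $h0 = { 29 0D 56 49 0F 70 93 88 98 94 EB 7E 36 F0 E9 34 }
        $s1 = "ENCRYPTED" nocase                 // generic
        // Review: $r3 was a duplicate of $r2 and is listed once; with three
        // distinct patterns and a threshold of three, every string is required.
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them
}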
DiscordLock_rule_2
Elastic Security
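rule DiscordLock_ransomware_2 {
    meta:
        description = "Detects DiscordLock ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b86ec3718055bf135865713ceca089346310462a27f77eb2ffa7fbdd3a17fce4"
    strings:
        $s0 = "DiscordLock" nocase               // family name; confirm it occurs in a sample
        $h1 = { 12 7F 04 A7 83 71 E9 02 EE 98 E0 3D 8A DC 4E 11 C0 A4 AB C3 96 5A 29 }
        // Review: $r4 was a duplicate of $r2 and is listed once; with four
        // distinct patterns and a threshold of four, every string is required.
        $r2 = /README\..{3,10}/i                 // note filename; generic
        $h3 = { 1D 6E 51 AE C4 EC 8B C0 3F 7C 8A 8B 29 FA 13 17 07 8E C3 EB 4D }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them
}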
DoppelPaymer
3 rules
.yar
DoppelPaymer_rule_1
Florian Roth
rule DoppelPaymer_ransomware_1 {
    meta:
        description = "Detects DoppelPaymer ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "e40880caf6177c9e1b6381f64534b85e732a980f40931fc80f17cfa8811fec28"
    strings:
        // Byte pattern (no provenance given in the rule)
        $blob   = { 50 20 C1 15 7A 6E D0 DF 29 32 AC 07 F0 9B 18 D5 58 9A FA 49 0D 87 }
        // Wallet-like token and note vocabulary — generic on their own
        $wallet = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $files  = "YOUR FILES" nocase
    condition:
        // three strings, three required: every pattern must be present
        uint16be(0) == 0x4D5A          // "MZ"
        and filesize < 5 * 1024 * 1024
        and all of them
}
DoppelPaymer_rule_2
CISA
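rule DoppelPaymer_ransomware_2 {
    meta:
        description = "Detects DoppelPaymer ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "6af50dd8582fd356d59894a7a29d7d046c1cb631941c181e74636f56eed281a9"
    strings:
        // Review: $h0 and $h6 ended on an unpaired hex digit in the source
        // (invalid syntax); kept as nibble wildcards — confirm against meta.hash.
        $h0 = { E1 7E 15 26 C7 76 F8 CF 11 A0 D0 FD 68 1C 18 BF 51 2E C4 49 76 2B 59 0? }
        // "RSA-2048" was defined twice ($s1/$s5), so any PE containing it met
        // "2 of them" on its own. Listed once; threshold unchanged.
        $s1 = "RSA-2048" nocase                  // generic
        // Looks derived from the family label; confirm it occurs in a sample.
        $s2 = ".doppelpaymer" nocase
        $h3 = { D7 3D 3A AF EC 5B D3 1D 3B 8A D7 55 8D }
        $r4 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $h6 = { 62 A3 AC EF 8B 7E 03 6E A5 8? }
        $s7 = "RECOVER" nocase                   // generic
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}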
DoppelPaymer_rule_3
YARA-Rules/rules
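rule DoppelPaymer_ransomware_3 {
    meta:
        description = "Detects DoppelPaymer ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "5a057a3856f16fe3ea341f8c5e9b6f2f8cd44b702539dac0c088de2e470b79d0"
    strings:
        $h0 = { B7 FF 8B AA FD 59 CD 20 C6 FB 7A 40 DB A1 }
        $r1 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $h2 = { 0C 1D F2 B7 7E DD 4E 11 4E 77 5A 26 F4 7E }
        // Review: $h3 and $h5 ended on an unpaired hex digit in the source
        // (invalid syntax); kept as nibble wildcards — confirm against meta.hash.
        $h3 = { 8B 53 85 35 13 93 CB 6E 6? }
        $h4 = { CC BE 2B 6A 2B CE 6A 3F AC 4F 13 C0 B8 }
        $h5 = { 1F 48 37 AA 02 09 A3 9D 1D 6D 7A E? }
        $s6 = "Do not rename" nocase            // note vocabulary; generic
        $h7 = { C5 CE 24 01 9C CC 8B 95 26 FE D4 5C B5 30 58 27 10 64 8A BD A8 74 C0 CD }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}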
Epsilon
3 rules
.yar
Epsilon_rule_1
CISA
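rule Epsilon_ransomware_1 {
    meta:
        description = "Detects Epsilon ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "984f1312125c3d582bfabc8036e77d299d3f0fbf83f87747e778c7509858ea30"
    strings:
        // Review: $r6 was a duplicate of $r0, so one wallet-like token met
        // "2 of them" by itself. Listed once; threshold unchanged.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/   // Base58 wallet-like token; generic
        // $h1 and $h5 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as nibble wildcards — confirm against meta.hash.
        $h1 = { 25 9F BC F7 1D DC 8E A4 54 7? }
        $s2 = "RSA-2048" nocase                  // generic
        $h3 = { E9 FE 6D 6C 0B 61 F0 07 0E BE }
        $s4 = "DECRYPT" nocase                   // also a substring of common crypto API names
        $h5 = { 56 13 E6 C8 25 DB 8C AF 3A 33 5C 9E 47 B2 DE D? }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}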
Epsilon_rule_2
RansomwareMonitor
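rule Epsilon_ransomware_2 {
    meta:
        description = "Detects Epsilon ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f88c77de8efbea70ffad82c7910cee5c44bd5227f146102f5ee22f218e4aa5eb"
    strings:
        // Review: $h0 ended on an unpaired hex digit in the source (invalid
        // syntax); kept as a nibble wildcard — confirm the byte against meta.hash.
        $h0 = { AB 09 64 24 45 98 28 B5 01 1D 0? }
        // Any $r1 hit also matches $s2 (".onion" is part of the regex), so a
        // single Tor address meets "2 of them" by itself.
        $r1 = /[A-Za-z0-9]{56}\.onion/           // Tor v3 service address
        $s2 = ".onion" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}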
Epsilon_rule_3
InQuest
rule Epsilon_ransomware_3 {
    meta:
        description = "Detects Epsilon ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "814f84e8936932763064e75ae71a6eb5222baa1aece389e1faf1c833eb90b39c"
    strings:
        // Byte patterns (no provenance given in the rule)
        $blob_a = { C3 DF B6 0C 09 ED 0B EE FF 2D D9 FA 65 36 F8 C0 5A }
        $blob_b = { FD D8 70 C9 59 0F E3 26 65 75 7E 7B 77 A8 07 97 C9 B9 C7 }
        // Note vocabulary — generic on its own
        $rename = "Do not rename" nocase
    condition:
        uint16be(0) == 0x4D5A          // "MZ"
        and filesize < 5 * 1024 * 1024
        and 2 of ($*)
}
Error
1 rules
.yar
Error_rule_1
Malpedia
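rule Error_ransomware_1 {
    // $h0 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects Error ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f15779f8dbcb954d51656753de466ecbed24009384fcf5c3247f059e7fa3f0cd"
    strings:
        $h0 = { D0 C9 48 DA F1 94 03 87 C7 EB 57 F5 39 70 15 06 8? }   // was "... 06 8"
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s2 = "PAYMENT" nocase
        $s3 = "AES-256" nocase
        $r4 = /[A-Za-z0-9]{56}\.onion/
    condition:
        // Four of the five strings are generic (note text, cipher name, two
        // unanchored regexes); only $h0 is family-specific.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}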
Flux
2 rules
.yar
Flux_rule_1
YARA-Rules/rules
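rule Flux_ransomware_1 {
    // $h2 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects Flux ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "4ba6810ed7a3c87529c253aac26ca4d232f442b57fce9319744d6fc022464359"
    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $s1 = "RSA-2048" nocase
        $h2 = { 97 C6 4B 77 0C 28 D1 61 4F 94 0C 71 DE 7? }   // was "... DE 7"
    condition:
        // $r0 + $s1 alone satisfy the threshold without the hex pattern.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}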
Flux_rule_2
Elastic Security
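rule Flux_ransomware_2 {
    // $h1 and $h2 ended in a lone hex digit (syntax error); kept with '?'.
    meta:
        description = "Detects Flux ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a6b4b0e7f5523e45621fa9546363f3cefaa7f07b9975c144b2a31b7a01480aa3"
    strings:
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h1 = { FA 44 DB 80 FC BB 9D A8 C1 30 B2 D5 5D F5 1? }   // was "... F5 1"
        $h2 = { 2B E7 D6 8D C0 4E 2B 7B 1? }   // was "... 7B 1"
    condition:
        // "3 of them" on three strings means all must match.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}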
FortuneBlack
3 rules
.yar
FortuneBlack_rule_1
Elastic Security
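rule FortuneBlack_ransomware_1 {
    // $r3 duplicated $r2 and counted twice towards "3 of them". The duplicate
    // is removed and the condition rewritten to the exact equivalent, which
    // makes the real requirement visible: the regex plus one note phrase.
    meta:
        description = "Detects FortuneBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "466fab7ba497005c5e65be0b5b4c0ecf056bcecb452e85092d159e1d3044f40a"
    strings:
        $s0 = "!!!" nocase
        $s1 = "Do not rename" nocase
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        // No family-specific content remains; expect false positives.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        $r2 and 1 of ($s*)
}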
FortuneBlack_rule_2
InQuest
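rule FortuneBlack_ransomware_2 {
    // $h0 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects FortuneBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "fab45d809e627210b2a1b1a60518b5257998dbe0f6cebd73ac2d6b96179980b7"
    strings:
        $h0 = { 7D 60 6D E9 0E 4D CB 68 F5 41 1B A6 3F BE 1C 1? }   // was "... 1C 1"
        $s1 = "Do not rename" nocase
        $s2 = "::::" nocase
        $r3 = /[A-Za-z0-9]{56}\.onion/
    condition:
        // "::::" is a very short, common byte run; with "2 of them" it pairs
        // with any other generic string.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}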
FortuneBlack_rule_3
YARA-Rules/rules
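rule FortuneBlack_ransomware_3 {
    // $h4 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    // $r6 duplicated $r3 (counted twice); dropped, condition made equivalent.
    meta:
        description = "Detects FortuneBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "70801891b6faa7f2495e5e8c11b6eab04a455f7c51df78f7f2f05e9f76aa9d93"
    strings:
        $s0 = "ENCRYPTED" nocase
        $s1 = "ChaCha20" nocase
        $h2 = { F0 A4 FC E6 94 63 E1 AA D8 8F A5 D3 DB 08 F8 BC 62 42 D5 8C }
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h4 = { CC BF C6 90 F5 8F CA 01 F5 AE 6E F6 76 8D DA 1C DC 7? }   // was "... DC 7"
        $s5 = "RECOVER" nocase
        $s7 = "AES-256" nocase
    condition:
        // Equivalent to the original "2 of them" with $r3 doubled.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        ($r3 or 2 of ($s*, $h*))
}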
FrostBlack
3 rules
.yar
FrostBlack_rule_1
Florian Roth
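rule FrostBlack_ransomware_1 {
    // $r2 duplicated $r0 and counted twice towards "3 of them"; the duplicate
    // is dropped and the condition rewritten to the exact equivalent.
    meta:
        description = "Detects FrostBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "4ebf74e7c604c298dc5a3831a6cda6d458c69f16cbaab68f514ac3be23153a7d"
    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $s1 = "Do not modify" nocase
        $s3 = "DECRYPT" nocase
        $s4 = "RSA-2048" nocase
        $h5 = { 61 A6 90 72 0C F9 AF 14 1E C5 97 8D AC 0F 0F 83 82 9C E7 E6 }
        $r6 = /README\..{3,10}/i
        $s7 = "ChaCha20" nocase
    condition:
        // Onion regex + any one other, or three of the rest.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (($r0 and 1 of ($s*, $h5, $r6)) or 3 of ($s*, $h5, $r6))
}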
FrostBlack_rule_2
Florian Roth
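rule FrostBlack_ransomware_2 {
    // $h1 and $h5 ended in a lone hex digit (syntax error); kept with '?'.
    // $r4 duplicated $r0 (counted twice); dropped, condition made equivalent.
    meta:
        description = "Detects FrostBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "5fc7ffcf9aa3857eec864427295940c11e1a2c22638e85f6a24fcafca66198e4"
    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $h1 = { 12 CF EA 48 5B D7 25 25 D1 30 38 32 E9 2C 10 86 F1 8F A? }   // was "... 8F A"
        $s2 = "Do not rename" nocase
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h5 = { B7 D8 B7 72 C8 65 6B D8 BA 4A E7 AC DC 4F 70 8? }   // was "... 70 8"
    condition:
        // Equivalent to the original "4 of them" with $r0 doubled.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (($r0 and 2 of ($h*, $s2, $r3)) or all of ($h*, $s2, $r3))
}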
FrostBlack_rule_3
Malpedia
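rule FrostBlack_ransomware_3 {
    // $h0 and $h1 ended in a lone hex digit (syntax error); kept with '?'.
    meta:
        description = "Detects FrostBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "3969eaa953f3d222291997bb0eace54cc104c6ae5c4ffc56607094802b2f6653"
    strings:
        $h0 = { 09 21 25 E4 36 32 DE FE 06 75 23 4? }   // was "... 23 4"
        $h1 = { 6C E0 BE 21 91 ED 0A D2 9D 03 89 70 BD 08 4? }   // was "... 08 4"
        $s2 = "README" nocase
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        // Three of four: at least one hex pattern is always required.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}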
Garnet
2 rules
.yar
Garnet_rule_1
InQuest
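rule Garnet_ransomware_1 {
    // $h0 and $h7 ended in a lone hex digit (syntax error); kept with '?'.
    // $r3 duplicated $r1 (counted twice); dropped, condition made equivalent.
    meta:
        description = "Detects Garnet ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "961b310b59ed8f50d1c5c97d359a2a65d13432a47a5f6e9bd85a183d8dd99c01"
    strings:
        $h0 = { B8 72 42 90 90 B8 39 74 19 B9 D5 A5 8C D0 DF B9 C4 C2 B1 85 6A 16 C? }   // was "... 16 C"
        $r1 = /[A-Za-z0-9]{56}\.onion/
        $s2 = "RSA-2048" nocase
        $s4 = "AES-256" nocase
        $h5 = { EC 9C 8F C1 C2 47 FA 29 5D E5 A2 1B FD }
        $s6 = "Do not rename" nocase
        $h7 = { D2 F9 9F D5 9D B0 53 7D 38 64 D4 BE 9C 4C 09 8? }   // was "... 09 8"
    condition:
        // Equivalent to the original "4 of them" with $r1 doubled.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (($r1 and 2 of ($h*, $s*)) or 4 of ($h*, $s*))
}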
Garnet_rule_2
YARA-Rules/rules
rule Garnet_ransomware_2 {
    // All four strings must be present (4 of 4): three opaque byte patterns
    // and the cipher name "AES-256".
    meta:
        description = "Detects Garnet ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f0808cdf722f2da5671142d662b5045dc3c53a58a3b07f9423b0adb2cd68a4ae"
    strings:
        $h0 = { 0D 75 B9 C0 DE 0D E6 2B 03 }
        $h1 = { 2B 96 E5 EE D0 97 48 39 E7 58 C9 F7 }
        $h2 = { F0 DA F8 8F 15 FF AF DF 8E 30 2F 44 C3 }
        $s3 = "AES-256" nocase
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 4 of them
}
Granite
1 rules
.yar
Granite_rule_1
YARA-Rules/rules
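rule Granite_ransomware_1 {
    // $h0 and $h1 ended in a lone hex digit (syntax error); kept with '?'.
    meta:
        description = "Detects Granite ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "eb51bf6db605de0f9c2fba0f7e651d526c7f0debe937775f57041b2a00e8c577"
    strings:
        $h0 = { B4 65 7F 18 93 B4 AF AF 43 01 87 1? }   // was "... 87 1"
        $h1 = { 8D 26 87 A9 FA 11 B7 67 C6 52 46 DF B0 EE 1A 9D F? }   // was "... 9D F"
        $h2 = { B3 09 B3 D0 3D 9A 1B 0B F5 45 E4 9B 54 B4 D3 05 42 28 CE 2C }
        $s3 = "TOX:" nocase
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}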
HectorSquad
1 rules
.yar
HectorSquad_rule_1
Florian Roth
rule HectorSquad_ransomware_1 {
    // Three opaque byte patterns and four generic note phrases; any two hits
    // fire, so two generic phrases alone are sufficient.
    meta:
        description = "Detects HectorSquad ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a1ad487d62375fb60e8bd49dae8e3e6205fb4cc522215283b3c084d90a78a739"
    strings:
        $h0 = { AA EC 80 6B A8 2E 27 4E 47 72 BA B5 }
        $h2 = { 39 0A 78 0C 8C 40 4D AD B9 EE B3 D3 }
        $h4 = { 9D F6 4C 37 46 F9 DB 65 }
        $s1 = "Do not rename" nocase
        $s3 = "::::" nocase
        $s5 = "ENCRYPTED" nocase
        $s6 = "PAYMENT" nocase
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}
HellfireBlack
2 rules
.yar
HellfireBlack_rule_1
RansomwareMonitor
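rule HellfireBlack_ransomware_1 {
    // $r2 duplicated $r0. The original "4 of them" over four strings with one
    // pair identical is exactly "all of them" over the three distinct ones.
    meta:
        description = "Detects HellfireBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c4ea1e65824434962ba7d2094979329147565b70a2608401db6e97a61bcd7790"
    strings:
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s1 = "!!!" nocase
        $h3 = { 49 FE 41 80 DE 8C CD A1 CB 77 56 }
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        all of them
}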
HellfireBlack_rule_2
VirusTotal
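rule HellfireBlack_ransomware_2 {
    // $h0 and $h3 ended in a lone hex digit (syntax error); kept with '?'.
    meta:
        description = "Detects HellfireBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7f0beb9b4ab706cbadf0f595ab4bc75d423cc17e84708c127c8a561d321205e6"
    strings:
        $h0 = { EC 39 44 0E 9C 3F AB 83 0D D1 C7 20 27 C9 20 35 50 14 1C 7? }   // was "... 1C 7"
        $s1 = "PAYMENT" nocase
        $s2 = "Do not modify" nocase
        $h3 = { 08 79 90 95 60 73 A2 5B A1 7A 2F 68 AF 30 54 28 83 83 32 E9 C2 6? }   // was "... C2 6"
        $r4 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}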
HelloKitty
3 rules
.yar
HelloKitty_rule_1
CISA
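rule HelloKitty_ransomware_1 {
    // $h0, $h2, $h3 and $h4 all ended in a lone hex digit (syntax error);
    // each is kept with a '?' low-nibble wildcard.
    meta:
        description = "Detects HelloKitty ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "31704a0f54596290257ee2e225c6610c0313e7f00093f3bab3ab52c94f1575f0"
    strings:
        $h0 = { F5 95 B3 40 ED DA 60 BC 8? }   // was "... BC 8"
        $r1 = /README\..{3,10}/i
        $h2 = { 7D 6A F6 C6 F5 00 A0 4C 1D FC C3 89 0B E8 77 01 A? }   // was "... 01 A"
        $h3 = { 5D B0 E2 68 33 98 E1 27 7? }   // was "... 27 7"
        $h4 = { B8 B1 CC 41 C7 3E 47 6D 8E C1 C? }   // was "... C1 C"
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}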
HelloKitty_rule_2
YARA-Rules/rules
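rule HelloKitty_ransomware_2 {
    // $h0 and $h3 ended in a lone hex digit (syntax error); kept with '?'.
    meta:
        description = "Detects HelloKitty ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "54eaf148eb62de32f0cd1456b7fb95e5ef6389bec27b0b0e28d0442edb970d99"
    strings:
        $h0 = { 44 6B 56 76 EF F3 96 EC 7E 4D 2? }   // was "... 4D 2"
        $s1 = "AES-256" nocase
        $s2 = "README" nocase
        $h3 = { DB F7 EB 6E C5 BB 4D 78 37 B1 04 E3 FC 67 D6 89 7D 4? }   // was "... 7D 4"
    condition:
        // "4 of them" on four strings means all must match.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}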
HelloKitty_rule_3
Elastic Security
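rule HelloKitty_ransomware_3 {
    // $r2 duplicated $r1 and counted twice towards "2 of them"; dropped and
    // the condition rewritten to the exact equivalent.
    meta:
        description = "Detects HelloKitty ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "6de795b498606832f6c16729b10e3c362e213b109315dbb11ebd7cdaae8ccbeb"
    strings:
        $h0 = { 93 C6 86 D7 BF 37 72 BB C6 72 D6 72 0A E1 }
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s3 = ".onion" nocase
        $s4 = "HelloKitty" nocase
        $r5 = /[A-Za-z0-9]{56}\.onion/
        $r6 = /README\..{3,10}/i
    condition:
        // $r1 alone fires; note also that any $r5 match contains $s3.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        ($r1 or 2 of ($h0, $s*, $r5, $r6))
}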
Hex
1 rules
.yar
Hex_rule_1
Elastic Security
rule Hex_ransomware_1 {
    // Only generic ransom-note content: an onion-address regex and two
    // note phrases. Any two hits on a PE under 5 MB fire.
    meta:
        description = "Detects Hex ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9735d010b7e1f850a5ed715f04967c0821d422901b4460a18cf61109d285553a"
    strings:
        $s1 = "DECRYPT" nocase
        $s2 = "YOUR FILES" nocase
        $r0 = /[A-Za-z0-9]{56}\.onion/
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}
Hive
2 rules
.yar
Hive_Ransomware
Community YARA Rules
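rule Hive_Ransomware {
    // "hive" as a case-insensitive substring also matches "archive",
    // "Archive" and similar, which appear in a great many legitimate PEs;
    // "fullword" restricts it to the standalone token. ".key." and the note
    // name are unchanged.
    meta:
        description = "Detects Hive ransomware"
        author = "Security Research"
    strings:
        $s1 = "HOW_TO_DECRYPT" ascii
        $s2 = "hive" ascii nocase fullword
        $s3 = ".key." ascii
    condition:
        uint16(0) == 0x5A4D and 2 of them
}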
Hive_rule_1
VirusTotal
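rule Hive_ransomware_1 {
    // $h0 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects Hive ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f0e21a344833d8440f2f9f0c00151fdb5b464f0923815b1249ce052d6f110b56"
    strings:
        $h0 = { C6 A1 75 26 25 6E FA 44 86 22 44 34 8E 24 7C 46 2B F7 C? }   // was "... F7 C"
        $r1 = /[A-Za-z0-9]{56}\.onion/
        $s2 = ".onion" nocase
        $r3 = /README\..{3,10}/i
        $s4 = "RSA-2048" nocase
    condition:
        // Any $r1 match also contains $s2, so those two count as a pair.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}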
Hypnos
2 rules
.yar
Hypnos_rule_1
Malpedia
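rule Hypnos_ransomware_1 {
    // $h4 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    // $r3 and $r6 duplicated $r0, so that regex counted three times towards
    // "3 of them"; the duplicates are dropped and the condition made equivalent.
    meta:
        description = "Detects Hypnos ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "1325e6683ed5422edae75e7fb51b24cf4633738b1dd159af36ff5348498cafb7"
    strings:
        $r0 = /README\..{3,10}/i
        $s1 = "ChaCha20" nocase
        $s2 = "README" nocase
        $h4 = { 14 53 1F 4A 2C 8B 06 0A 1? }   // was "... 0A 1"
        $s5 = ".onion" nocase
    condition:
        // The README regex alone satisfied the original threshold.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        ($r0 or 3 of ($s*, $h4))
}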
Hypnos_rule_2
VirusTotal
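rule Hypnos_ransomware_2 {
    // $h1, $h4 and $h5 ended in a lone hex digit (syntax error); kept with '?'.
    meta:
        description = "Detects Hypnos ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "2ad004bf84f1a65919a7c562a037ee8bbb09b4d88233f19e830943752db56f7a"
    strings:
        $s0 = "Hypnos" nocase
        $h1 = { 13 A8 80 C6 D6 CC 2A F9 DC 66 31 09 B3 30 A0 41 48 1? }   // was "... 48 1"
        $r2 = /[A-Za-z0-9]{56}\.onion/
        $s3 = ".hypnos" nocase
        $h4 = { CE 98 24 F9 23 D2 29 35 34 81 74 A? }   // was "... 74 A"
        $h5 = { FE 1D C5 92 0D 2D 2D 24 34 6B 5A E6 4C 8? }   // was "... 4C 8"
        $s6 = "Do not rename" nocase
    condition:
        // Any $s3 match also contains $s0, so those two count as a pair.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}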
INC v3
3 rules
.yar
INC_v3_rule_1
CISA
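rule INC_v3_ransomware_1 {
    // $h1 and $h4 ended in a lone hex digit (syntax error); kept with '?'.
    meta:
        description = "Detects INC v3 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "93acb019aaae1d36c6897c42bcea04951d59c6b5a584d273c4533216f3d34289"
    strings:
        $h0 = { 96 C5 11 35 F8 45 71 B6 50 43 51 0A 4F EA A0 4C 99 6B A7 24 48 95 1F }
        $h1 = { DC DC 38 A4 6A F2 41 A2 F1 59 2E CC B3 F7 C? }   // was "... F7 C"
        $r2 = /README\..{3,10}/i
        $s3 = "Do not rename" nocase
        $h4 = { 17 90 6F F0 AC 9A 80 E8 71 74 FE B? }   // was "... FE B"
    condition:
        // Four of five: at least two hex patterns are always required.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}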
INC_v3_rule_2
CISA
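rule INC_v3_ransomware_2 {
    // $h2 and $h6 ended in a lone hex digit (syntax error); kept with '?'.
    meta:
        description = "Detects INC v3 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f1b3399a32442cc9c017e7d38afb6c1e3c4d38da51f291a3925021484f984a42"
    strings:
        $s0 = "README" nocase
        $s1 = "DECRYPT" nocase
        $h2 = { 5B F5 5B BD 48 D9 AC 7A 75 16 EB 28 FE 81 0E 7A 2B 7B 4C 2D 7? }   // was "... 2D 7"
        $h3 = { DC 36 92 98 F8 4E 4F 4B 94 1B 88 94 82 33 E7 BE 64 34 68 6A }
        $h4 = { AB 82 37 F1 E6 A3 9A 0B 8D 9F C8 5B 20 }
        $r5 = /[A-Za-z0-9]{56}\.onion/
        $h6 = { 1D B3 12 91 ED 18 FD 36 87 5B 55 E6 5D BC DF 03 2E F9 FE D6 EE DC B? }   // was "... DC B"
        $h7 = { 72 8A BE DB 3F 29 C2 B8 63 7A }
    condition:
        // "README" + "DECRYPT" alone satisfy the threshold.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}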
INC_v3_rule_3
InQuest
rule INC_v3_ransomware_3 {
    // One opaque byte pattern, two note phrases and three unanchored
    // regexes; any two hits fire, so the regexes alone are sufficient.
    meta:
        description = "Detects INC v3 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a80875a51f4087a2b980ec9f2d558f5442704f4c135c58b267db4e8357ac8642"
    strings:
        $h0 = { DE 1D CA 57 8A 92 27 1F 89 78 03 9F EA A9 31 79 B9 AC 2B B0 }
        $s1 = "PAYMENT" nocase
        $s2 = "YOUR FILES" nocase
        $r3 = /README\..{3,10}/i
        $r4 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $r5 = /[A-Za-z0-9]{56}\.onion/
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}
INC/Lynx Affiliate
3 rules
.yar
INC/Lynx_Affiliate_rule_1
RansomwareMonitor
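rule INC_Lynx_Affiliate_ransomware_1 {
    // $r3 duplicated $r2 and $s5 duplicated $s0, so each of those counted
    // twice towards "3 of them". Duplicates dropped; the condition below is
    // the exact equivalent of the original weighted count.
    meta:
        description = "Detects INC/Lynx Affiliate ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "95e3f9e2e9229e0bf56d87c92187d7c2efa3227cd5315247b91802eaee735c58"
    strings:
        $s0 = "TOX:" nocase
        $s1 = "DECRYPT" nocase
        $r2 = /[A-Za-z0-9]{56}\.onion/
        $s4 = "ChaCha20" nocase
        $s6 = "ENCRYPTED" nocase
        $s7 = ".onion" nocase
    condition:
        // No family-specific content; any $r2 match also contains $s7.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (
            ($s0 and $r2) or
            (1 of ($s0, $r2) and 1 of ($s1, $s4, $s6, $s7)) or
            3 of ($s1, $s4, $s6, $s7)
        )
}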
INC/Lynx_Affiliate_rule_2
RansomwareMonitor
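rule INC_Lynx_Affiliate_ransomware_2 {
    // $h1 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    // $r5 duplicated $r2 (counted twice); dropped, condition made equivalent.
    meta:
        description = "Detects INC/Lynx Affiliate ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "df1e112f98cb8dcb68a90f3093324a723ba3e7eb4d5650fb8a517a93651c1f3c"
    strings:
        $s0 = "::::" nocase
        $h1 = { 1D 79 C5 ED D4 78 F9 12 15 7D EA 7E 8E 34 D? }   // was "... 34 D"
        $r2 = /[A-Za-z0-9]{56}\.onion/
        $r3 = /README\..{3,10}/i
        $r4 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s6 = "Do not rename" nocase
    condition:
        // Equivalent to the original "3 of them" with $r2 doubled.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (($r2 and 1 of ($s*, $h1, $r3, $r4)) or 3 of ($s*, $h1, $r3, $r4))
}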
INC/Lynx_Affiliate_rule_3
Elastic Security
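rule INC_Lynx_Affiliate_ransomware_3 {
    // $h2, $h5, $h6 and $h7 ended in a lone hex digit (syntax error); each
    // is kept with a '?' low-nibble wildcard.
    meta:
        description = "Detects INC/Lynx Affiliate ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a583866baad060827a1f267c4c19323e4ee8ccc7509949351e00715984e503d1"
    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $h1 = { 56 0C 8D 02 B2 AF B3 02 34 69 66 05 13 C7 7E 23 77 C7 18 }
        $h2 = { 0B C6 09 12 9C 67 13 3A C1 81 60 96 4B 81 E7 59 BB 2? }   // was "... BB 2"
        $s3 = "ChaCha20" nocase
        $h4 = { 80 C2 45 80 1A A5 EE 25 BE 38 FC 10 0D 7E 1E }
        $h5 = { 29 06 AE 44 6C D1 87 76 29 C1 9B 3A 33 8C 21 4A C0 31 B? }   // was "... 31 B"
        $h6 = { 59 0C 0F 3D 14 5A 7C 18 F2 52 FE C0 FC 64 96 99 23 4? }   // was "... 23 4"
        $h7 = { A1 63 EF 0F 61 E5 12 1B 0E 67 75 80 23 B9 4E 96 F1 38 CE 7C 2D 61 37 4? }   // was "... 37 4"
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}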
Interlock
1 rules
.yar
Interlock_rule_1
CISA
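rule Interlock_ransomware_1 {
    // $h1 and $h5 ended in a lone hex digit (syntax error); kept with '?'.
    // $r3 duplicated $r0 and $r7 duplicated $r6, so each regex counted twice
    // towards "4 of them"; duplicates dropped, condition made equivalent.
    meta:
        description = "Detects Interlock ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "235de1054e2a347903b94314a904e8632fdf4ed9b80787d85902be7ef1b304c8"
    strings:
        $r0 = /README\..{3,10}/i
        $h1 = { 28 5B 16 B9 27 E2 6C 24 F1 34 50 33 5? }   // was "... 33 5"
        $h2 = { 46 7C 71 A3 DB A6 B5 77 E8 4E E9 C1 77 84 C9 F4 9C 5E 1F B5 }
        $h4 = { FA 95 0E 57 A0 DC 10 49 6E 71 A0 BA B9 18 74 6E 6B E4 1D 1F 8E 7C 39 D7 }
        $h5 = { AA 31 E3 52 A5 41 5C CF 69 C? }   // was "... 69 C"
        $r6 = /[A-Za-z0-9]{56}\.onion/
    condition:
        // Both regexes, or one regex plus two hex patterns, or all four hex.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (($r0 and $r6) or (1 of ($r*) and 2 of ($h*)) or all of ($h*))
}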
IotaSec
3 rules
.yar
IotaSec_rule_1
YARA-Rules/rules
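rule IotaSec_ransomware_1 {
    // $h0 and $h1 ended in a lone hex digit (syntax error); kept with '?'.
    meta:
        description = "Detects IotaSec ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "3df50bf2fa916054aea309ffd595d233897f36bdbb6f649221b7f4e768376ce2"
    strings:
        $h0 = { 5A DD C6 1B B3 66 BF D9 46 9? }   // was "... 46 9"
        $h1 = { E9 12 84 9D 1C 26 4A 8E 73 E6 17 20 5C 2B D5 2E E2 F5 43 E0 44 44 5F 5? }   // was "... 5F 5"
        $r2 = /[A-Za-z0-9]{56}\.onion/
    condition:
        // "3 of them" on three strings means all must match.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}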
IotaSec_rule_2
CISA
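rule IotaSec_ransomware_2 {
    // $h4 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects IotaSec ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c728c2c468a1e334d5be418406cc1e47f8f0f484485466dc13405b7f11143a58"
    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $s1 = "AES-256" nocase
        $h2 = { E7 AD 8A F6 18 1F 7F 3B 6F }
        $s3 = "!!!" nocase
        $h4 = { 3A 75 E0 48 23 92 A4 84 54 A9 21 60 F6 03 33 BA 81 5B AF B3 3? }   // was "... B3 3"
    condition:
        // $r0 + $s1 + $s3 are all generic and together meet the threshold.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}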
IotaSec_rule_3
RansomwareMonitor
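rule IotaSec_ransomware_3 {
    // $h5 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects IotaSec ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b482bddc09994b32595a3145b0e380578df39a4d6b8ca5d3fec81c63bf13f80c"
    strings:
        $h0 = { CE 2A D9 B3 EE 51 38 14 16 04 75 BA D5 C1 4B D6 3C FF BC 97 63 }
        $s1 = "Do not rename" nocase
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s3 = "RECOVER" nocase
        $h4 = { 50 1A FC 83 B1 47 5D 36 A2 F9 60 F7 46 EE 0E E8 2B D0 98 A8 BB D4 }
        $h5 = { 1B 33 02 F3 70 6A 01 8B EB 93 82 64 02 2E F1 C2 98 F7 BE 20 29 29 F9 8? }   // was "... F9 8"
        $s6 = "BITCOIN" nocase
        $h7 = { 61 4F 03 79 4F D6 F9 74 C4 3B 5A 30 04 AB C7 04 B4 D4 20 1C }
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}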
Kappa
1 rules
.yar
Kappa_rule_1
Malpedia
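rule Kappa_ransomware_1 {
    // $h3, $h4 and $h7 ended in a lone hex digit (syntax error); kept with '?'.
    meta:
        description = "Detects Kappa ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "bdb3cb3baf63317beb6e26a8cb1172004e0040d4677e63359653d7efd57fede9"
    strings:
        $s0 = "::::" nocase
        $h1 = { A4 14 9F E1 7D 03 75 DB EB 42 CB DD 13 }
        $s2 = "DECRYPT" nocase
        $h3 = { D2 60 83 FB 28 6C E1 97 8D 9F 95 2B 46 D5 6A 3B 61 67 33 3? }   // was "... 33 3"
        $h4 = { C0 16 14 69 95 07 30 9B 7A 6? }   // was "... 7A 6"
        $s5 = ".kappa" nocase
        $h6 = { 59 58 BA 25 55 A4 31 AD F2 F7 39 DC 58 1D 8B BF }
        $h7 = { 49 98 67 D4 6F 7A 42 E9 C6 A9 69 FF EF 00 00 1? }   // was "... 00 1"
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}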
Leviathan
1 rules
.yar
Leviathan_rule_1
Elastic Security
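rule Leviathan_ransomware_1 {
    // $h0 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects Leviathan ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "97ec7d00236089ded65881fc2dfa2cddd26965878eb219628a7530476eaa48f5"
    strings:
        $h0 = { 37 9C 5B 8A 91 AE 37 CA 0D 9E 8A 64 9E F8 8F 5? }   // was "... 8F 5"
        $s1 = ".leviathan" nocase
        $r2 = /[A-Za-z0-9]{56}\.onion/
        $r3 = /README\..{3,10}/i
        $h4 = { 6A 1E B0 96 53 96 1D FA 5D AC B8 5A 52 B2 1A A8 D0 E5 }
        $h5 = { 1C 41 9C 41 A5 DB C3 3B CD A7 AF 31 A4 05 70 56 05 C2 00 A4 81 92 }
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}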
Lich
1 rules
.yar
Lich_rule_1
YARA-Rules/rules
rule Lich_ransomware_1 {
    // Three generic ransom-note phrases, all required (3 of 3). Nothing here
    // is specific to this family.
    meta:
        description = "Detects Lich ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "5ddf4779693ed2e67d6caff1ee879e29faf39de29b95ec4e91ff357005d7fa2c"
    strings:
        $s0 = "Do not rename" nocase
        $s1 = "Do not modify" nocase
        $s2 = "YOUR FILES" nocase
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}
LockBit 3.0
1 rules
.yar
LockBit3_Ransomware
Community YARA Rules
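rule LockBit3_Ransomware {
    // Every ".lockbit" ($s2) match also matches "lockbit" nocase ($s1), so
    // with "2 of them" the extension string alone used to fire the rule. The
    // condition now requires a second independent artefact alongside that
    // pair; all strings are unchanged.
    meta:
        description = "Detects LockBit 3.0 ransomware artifacts"
        author = "Security Research"
        date = "2024-01-01"
    strings:
        $s1 = "lockbit" ascii nocase
        $s2 = ".lockbit" ascii
        $s3 = "restore-my-files.txt" ascii nocase
        $mutex = "Global\\{BEF461A8-" ascii
    condition:
        uint16(0) == 0x5A4D and
        (2 of ($s2, $s3, $mutex) or (1 of ($s1, $s2) and 1 of ($s3, $mutex)))
}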
Locky
3 rules
.yar
Locky_rule_1
InQuest
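rule Locky_ransomware_1 {
    // $h0 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects Locky ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "918dbea554d86ed3c709e8f4a8fd89be50ddc796aba7addf76bbee90a98c4abd"
    strings:
        $h0 = { 6C 19 24 D5 5B D4 97 99 26 25 C7 09 8D C3 03 3C B4 EC F1 7A 6B 03 5? }   // was "... 03 5"
        $r1 = /README\..{3,10}/i
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s3 = "Do not rename" nocase
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}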
Locky_rule_2
YARA-Rules/rules
rule Locky_ransomware_2 {
    // Family name, onion-address regex and "BITCOIN"; any two hits fire.
    // "Locky" nocase is a substring match, so it also hits longer words
    // that contain it.
    meta:
        description = "Detects Locky ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "596a112792a99cd3e4131d72b0bf9a23cdd2e480019c21c43ec1996468f0530a"
    strings:
        $s0 = "Locky" nocase
        $s2 = "BITCOIN" nocase
        $r1 = /[A-Za-z0-9]{56}\.onion/
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}
Locky_rule_3
Elastic Security
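rule Locky_ransomware_3 {
    // $h0 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects Locky ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f0e50054f3ef5e74ee72ec3d8e80e1cfcd13cbf231659b1c45f3c9683039aa4d"
    strings:
        $h0 = { CB 60 E7 46 C8 BA 4B 43 09 F9 52 23 95 4C 71 6B 82 4D 64 85 D7 E? }   // was "... D7 E"
        $r1 = /README\..{3,10}/i
        $r2 = /[A-Za-z0-9]{56}\.onion/
    condition:
        // "3 of them" on three strings means all must match.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}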
Mallox v2
2 rules
.yar
Mallox_v2_rule_1
RansomwareMonitor
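rule Mallox_v2_ransomware_1 {
    // $h2 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    // $r3 duplicated $r1 (counted twice); dropped, condition made equivalent.
    meta:
        description = "Detects Mallox v2 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "ac65a4392b472684fe9308e23284820061cfb3b34c5faf8ca4996a923134eef1"
    strings:
        $h0 = { 14 06 DB 28 1C BC 6F B4 91 4B E3 BD 0D 99 17 38 90 6E 20 73 8E 6D 3B }
        $r1 = /README\..{3,10}/i
        $h2 = { EE E5 04 96 2E EB D1 E6 80 DD FA C7 2B 4? }   // was "... 2B 4"
        $s4 = "Do not modify" nocase
    condition:
        // The README regex alone satisfied the original "2 of them".
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        ($r1 or 2 of ($h*, $s4))
}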
Mallox_v2_rule_2
YARA-Rules/rules
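rule Mallox_v2_ransomware_2 {
    // $r5 duplicated $r3 and counted twice towards "3 of them"; dropped and
    // the condition rewritten to the exact equivalent.
    meta:
        description = "Detects Mallox v2 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "62ff582aa679b0e3062e3cc0a5ba08a61f55f6c23e0d0cfd6138772bbb690b43"
    strings:
        $s0 = "RSA-2048" nocase
        $h1 = { 3D 24 8A 13 3E 81 45 8E 64 3C B4 AB 16 B7 1B 3C FB }
        $s2 = "Do not modify" nocase
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s4 = "DECRYPT" nocase
        $r6 = /[A-Za-z0-9]{56}\.onion/
        $h7 = { AA 58 D6 1E 4E F4 F7 71 EF 5F }
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (($r3 and 1 of ($s*, $h*, $r6)) or 3 of ($s*, $h*, $r6))
}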
Maze
1 rules
.yar
Maze_Ransomware
Community YARA Rules
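rule Maze_Ransomware {
    // "maze" as a case-insensitive substring also matches "amazed",
    // "Amazeum" and similar; "fullword" restricts it to the standalone
    // token. The note name and "ChaCha" are unchanged.
    meta:
        description = "Detects Maze ransomware"
        author = "Security Research"
    strings:
        $s1 = "DECRYPT-FILES" ascii
        $s2 = "maze" ascii nocase fullword
        $s3 = "ChaCha" ascii
    condition:
        uint16(0) == 0x5A4D and 2 of them
}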
Medusa v2
3 rules
.yar
Medusa_v2_rule_1
YARA-Rules/rules
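rule Medusa_v2_ransomware_1 {
    // $h2 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects Medusa v2 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7b6028f5b631ec714ed14af748216ed58d73bca8d6a44f16d2220804a4304801"
    strings:
        $s0 = "RECOVER" nocase
        $r1 = /[A-Za-z0-9]{56}\.onion/
        $h2 = { FE AF B6 C9 21 C2 52 C6 35 8C 1C 31 B3 22 08 AC 08 86 2F 87 94 F? }   // was "... 94 F"
        $s3 = "ChaCha20" nocase
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}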
Medusa_v2_rule_2
Florian Roth
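rule Medusa_v2_ransomware_2 {
    // $r5 duplicated $r1 and counted twice towards "4 of them"; dropped and
    // the condition rewritten to the exact equivalent.
    meta:
        description = "Detects Medusa v2 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "6e0793edfc902d10498c63ec1a9701b5777b0c21578a7eb48970ef6275bfa829"
    strings:
        $s0 = ".onion" nocase
        $r1 = /[A-Za-z0-9]{56}\.onion/
        $s2 = ".medusa_v2" nocase
        $h3 = { 22 04 99 A5 67 35 2E 96 3C B2 22 EA 14 1D 24 C2 93 66 79 FA A6 0F 20 }
        $r4 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        // Any $r1 match also contains $s0, so $r1 plus one more suffices.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (($r1 and 2 of ($s*, $h3, $r4)) or all of ($s*, $h3, $r4))
}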
Medusa_v2_rule_3
InQuest
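rule Medusa_v2_ransomware_3 {
    // $h3 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    // $r6 duplicated $r5 (counted twice); dropped, condition made equivalent.
    meta:
        description = "Detects Medusa v2 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "06efe8febadbcbb5b45ac1c520d623c53321fd3310b49fbf91af83de568c2f8f"
    strings:
        $s0 = "DECRYPT" nocase
        $h1 = { 23 D1 21 C9 B3 62 CA 3F 66 3A 38 }
        $h2 = { FE 78 D9 7B 7A A1 0C 00 FD 60 3A }
        $h3 = { 21 51 3F 11 3B 7C E2 6A 2D 38 69 C4 BF A4 7D 5D 34 31 48 C2 65 6? }   // was "... 65 6"
        $r4 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $r5 = /[A-Za-z0-9]{56}\.onion/
        $h7 = { 42 70 53 95 E7 91 64 15 5D 30 0F }
    condition:
        // Equivalent to the original "4 of them" with $r5 doubled.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (($r5 and 2 of ($s0, $h*, $r4)) or 4 of ($s0, $h*, $r4))
}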
MegaCortex
2 rules
.yar
MegaCortex_rule_1
Elastic Security
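rule MegaCortex_ransomware_1 {
    // $r3 duplicated $r1 and counted twice towards "4 of them". Without the
    // doubled regex only three strings remain, so the original condition was
    // exactly: Bitcoin regex AND two of the other three.
    meta:
        description = "Detects MegaCortex ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "8023f14969a20df7ca2c25e8a38a10751c9f696626ffe7e46326419a73a38347"
    strings:
        $r0 = /README\..{3,10}/i
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h2 = { D6 D3 51 B3 90 24 11 44 64 DE }
        $s4 = "MegaCortex" nocase
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        $r1 and 2 of ($r0, $h2, $s4)
}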
MegaCortex_rule_2
Malpedia
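rule MegaCortex_ransomware_2 {
    // $h0 and $h4 ended in a lone hex digit (syntax error); kept with '?'.
    meta:
        description = "Detects MegaCortex ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a57230ba3345a98db12df1b29f34ae4ae5b7481bfe06bc45dfb6cd5156cc44f0"
    strings:
        $h0 = { 5C 34 EF B4 B6 B6 DB C3 6F 4C 76 9C 03 9D B8 05 AA 32 23 11 15 FC 4? }   // was "... FC 4"
        $s1 = "ChaCha20" nocase
        $s2 = "!!!" nocase
        $r3 = /README\..{3,10}/i
        $h4 = { 0C C9 32 FD D5 79 C2 2F 1B D8 2F 1B 75 F6 EE 3? }   // was "... EE 3"
    condition:
        // $s1 + $s2 + $r3 are all generic and together meet the threshold.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}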
MetaEncryptor
3 rules
.yar
MetaEncryptor_rule_1
InQuest
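rule MetaEncryptor_ransomware_1 {
    // $h1 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    // $r4 duplicated $r0 and $r6 duplicated $r5, so each regex counted twice
    // towards "4 of them"; duplicates dropped, condition made equivalent.
    meta:
        description = "Detects MetaEncryptor ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "e38145560263c1e028f1ab4d7bea498e86769277ce709bb39823090a91b210dc"
    strings:
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h1 = { F3 7F CE 4A 14 44 F8 0F 97 BC 7C EE BE 8F 32 A1 54 F7 EA 87 8A 93 F? }   // was "... 93 F"
        $h2 = { AE E9 30 34 6D 6D 6C 53 5F 7C 66 C9 8D 49 B3 45 }
        $s3 = "YOUR FILES" nocase
        $r5 = /[A-Za-z0-9]{56}\.onion/
        $s7 = "Do not modify" nocase
    condition:
        // Both regexes, or one regex plus two others, or all four others.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (($r0 and $r5) or (1 of ($r*) and 2 of ($h*, $s*)) or all of ($h*, $s*))
}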
MetaEncryptor_rule_2
Malpedia
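rule MetaEncryptor_ransomware_2 {
    // $h1 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects MetaEncryptor ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "540b27f95dcc2ceb5a4a84b9534cb12371424784e5e344a25aa60e0b48a1a978"
    strings:
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h1 = { BB 07 81 21 5B AB 5D 79 7B 39 90 06 C8 B1 3C 92 50 DD 1? }   // was "... DD 1"
        $s2 = "TOX:" nocase
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}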
MetaEncryptor_rule_3
Elastic Security
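rule MetaEncryptor_ransomware_3 {
    // $h1 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    // $s5 duplicated $s2 ("README") and counted twice towards "4 of them";
    // dropped, condition made equivalent.
    meta:
        description = "Detects MetaEncryptor ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f0156a2fd73bfa288cdce515c6ecdf4beab944c6f3ee33b1d58ef21464a3d54f"
    strings:
        $s0 = "ENCRYPTED" nocase
        $h1 = { 06 99 61 EF 43 57 50 D9 34 7A 86 04 FB 3F 64 3? }   // was "... 64 3"
        $s2 = "README" nocase
        $r3 = /[A-Za-z0-9]{56}\.onion/
        $r4 = /README\..{3,10}/i
        $s6 = "MetaEncryptor" nocase
    condition:
        // Any $r4 match also contains $s2, so those two count as a pair.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (($s2 and 2 of ($s0, $h1, $r*, $s6)) or 4 of ($s0, $h1, $r*, $s6))
}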
Midnight
3 rules
.yar
Midnight_rule_1
RansomwareMonitor
rule Midnight_ransomware_1 {
    // Only generic content: a note phrase, ".onion" and the Bitcoin-address
    // regex. Any two hits fire.
    meta:
        description = "Detects Midnight ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "471a20f04108df9745472463dcfafb281448cb69c9687ecf2f0563bbef82a74e"
    strings:
        $s0 = "Do not modify" nocase
        $s1 = ".onion" nocase
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}
Midnight_rule_2
VirusTotal
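rule Midnight_ransomware_2 {
    // $h2 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects Midnight ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c93a01d6afe2c8145d59a604094022f9fd226e3a2d01f4c2ddd78fdb35b5493c"
    strings:
        $h0 = { A4 4E 45 56 15 E8 8A C9 29 19 5C B4 }
        $s1 = "RECOVER" nocase
        $h2 = { 7E 3B C9 A7 CF 83 1B E3 2? }   // was "... E3 2"
        $s3 = "ENCRYPTED" nocase
    condition:
        // "RECOVER" + "ENCRYPTED" alone satisfy the threshold.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}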
Midnight_rule_3
Malpedia
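rule Midnight_ransomware_3 {
    // $r2 and $r5 duplicated $r0, so that regex counted three times towards
    // "2 of them"; duplicates dropped, condition made equivalent.
    meta:
        description = "Detects Midnight ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b744b99feccb165b517e2bf84aa23efd981adf66cf49b8a67aeb0ee371e1bc8d"
    strings:
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s1 = "::::" nocase
        $h3 = { B8 72 5F F4 BF 0E FA B1 A5 9D FA FB 37 A1 36 D0 B4 60 52 }
        $r4 = /README\..{3,10}/i
        $h6 = { 89 AC 18 07 04 3A 28 FB C5 9C 39 4A D0 C6 25 C6 91 0C 4B }
    condition:
        // The Bitcoin regex alone satisfied the original threshold.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        ($r0 or 2 of ($s1, $h*, $r4))
}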
Mjolnir
2 rules
.yar
Mjolnir_rule_1
Florian Roth
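rule Mjolnir_ransomware_1 {
    // $h3 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects Mjolnir ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "af8393d66093cb9787d8f16c8dd533d49b0a659325945cf73d9c3b0c6bd0fa35"
    strings:
        $h0 = { 7D 47 70 4F B0 6A CE 5E 10 C3 78 D7 63 64 }
        $r1 = /README\..{3,10}/i
        $s2 = "::::" nocase
        $h3 = { 0A 4F FE E4 09 45 9A 74 16 C4 51 68 E2 4A 72 43 B? }   // was "... 43 B"
        $s4 = "Mjolnir" nocase
    condition:
        // Four of five: at least one hex pattern is always required.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}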
Mjolnir_rule_2
RansomwareMonitor
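rule Mjolnir_ransomware_2 {
    // $s4 duplicated $s3 (".mjolnir") and counted twice towards "4 of them".
    // Without the doubled string only three remain, so the original condition
    // was exactly: ".mjolnir" AND two of the other three.
    meta:
        description = "Detects Mjolnir ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c0aaaea27f409474af03fd0105c29933d4ffc990598d4de2cd944d9ace2fd91c"
    strings:
        $s0 = "ENCRYPTED" nocase
        $h1 = { 93 93 C3 F9 9B DD 97 50 A1 10 F9 28 BA F5 55 65 96 }
        $h2 = { B5 CF FC B9 64 77 56 D3 92 }
        $s3 = ".mjolnir" nocase
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        $s3 and 2 of ($s0, $h*)
}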
MonsoonUnit
1 rules
.yar
MonsoonUnit_rule_1
Florian Roth
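rule MonsoonUnit_ransomware_1 {
    // $h1, $h2, $h3 and $h4 all ended in a lone hex digit (syntax error);
    // each is kept with a '?' low-nibble wildcard.
    meta:
        description = "Detects MonsoonUnit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "3a9a4f96d2d8492464afeb9f667917538c9aa72499427dba40db6b75c4ec42e5"
    strings:
        $s0 = "!!!" nocase
        $h1 = { 4D 6C C4 1B BA 08 E2 E2 B4 FD 83 9E F8 0E D9 E5 94 F6 72 F1 C1 53 B? }   // was "... 53 B"
        $h2 = { 06 D0 E8 DD 46 F4 88 50 7E 04 A0 52 D0 34 78 35 CC E7 40 72 E9 EE B? }   // was "... EE B"
        $h3 = { B0 BA EB 01 A0 DC 92 DC 45 C7 2E 7? }   // was "... 2E 7"
        $h4 = { E1 8E B6 6E 9A 6E 75 A3 5E DB 7F 3F 89 27 0A 9D 46 06 1? }   // was "... 06 1"
    condition:
        // Four of five: at least three hex patterns are always required.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}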
NW Generation
1 rules
.yar
NW_Generation_rule_1
RansomwareMonitor
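rule NW_Generation_ransomware_1 {
    // $h2 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects NW Generation ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "aee2ca727ff8180145e5e8b7dbde49c46a2c28bf2d7dbc8d253964d3dff7aa9f"
    strings:
        $h0 = { 32 6F 92 12 DD FD A7 58 69 94 9F BE 64 2C 53 C6 5E A1 }
        $r1 = /README\..{3,10}/i
        $h2 = { BF 1F 8E DE D1 4F 02 89 2E B3 B4 E9 5? }   // was "... E9 5"
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}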
NebulaWare
3 rules
.yar
NebulaWare_rule_1
VirusTotal
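rule NebulaWare_ransomware_1 {
    // $h1 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects NebulaWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c48d4cd3a9daa7f5a4bcdc8d376764a71a7428ac20bc781595704ad694c02d51"
    strings:
        $h0 = { 07 E1 28 BC 29 50 B8 F0 78 53 16 }
        $h1 = { C9 86 6A D7 16 C6 E7 0E 9A C6 F1 5B 47 43 4B D1 0D 49 D? }   // was "... 49 D"
        $h2 = { F8 44 40 87 11 76 03 D0 32 C9 9F 7A 61 28 82 24 0B 9F 2E 08 02 }
        $h3 = { 52 C0 E8 52 A1 0C CB 0D E7 9A 74 A5 EB 60 3E 42 0C 19 9A DE }
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}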
NebulaWare_rule_2
InQuest
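rule NebulaWare_ransomware_2 {
    // $h1 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects NebulaWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c5d5cb04cd5846a1d248b9dc5444708036f7c8a92e85979228dc47c526f96b62"
    strings:
        $s0 = "RECOVER" nocase
        $h1 = { 75 18 3D 6E 8A 17 26 43 D0 A4 E? }   // was "... A4 E"
        $r2 = /README\..{3,10}/i
    condition:
        // $s0 + $r2 are both generic and together meet the threshold.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}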
NebulaWare_rule_3
VirusTotal
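rule NebulaWare_ransomware_3 {
    // $h1 ended in a lone hex digit (syntax error); kept with a '?' wildcard.
    meta:
        description = "Detects NebulaWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "565a49f3018d01f6268240b23ebf012c35b29a119e5967bd002281d72c5bfcac"
    strings:
        $h0 = { 84 C2 A2 4B 94 2B 53 F5 52 7B 36 9F BE 11 56 19 B0 53 }
        $h1 = { 20 3E F0 99 E1 09 44 BE 23 C1 EF C2 9B 8? }   // was "... 9B 8"
        $s2 = ".onion" nocase
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}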
Nova
3 rules
.yar
Nova_rule_1
Florian Roth
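rule Nova_ransomware_1 {
    meta:
        description = "Detects Nova ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9580f4c604d329342d4698381baea8e779c3ead74cb04cb3f7f9985eadbf1d50"
    strings:
        // The original declared "ENCRYPTED" twice ($s0 and $s4); identical
        // patterns match the same offsets, so one hit counted twice toward
        // "2 of them". The duplicate was removed.
        $s0 = "ENCRYPTED" nocase
        $h1 = { F7 F8 6A 03 13 D1 B2 15 B4 }
        // NOTE: any match on $r2 also satisfies $s3, so these two together
        // still clear the threshold on a single v3 onion address.
        $r2 = /[A-Za-z0-9]{56}\.onion/
        $s3 = ".onion" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}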
Nova_rule_2
Florian Roth
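rule Nova_ransomware_2 {
    meta:
        description = "Detects Nova ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f73d4eb58d2c58497dec2c13d0d827cea34d1da5f98027bdddeb7c84dd11bd90"
    strings:
        // Unpaired trailing nibble ("6") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h0 = { 52 37 0E D7 D4 4B C4 3C 38 EA 27 9C }
        $r1 = /[A-Za-z0-9]{56}\.onion/
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s3 = "RECOVER" nocase
        $r4 = /README\..{3,10}/i
        $h5 = { 48 40 01 16 CD 0C BD 8C 0B D6 09 95 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}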
Nova_rule_3
Florian Roth
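rule Nova_ransomware_3 {
    meta:
        description = "Detects Nova ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "bcb224af702cea3ee7b7b3520dd294cf8535c600063dd149076ebb09aa44e516"
    strings:
        // Duplicate Bitcoin-address regex ($r2) removed: identical patterns
        // let one match count twice toward "2 of them".
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h1 = { 93 83 8F 29 2A 52 B7 81 D6 D8 05 13 2A 3E 06 14 95 47 D8 }
        $r3 = /[A-Za-z0-9]{56}\.onion/
        $s4 = "RECOVER" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}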
OpalBit
3 rules
.yar
OpalBit_rule_1
Florian Roth
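rule OpalBit_ransomware_1 {
    meta:
        description = "Detects OpalBit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b4825eb94055a9b779f016b6f14ff491954eff1d49cf0402803df2135f43a4ce"
    strings:
        // Duplicate README regex ($r1) removed: it let one note-filename hit
        // count twice toward the threshold. With three distinct indicators
        // the original "3 of them" now means all of them.
        $r0 = /README\..{3,10}/i
        $s2 = "OpalBit" nocase
        $h3 = { A6 82 92 7F 06 5A 5A 49 C6 0C CE 24 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them
}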
OpalBit_rule_2
Elastic Security
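rule OpalBit_ransomware_2 {
    meta:
        description = "Detects OpalBit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "770e44d09c8a84cd265a6a865d96742bcc1bb3d33748a278c917a53ecc6ae858"
    strings:
        $h0 = { 6D 2A 54 7D 35 7E F4 30 08 }
        // "::::" is a very low-entropy token; it is only useful because the
        // condition requires four of the five indicators.
        $s1 = "::::" nocase
        $s2 = "TOX:" nocase
        // Unpaired trailing nibble ("4") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h3 = { 6E 00 8F 0F BA 53 F9 A6 19 62 7C B8 93 }
        $r4 = /[A-Za-z0-9]{56}\.onion/
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}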
OpalBit_rule_3
Malpedia
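rule OpalBit_ransomware_3 {
    meta:
        description = "Detects OpalBit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7f5436cae96dfad2dbbf1932a7ec6aac08436c51789c8d6c35b99b5b6101ec29"
    strings:
        $h0 = { 21 60 8D 64 99 2B 7E FD }
        // Duplicate Bitcoin-address regex ($r3) removed: identical patterns
        // let one match count twice toward "2 of them".
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $r2 = /README\..{3,10}/i
        $s4 = "AES-256" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}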
OracleData
3 rules
.yar
OracleData_rule_1
Elastic Security
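rule OracleData_ransomware_1 {
    meta:
        description = "Detects OracleData ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "6213d92ade9221d221c3b27d8c6d2104fefc33cae7021cbb3796fc9594555195"
    strings:
        $s0 = "README" nocase
        // Unpaired trailing nibble ("C") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h1 = { B6 27 C1 26 1B DF DC 18 E8 }
        $r2 = /[A-Za-z0-9]{56}\.onion/
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them               // three strings, threshold was 3
}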
OracleData_rule_2
Florian Roth
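rule OracleData_ransomware_2 {
    meta:
        description = "Detects OracleData ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "0bd3681d2762482db1eee99d20fab70ca503593431a48226738d1a3187171671"
    strings:
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $r1 = /[A-Za-z0-9]{56}\.onion/
        // Duplicates of "PAYMENT" ($s3) and "BITCOIN" ($s7) removed: a
        // repeated pattern lets one hit count twice toward "2 of them".
        $s2 = "PAYMENT" nocase
        $h4 = { B2 CA 01 F7 D6 2F 73 8A 84 75 A6 42 41 DD DB 2F }
        $s5 = "BITCOIN" nocase
        $h6 = { 7D CC 82 85 12 45 52 38 86 09 5F CA B7 96 E4 18 5B }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}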
OracleData_rule_3
RansomwareMonitor
rule OracleData_ransomware_3 {
    meta:
        description = "Detects OracleData ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "e0e66c23f45f05e17508610ca607af120f4dab438c5ee42e25fe7b3365af66fc"
    strings:
        // Sample-specific byte sequence.
        $h2 = { 10 30 14 D5 BC 4D ED 6E F7 2C CF D1 88 7D 9F 60 4A 59 FE 55 4D }
        // Generic ransomware text markers (Tor address suffix, note name).
        $s0 = ".onion" nocase
        $s1 = "README" nocase
    condition:
        // PE files under 5 MB carrying any two of the three indicators.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}
Pearl
2 rules
.yar
Pearl_rule_1
CISA
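rule Pearl_ransomware_1 {
    meta:
        description = "Detects Pearl ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "70aeb181ead5dcb349b697b83e8dfccdeb2514060cded082cda3f084ae6327da"
    strings:
        $h0 = { E8 E0 53 D3 7F 1B E6 AE EA 12 00 E7 1F 43 }
        $h1 = { EC F7 E2 62 1F C4 A7 C6 }
        // Unpaired trailing nibble ("A") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h2 = { 7E 50 E7 0D DE 08 86 BC 7C E1 F0 03 8D 9C 0E BA 6C 83 1E A4 B6 15 0C }
        $s3 = "PAYMENT" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}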
Pearl_rule_2
RansomwareMonitor
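rule Pearl_ransomware_2 {
    meta:
        description = "Detects Pearl ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "4ae452b53937fdb14d53efdcd893d0377596ecc7934b78675a42345fbed3643e"
    strings:
        // $h0 and $h4 each ended in an unpaired nibble ("C", "B"), which
        // YARA rejects; the dangling nibbles were dropped so the rule
        // compiles. Restore the full bytes from the referenced sample.
        $h0 = { FF 4D 6B 12 A0 3F D5 C6 04 11 13 4A C3 B6 6E }
        $s1 = "::::" nocase
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s3 = "README" nocase
        $h4 = { CB CD A6 3B 40 0F 2A C6 41 E8 05 AD 4B 9D 77 EE D8 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}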
PerseusCrew
2 rules
.yar
PerseusCrew_rule_1
Elastic Security
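rule PerseusCrew_ransomware_1 {
    meta:
        description = "Detects PerseusCrew ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "e85a55b5ebe92570de3495367a702c80822c4cbd6a22f194badee2ba2afdc8fb"
    strings:
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h1 = { DA F6 D2 B7 47 E1 B9 A2 33 D1 54 7E 0A FE 46 7A A6 7D B5 9C 16 69 3C }
        $h2 = { 11 27 4A 5E 23 98 9B A0 08 83 68 73 C5 01 DA 37 14 E9 }
        $s3 = "Do not rename" nocase
        // Unpaired trailing nibble ("B") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h4 = { 9C 26 D2 A7 E0 6A A0 ED D5 AF 64 D6 03 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}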
PerseusCrew_rule_2
CISA
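rule PerseusCrew_ransomware_2 {
    meta:
        description = "Detects PerseusCrew ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "2d93104efb2472256b96e84ac1da22f87eb8027cd9e4547185d6181143c4a06b"
    strings:
        $s0 = "PAYMENT" nocase
        // Unpaired trailing nibble ("2") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h1 = { 45 55 22 88 55 12 D4 71 60 FA 22 BA 41 }
        // Duplicate Bitcoin-address regex ($r3) removed: identical patterns
        // let one match count twice toward "2 of them".
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h4 = { 41 C7 A4 0B 73 4C 40 31 A5 EB 2F 4F 0A D0 16 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}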
Phobos
1 rules
.yar
Phobos_rule_1
InQuest
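rule Phobos_ransomware_1 {
    meta:
        description = "Detects Phobos ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "33995b178079f93269a02a4940f454ee9c10f7a940468dd211fbd16e1806c791"
    strings:
        $s0 = "AES-256" nocase
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Unpaired trailing nibble ("6") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h2 = { 9D 24 02 F7 A7 5B 79 CD }
        $h3 = { DC 30 BD 5C 08 5C 21 12 A0 79 55 E8 A8 }
        $r4 = /README\..{3,10}/i
        $h5 = { 4C BE EE 98 EC D2 1E DC BD 93 2F AE DE 3F CB }
        $r6 = /[A-Za-z0-9]{56}\.onion/
        $h7 = { 7C F8 7C 08 AE 00 7B 7F FE }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}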
Play
1 rules
.yar
Play_Ransomware
Community YARA Rules
rule Play_Ransomware {
    meta:
        description = "Detects Play ransomware"
        author = "Security Research"
    strings:
        // Ransom-note body text, note filename and the appended extension.
        $s3 = "ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED" ascii
        $s1 = "ReadMe.txt" ascii
        $s2 = ".PLAY" ascii
    condition:
        // PE file (MZ header) with any two of the three markers.
        uint16(0) == 0x5A4D
        and 2 of them
}
Pluto
1 rules
.yar
Pluto_rule_1
YARA-Rules/rules
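rule Pluto_ransomware_1 {
    meta:
        description = "Detects Pluto ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "33593287ecf56f422718d8fba8e6c99d143829769b22125205ad56f6b1471781"
    strings:
        // $h0, $h3 and $h5 each ended in an unpaired nibble ("B", "F", "2"),
        // which YARA rejects; the dangling nibbles were dropped so the rule
        // compiles. Restore the full bytes from the referenced sample.
        $h0 = { AC B1 22 47 15 30 28 EA E7 C1 75 1F 7D CC 60 E2 C1 }
        $h1 = { 85 AE 1D E3 9A FE 51 75 6C AD 16 47 B3 AA 23 }
        $s2 = "DECRYPT" nocase
        $h3 = { 6B 70 DB CE 7F 1A C5 BC E6 D6 28 BB 9B BF CA }
        $s4 = "YOUR FILES" nocase
        $h5 = { 54 A9 C9 30 1D E5 25 68 BB C9 67 22 79 18 22 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}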
REvil/Sodinokibi
1 rules
.yar
REvil_Sodinokibi
Community YARA Rules
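rule REvil_Sodinokibi {
    meta:
        description = "Detects REvil/Sodinokibi ransomware"
        author = "Security Research"
    strings:
        $s1 = "sodinokibi" ascii nocase
        $s2 = "Welcome. Again." ascii
        // Salsa20/ChaCha sigma constant; appears in many legitimate crypto
        // libraries, so it only carries weight combined with another hit.
        $s3 = "expand 32-byte k" ascii
        // Start of the embedded JSON config. The original literal contained
        // unescaped double quotes ("{"pk":"), which does not compile in YARA.
        $cfg = "{\"pk\":" ascii
    condition:
        uint16(0) == 0x5A4D and 2 of them   // MZ header
}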
Ragnar Locker
1 rules
.yar
Ragnar_Locker_rule_1
Florian Roth
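rule Ragnar_Locker_ransomware_1 {
    meta:
        description = "Detects Ragnar Locker ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "744cb3774a84dfeae7423a9be044badc3cd2fff4c72922d291e3f0a80fe458e5"
    strings:
        $s0 = "TOX:" nocase
        // Duplicate "DECRYPT" ($s6) removed: a repeated pattern lets one hit
        // count twice toward "3 of them".
        $s1 = "DECRYPT" nocase
        $s2 = "PAYMENT" nocase
        $s3 = ".ragnar_locker" nocase
        $s4 = "AES-256" nocase
        $h5 = { 3D 2A DA 5D 6E 7F 16 D6 09 60 91 76 4A 13 E9 35 B9 63 }
        // Unpaired trailing nibble ("D") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h7 = { 25 8C 11 47 6A 28 4B 03 1B A6 94 3E CE 38 6B 02 2B 9B DB 87 35 CF }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}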
RansomCortex
3 rules
.yar
RansomCortex_rule_1
InQuest
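rule RansomCortex_ransomware_1 {
    meta:
        description = "Detects RansomCortex ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "05ecdaa1807e5f212b72510b600362916afcd6baff398283f7a05f9802d5b3dc"
    strings:
        $s0 = "PAYMENT" nocase
        $r1 = /[A-Za-z0-9]{56}\.onion/
        // $h2 and $h5 each ended in an unpaired nibble ("D"), which YARA
        // rejects; the dangling nibbles were dropped so the rule compiles.
        // Restore the full bytes from the referenced sample.
        $h2 = { D7 32 82 B1 5E F5 15 78 }
        $s3 = "ENCRYPTED" nocase
        $s4 = "Do not modify" nocase
        $h5 = { DC F7 AF 1B 28 C3 41 41 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}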
RansomCortex_rule_2
RansomwareMonitor
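rule RansomCortex_ransomware_2 {
    meta:
        description = "Detects RansomCortex ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9978a522893525e064fbb18d2fcf3480c74309377f2fce84c0bdcf3e655c8b39"
    strings:
        $s0 = "RansomCortex" nocase
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s2 = "Do not rename" nocase
        // Unpaired trailing nibble ("A") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h3 = { B1 0C FB A6 06 8C 97 E3 EF 2F 0A 70 }
        $s4 = "AES-256" nocase
        $h5 = { 50 B4 6C 12 6C 64 CA 58 A2 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}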
RansomCortex_rule_3
CISA
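rule RansomCortex_ransomware_3 {
    meta:
        description = "Detects RansomCortex ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f4b41ee7566b2906f1d9624b4669940488b14e7f4f89ce30024d1a8b7fef57e1"
    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        // "!!!" is an extremely common token; it adds almost no selectivity.
        $s1 = "!!!" nocase
        // Duplicate Bitcoin-address regex ($r3) removed. The original
        // "4 of them" over four strings already required every pattern, and
        // the duplicate matched exactly when $r2 did, so "all of them" over
        // the three distinct strings is equivalent.
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them
}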
Rhysida
1 rules
.yar
Rhysida_rule_1
Elastic Security
rule Rhysida_ransomware_1 {
    meta:
        description = "Detects Rhysida ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "18d5e778dac4f405d8971fa31bd6dead63dcc43d93a93c63f73f45fde9a002f9"
    strings:
        // Sample-specific byte sequences.
        $h0 = { 9D DC 53 3E E0 1E D7 D2 32 62 EB 41 }
        $h3 = { 19 80 E0 DA 95 96 66 4E }
        // Ransom-note phrase and Bitcoin-address shape.
        $s1 = "Do not rename" nocase
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        // Four strings with a threshold of four: every indicator must hit.
        uint16(0) == 0x5A4D and filesize < 5MB and all of them
}
Rigel
2 rules
.yar
Rigel_rule_1
InQuest
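rule Rigel_ransomware_1 {
    meta:
        description = "Detects Rigel ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b7ca41557c11131e17ce2f406ef876e47b619e7bda3d8c95b5ea290bc311a23d"
    strings:
        // Duplicate Bitcoin-address regex ($r2) removed: it let a single
        // address satisfy "2 of them" by itself. Both remaining patterns
        // are generic, so this rule is FP-prone and needs a sample-specific
        // indicator before production use.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $r1 = /README\..{3,10}/i
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them               // two distinct strings, threshold was 2
}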
Rigel_rule_2
Malpedia
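rule Rigel_ransomware_2 {
    meta:
        description = "Detects Rigel ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f0b6f98e9e0548ff47ff55d3f52e44c76a5dee9d96e8941a2208c46acd1f8e43"
    strings:
        // $h0, $h3 and $h4 each ended in an unpaired nibble ("E", "B", "B"),
        // which YARA rejects; the dangling nibbles were dropped so the rule
        // compiles. Restore the full bytes from the referenced sample.
        $h0 = { 3E FB FE 3A 88 7C F2 99 D5 1E 07 73 03 23 3C 2D 82 8C 2F 67 }
        $s1 = "RSA-2048" nocase
        $s2 = "ChaCha20" nocase
        $h3 = { 48 4A 48 2D A0 EB 86 C7 53 36 28 AA 4C 34 CF 9D }
        $h4 = { 27 41 09 9E 93 6D 01 63 4D D6 10 }
        // NOTE: a hit on $r7 always implies a hit on $s5.
        $s5 = ".onion" nocase
        $s6 = "Do not modify" nocase
        $r7 = /[A-Za-z0-9]{56}\.onion/
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}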
Ryuk
1 rules
.yar
Ryuk_Ransomware
Community YARA Rules
rule Ryuk_Ransomware {
    meta:
        description = "Detects Ryuk ransomware"
        author = "Security Research"
    strings:
        // Note filename, note salutation and the ID marker embedded in notes.
        $s1 = "RyukReadMe" ascii
        $s2 = "Gentlemen!" ascii
        $s3 = "UNIQUE_ID_DO_NOT_REMOVE" ascii
    condition:
        // PE file (MZ header) with any two of the three markers.
        uint16(0) == 0x5A4D
        and 2 of them
}
STORMOUS
1 rules
.yar
STORMOUS_rule_1
RansomwareMonitor
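rule STORMOUS_ransomware_1 {
    meta:
        description = "Detects STORMOUS ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "ab3dcc3adf5b49ee7dd2cc6e82f88c925769c83b517215f853f037831d00c04e"
    strings:
        $s0 = ".onion" nocase
        $r1 = /README\..{3,10}/i
        $h2 = { 7C D7 72 73 22 53 E7 46 AD 47 }
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // $h4 and $h5 each ended in an unpaired nibble ("E", "F"), which
        // YARA rejects; the dangling nibbles were dropped so the rule
        // compiles. Restore the full bytes from the referenced sample.
        $h4 = { E7 57 DD AA 5E F3 43 E5 88 61 0B 4C 1A 7F 27 5C 6E AD B6 D1 52 85 0C }
        $h5 = { CA 79 37 31 24 64 F5 81 67 93 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}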
ScorpionWare
3 rules
.yar
ScorpionWare_rule_1
Florian Roth
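rule ScorpionWare_ransomware_1 {
    meta:
        description = "Detects ScorpionWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "112d3deee1b921168d7c1b4c2f27d2062fa1101aeec2b27339a2b93eb3638377"
    strings:
        // All indicators are generic ransom-note text; no sample-specific
        // bytes. Expect false positives on security tooling and documentation.
        $s0 = "AES-256" nocase
        $s1 = "YOUR FILES" nocase
        $s2 = "Do not modify" nocase
        // Duplicate Bitcoin-address regex ($r4) removed: identical patterns
        // let one match count twice toward "4 of them".
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s5 = "ENCRYPTED" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}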
ScorpionWare_rule_2
RansomwareMonitor
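rule ScorpionWare_ransomware_2 {
    meta:
        description = "Detects ScorpionWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "981af184244ebfd25c7e3d4f04565768d193ffe49e25844543403919d5059b77"
    strings:
        // Duplicates of "DECRYPT" ($s6) and ".onion" ($s4) removed: each
        // repeated pattern let one hit count twice toward "4 of them".
        $s0 = "DECRYPT" nocase
        $s1 = ".onion" nocase
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $r3 = /README\..{3,10}/i
        $s5 = "::::" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}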
ScorpionWare_rule_3
CISA
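rule ScorpionWare_ransomware_3 {
    meta:
        description = "Detects ScorpionWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a225f25a271aac7b6b28d927d46b9dca66004c60bbc81689e88236d773546821"
    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        // $h1 and $h2 each ended in an unpaired nibble ("4", "5"), which
        // YARA rejects; the dangling nibbles were dropped so the rule
        // compiles. Restore the full bytes from the referenced sample.
        $h1 = { D8 52 6B 7A 5E 72 13 C0 93 31 4C 71 B3 }
        $h2 = { 1C E5 F1 10 F8 54 E4 36 D7 AD 32 62 5A 83 14 7C 75 }
        $s3 = "ENCRYPTED" nocase
        $s4 = "README" nocase
        // Duplicate Bitcoin-address regex ($r6) removed: identical patterns
        // let one match count twice toward "4 of them".
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}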
Shard
2 rules
.yar
Shard_rule_1
CISA
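rule Shard_ransomware_1 {
    meta:
        description = "Detects Shard ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "2d7a8830af3d0f82bd28ef3ecff4ee817e54f57db3e686ae787f0b9343359b16"
    strings:
        // NOTE: $r0 matching implies $s1 matching, so the effective
        // requirement is "v3 onion address AND $h2".
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $s1 = ".onion" nocase
        // Unpaired trailing nibble ("7") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h2 = { E2 D1 0B 8F 08 AD DA C8 FD }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them               // three strings, threshold was 3
}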
Shard_rule_2
VirusTotal
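rule Shard_ransomware_2 {
    meta:
        description = "Detects Shard ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "d0c73749c050dc6ddc7481453ded5573880e7082a45e2fca36b9df90df79ed94"
    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        // Duplicate Bitcoin-address regex ($r4) removed: identical patterns
        // let one match count twice toward "2 of them".
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // $h2 and $h3 each ended in an unpaired nibble ("3", "5"), which
        // YARA rejects; the dangling nibbles were dropped so the rule
        // compiles. Restore the full bytes from the referenced sample.
        $h2 = { F5 2F F0 8A 34 59 E7 13 2F 27 5A 36 34 CC }
        $h3 = { 7F 51 0D E5 02 E6 A4 BB FC C3 D2 }
        $s5 = "::::" nocase
        $h6 = { 3B 2A C5 54 D0 49 CC 1A D2 48 81 3F }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}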
SingularityWare
3 rules
.yar
SingularityWare_rule_1
Elastic Security
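rule SingularityWare_ransomware_1 {
    meta:
        description = "Detects SingularityWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "6387d159e226d86283ba28a3663c29638e367a53560f87065e4545429746b4d9"
    strings:
        // Three duplicate declarations removed ($r4 == $r0, $r5 == $r3,
        // $s6 == $s1). Each repeated pattern let one hit count twice toward
        // "2 of them", so a lone onion address used to fire the rule.
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $s1 = ".singularityware" nocase
        $r2 = /README\..{3,10}/i
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}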
SingularityWare_rule_2
Elastic Security
rule SingularityWare_ransomware_2 {
    meta:
        description = "Detects SingularityWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "e99152b882d9f15137c9defa02ef1bb7302e695fb01523fbb84cf40633ca8ddd"
    strings:
        // Sample-specific byte sequences.
        $h1 = { AF 05 6D 45 27 A7 7C ED 7C FE 63 80 18 FD 02 D5 BF 66 00 01 7A 4E 57 18 }
        $h3 = { F8 5A 67 02 54 5D EC 2F 80 B7 97 AB 09 E8 C2 B0 }
        // Generic ransom-note words; weak alone.
        $s0 = "RECOVER" nocase
        $s2 = "README" nocase
    condition:
        // PE files under 5 MB with any two indicators.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}
SingularityWare_rule_3
Malpedia
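rule SingularityWare_ransomware_3 {
    meta:
        description = "Detects SingularityWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "4e92d72e37d8add715243a3c08d2fc16e307be1ae1865b421526249a6dddc371"
    strings:
        // Duplicates removed: the README regex was declared three times
        // ($r1, $r3, $r4) and the onion regex twice ($r2, $r5). Repeated
        // patterns let one hit count several times toward "4 of them".
        $s0 = "AES-256" nocase
        $r1 = /README\..{3,10}/i
        $r2 = /[A-Za-z0-9]{56}\.onion/
        $s6 = "RSA-2048" nocase
        $h7 = { BE F3 31 95 E8 42 5D 7F 88 2C }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}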
SplinterHack
1 rules
.yar
SplinterHack_rule_1
Elastic Security
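rule SplinterHack_ransomware_1 {
    meta:
        description = "Detects SplinterHack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b5ec0ff70d0130b159368c06f0301de784b30f0ac863df4ca957d208ff42c344"
    strings:
        // $h0 and $h2 each ended in an unpaired nibble ("8", "5"), which
        // YARA rejects; the dangling nibbles were dropped so the rule
        // compiles. Restore the full bytes from the referenced sample.
        $h0 = { 06 5C 70 11 F4 A1 B3 30 EB 5B CF F4 DE 2A }
        $h1 = { 77 DF B2 9F 39 32 55 21 DF 63 8A C2 B2 B5 72 62 4B 24 }
        $h2 = { 6E 84 63 6C 6F 5B 96 18 86 26 69 65 90 3C FE }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them               // three strings, threshold was 3
}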
Stingray
1 rules
.yar
Stingray_rule_1
YARA-Rules/rules
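rule Stingray_ransomware_1 {
    meta:
        description = "Detects Stingray ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "461ccf76124cabc4852db1f1dcb078e5ed5fc252c64be16404f56845fb6b0384"
    strings:
        $h0 = { F8 C2 84 E1 FE 86 35 57 6E 6D BC D2 17 F5 04 B8 5E CF C2 26 FE ED }
        $h1 = { 96 49 AF DA 2D 2A DE 65 D9 D5 02 9D 5F D6 4A }
        // Unpaired trailing nibble ("C") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h2 = { 2F 19 64 1B 9A 33 AC 48 39 E2 70 38 82 72 89 }
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}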
Storm
3 rules
.yar
Storm_rule_1
Malpedia
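rule Storm_ransomware_1 {
    meta:
        description = "Detects Storm ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "781c0c78e5d42a317758e35ce376564cda4eea8c3892a9fd767a780f6355d1bf"
    strings:
        $s0 = ".storm" nocase
        // Duplicate README regex ($r3) removed: it let one note-filename hit
        // count twice toward "2 of them".
        $r1 = /README\..{3,10}/i
        // Unpaired trailing nibble ("C") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h2 = { 63 49 26 C0 86 F8 7E 7B 2C A7 1F D0 48 C1 7C 9D 4E 65 14 BA 8F }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}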
Storm_rule_2
Malpedia
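rule Storm_ransomware_2 {
    meta:
        description = "Detects Storm ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9d7607be353a2c334b4733801878466629d4c076504abca50e2063654929af69"
    strings:
        $h0 = { 89 E4 EA C3 7F CD 3F 08 B5 20 93 BC 9A C2 51 BE 6F 3D }
        $h1 = { D3 E3 BF 76 61 02 3C F1 BE }
        $s2 = "AES-256" nocase
        $s3 = "RECOVER" nocase
        // Unpaired trailing nibble ("5") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h4 = { B0 BA 67 41 71 5A D5 9B AA }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}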
Storm_rule_3
Florian Roth
rule Storm_ransomware_3 {
    meta:
        description = "Detects Storm ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "13f595f2c07bc96a1f030b39f6cf19a676061931b4a7798baf58ccfd0b354213"
    strings:
        // Sample-specific byte sequence.
        $h2 = { E6 6C B1 11 51 DB EE 45 72 45 AB C8 86 3A }
        // Ransom-note filename pattern and its bare substring. A hit on $r0
        // always implies a hit on $s1, so the effective requirement is
        // "$h2 AND a README.<ext> name".
        $r0 = /README\..{3,10}/i
        $s1 = "README" nocase
    condition:
        // Three strings with a threshold of three: every indicator must hit.
        uint16(0) == 0x5A4D and filesize < 5MB and all of them
}
SyndicateSquad
2 rules
.yar
SyndicateSquad_rule_1
Elastic Security
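rule SyndicateSquad_ransomware_1 {
    meta:
        description = "Detects SyndicateSquad ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "0e8f259a2c7cd69b06dcbac1080c45f2f6bba2d96f110cbc5d69ec0669da940f"
    strings:
        // Duplicate onion regex ($r1) removed: it let a single onion address
        // satisfy "2 of them" by itself.
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $s2 = "ENCRYPTED" nocase
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h4 = { 5D FD 9D 30 FD B2 51 87 67 01 15 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}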
SyndicateSquad_rule_2
VirusTotal
rule SyndicateSquad_ransomware_2 {
    meta:
        description = "Detects SyndicateSquad ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "22072133a6686352272913785174a0ad9053f89e494966f1480ed50af7eeb216"
    strings:
        // Family-specific: appended extension and a sample byte sequence.
        $s1 = ".syndicatesquad" nocase
        $h2 = { 8C 47 8B FE BA B3 62 55 2B A1 }
        // Generic ransom-note content; any two of these alone also fire the
        // rule, so expect false positives on benign recovery text.
        $r0 = /README\..{3,10}/i
        $s3 = "YOUR FILES" nocase
        $s4 = "ENCRYPTED" nocase
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s6 = "RECOVER" nocase
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}
ThetaCrew
3 rules
.yar
ThetaCrew_rule_1
RansomwareMonitor
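rule ThetaCrew_ransomware_1 {
    meta:
        description = "Detects ThetaCrew ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "6e39b1255ad1a58e6795e046f328289ce53fd8886fe3f0a827d22c66f3772893"
    strings:
        $s0 = "Do not modify" nocase
        // $h1 and $h3 each ended in an unpaired nibble ("D"), which YARA
        // rejects; the dangling nibbles were dropped so the rule compiles.
        // Restore the full bytes from the referenced sample.
        $h1 = { AE 23 C6 3B 57 B8 33 61 CA 75 }
        $h2 = { E5 8A 82 23 E1 C0 E4 EB A5 E6 C3 }
        $h3 = { 3A 9F 26 E2 95 9C D5 21 9F C4 AD B6 49 C0 0B 47 31 }
        $h4 = { 43 D9 40 BD AA 8F 0E D1 F9 90 }
        $r5 = /README\..{3,10}/i
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}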
ThetaCrew_rule_2
YARA-Rules/rules
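rule ThetaCrew_ransomware_2 {
    meta:
        description = "Detects ThetaCrew ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "75780be4ad12faa2f02d39635332b71140273c9645ffdf9a3208b88f553f2709"
    strings:
        // The original listed each regex twice ($r2 == $r0, $r3 == $r1), so
        // a single onion address or Bitcoin address satisfied "2 of them".
        // Duplicates removed; both distinct indicators are now required.
        // Both are generic — add a sample-specific pattern before deploying.
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them
}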
ThetaCrew_rule_3
InQuest
rule ThetaCrew_ransomware_3 {
    meta:
        description = "Detects ThetaCrew ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "19cf6e7ca937d4a699622a60c667978a34e7195f30b239ef5dd60981dec57e13"
    strings:
        // Sample-specific byte sequences.
        $h0 = { 9F 6F CE B7 D6 03 C7 5D 47 FD 40 12 }
        $h2 = { ED F4 0D FA 53 6C BF 35 48 7A 30 FA 2D F4 3A ED 52 7D 4F }
        // v3 onion address shape.
        $r1 = /[A-Za-z0-9]{56}\.onion/
    condition:
        // PE files under 5 MB with any two indicators.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}
ThreeAM
3 rules
.yar
ThreeAM_rule_1
RansomwareMonitor
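rule ThreeAM_ransomware_1 {
    meta:
        description = "Detects ThreeAM ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c99a858933e81760d9fe14bff6101423b0865cdeb70ecb1ab038323a2cd98565"
    strings:
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Unpaired trailing nibble ("9") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h1 = { FC 19 4B 12 11 3C 76 99 EA A3 A9 3D 3D 10 10 56 }
        $s2 = "BITCOIN" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}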
ThreeAM_rule_2
RansomwareMonitor
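rule ThreeAM_ransomware_2 {
    meta:
        description = "Detects ThreeAM ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f90da3670a7b8fc30a575ffd0838f8c03b3b504a5b208371cb3514874574cfc6"
    strings:
        $s0 = ".threeam" nocase
        $h1 = { 9C 52 FF 92 57 7D D5 85 70 74 68 DD 21 A8 FF 9A 80 5E 44 6C }
        $r2 = /[A-Za-z0-9]{56}\.onion/
        // Duplicate Bitcoin-address regex ($r6) removed: identical patterns
        // let one match count twice toward "4 of them".
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s4 = "DECRYPT" nocase
        $h5 = { E2 F0 79 FF 2F EA 33 81 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}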
ThreeAM_rule_3
Malpedia
rule ThreeAM_ransomware_3 {
    meta:
        description = "Detects ThreeAM ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "79922531aea3da719745a4c43bfdaeb89cc82f13e1c2f7081cf5e8c5f51ee7d6"
    strings:
        // Sample-specific byte sequences.
        $h0 = { 40 C0 79 A1 5D CA 63 58 FE 51 8C 4F A4 91 A6 F4 8F 5D 12 65 86 FC 12 }
        $h2 = { 65 5E 7A F4 96 28 37 17 7D BC 19 C9 99 26 C2 D4 1E 5F A2 AA 65 99 72 24 }
        // Ransom-note tokens; "!!!" in particular is near-universal.
        $s1 = "!!!" nocase
        $s3 = "TOX:" nocase
        $s4 = "PAYMENT" nocase
    condition:
        // PE files under 5 MB with four of the five indicators.
        uint16(0) == 0x5A4D and filesize < 5MB and 4 of them
}
Trinity
3 rules
.yar
Trinity_rule_1
YARA-Rules/rules
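rule Trinity_ransomware_1 {
    meta:
        description = "Detects Trinity ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a86ea46bdcb1d690281672e3de72297d2d58264d09708a8c7725b67743fd4fd4"
    strings:
        $h0 = { A4 9D DE A7 F3 46 19 2E 90 DE 77 04 92 09 6F }
        $s1 = "YOUR FILES" nocase
        $s2 = "BITCOIN" nocase
        $s3 = "DECRYPT" nocase
        // $h4 and $h6 each ended in an unpaired nibble ("F"), which YARA
        // rejects; the dangling nibbles were dropped so the rule compiles.
        // Restore the full bytes from the referenced sample.
        $h4 = { 74 29 16 CE 64 89 7A 2B 5A 87 C6 C1 37 41 5E 32 B8 AB 5D 2B }
        $s5 = "Do not modify" nocase
        $h6 = { 1C 2E 3D 9A 0F E7 F2 AE 3C A3 94 87 56 D9 A3 BC C2 23 F9 }
        $s7 = "PAYMENT" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}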
Trinity_rule_2
Florian Roth
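rule Trinity_ransomware_2 {
    meta:
        description = "Detects Trinity ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a41d8eee07c4b325c981d3fd49aaa4b1f97ab1f2a1bfaff13186f662dafa30f0"
    strings:
        $h0 = { 44 85 4F D6 80 1C 12 74 }
        $h1 = { FE A4 54 BE EF AD 6E 4E 7E D8 72 18 5E 96 CA FF 8F A3 81 2D 7C 28 92 89 }
        // Unpaired trailing nibble ("A") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h2 = { 0E 76 BF C9 D0 ED A7 1B 2A }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them               // three strings, threshold was 3
}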
Trinity_rule_3
Florian Roth
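rule Trinity_ransomware_3 {
    meta:
        description = "Detects Trinity ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f1a38a63d5ee417d9ad3213a8a633ea859d5ed4555d6435eb492a7f0071903d0"
    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        // Unpaired trailing nibble ("B") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h1 = { 72 1D 20 E2 44 ED 2F EA 32 C8 18 81 }
        // Duplicate "Do not modify" ($s3) removed: it let one note phrase
        // satisfy "2 of them" by itself.
        $s2 = "Do not modify" nocase
        $s4 = "::::" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}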
TwilightRed
2 rules
.yar
TwilightRed_rule_1
VirusTotal
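rule TwilightRed_ransomware_1 {
    meta:
        description = "Detects TwilightRed ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "baff5cc7068a8c23c33a15f8063ff7cb1a8dead9ed7d79d155c40617486836d7"
    strings:
        $r0 = /README\..{3,10}/i
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Unpaired trailing nibble ("2") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h2 = { C5 29 BE 34 15 1D 71 F7 F1 99 3F A6 D4 F5 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them               // three strings, threshold was 3
}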
TwilightRed_rule_2
RansomwareMonitor
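rule TwilightRed_ransomware_2 {
    meta:
        description = "Detects TwilightRed ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "99f27e82098a58c6a2c529335e0d1c6c2f50026b72b2974329db13bddcf6b83a"
    strings:
        // Duplicate onion regex ($r1) removed: identical patterns let one
        // match count twice toward "3 of them".
        $r0 = /[A-Za-z0-9]{56}\.onion/
        // $h2, $h3 and $h4 each ended in an unpaired nibble ("2", "C", "E"),
        // which YARA rejects; the dangling nibbles were dropped so the rule
        // compiles. Restore the full bytes from the referenced sample.
        $h2 = { 93 BD CA AA A4 A7 BA 30 }
        $h3 = { B3 B4 44 AD 32 A8 12 ED C4 D0 F1 92 }
        $h4 = { C6 BC 80 CC E3 07 DF 16 5C AC 8C 82 22 F4 85 A7 2C }
        $r5 = /README\..{3,10}/i
        $s6 = "RECOVER" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}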
Umbra
1 rules
.yar
Umbra_rule_1
CISA
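rule Umbra_ransomware_1 {
    meta:
        description = "Detects Umbra ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b921d4ce19e4ca9f53c13064432af9c0f1d712dfb90d43afe074dcf0b7f2c1de"
    strings:
        $h0 = { 71 90 5D 5B 58 23 6B C2 B5 BF C3 FB 00 A7 14 E3 E7 18 }
        $r1 = /[A-Za-z0-9]{56}\.onion/
        // $h2 and $h6 each ended in an unpaired nibble ("B", "0"), which
        // YARA rejects; the dangling nibbles were dropped so the rule
        // compiles. Restore the full bytes from the referenced sample.
        $h2 = { F3 F1 D2 11 15 7B 46 DE 17 CA E8 }
        $s3 = "::::" nocase
        $s4 = "Do not modify" nocase
        $h5 = { 0A C4 D4 1D F1 BB DC 26 D1 F0 48 DE C2 B8 F3 }
        $h6 = { CB BE 15 F2 F5 03 DA 0F E2 2E 9B }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}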
Underground
1 rules
.yar
Underground_rule_1
YARA-Rules/rules
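rule Underground_ransomware_1 {
    meta:
        description = "Detects Underground ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "212f1dcbccacd0cb1a308c23e9b9c5aaafb5948513ed33e73a414d8a4c6773d4"
    strings:
        // Duplicate onion regex ($r4) removed. The original "4 of them" over
        // five strings with one duplicate pair is equivalent to requiring
        // all four distinct indicators.
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $s1 = "TOX:" nocase
        // Unpaired trailing nibble ("1") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h2 = { C8 44 E0 FF 97 9E D9 16 CD }
        $h3 = { 99 22 8E E3 74 FA 1E 41 86 8F D7 F5 26 F6 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them
}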
UtopiaTeam
2 rules
.yar
UtopiaTeam_rule_1
InQuest
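rule UtopiaTeam_ransomware_1 {
    meta:
        description = "Detects UtopiaTeam ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "e7cde8cb3bbbd103bbc34073adb4c40de43e203cbfc68fed7c5a08a4bf33fadf"
    strings:
        // "!!!" is near-universal; it adds almost no selectivity.
        $s0 = "!!!" nocase
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Unpaired trailing nibble ("B") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h2 = { C2 7E DD 5C 55 74 78 13 79 91 4D 8B AC 88 78 42 52 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them               // three strings, threshold was 3
}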
UtopiaTeam_rule_2
Elastic Security
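rule UtopiaTeam_ransomware_2 {
    meta:
        description = "Detects UtopiaTeam ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "974a76506cf0c3f86c54bd9c8657f3bde84a3a0bf89f7ca0c33615b7a7b1f7b1"
    strings:
        $s0 = "Do not modify" nocase
        // Unpaired trailing nibble ("0") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h1 = { A5 73 84 67 40 BE FE B4 EE F3 EF 1E 2F }
        $h2 = { B7 04 F2 1B 16 B3 B0 7E 12 9B E9 4C A4 15 5A 29 80 A7 DD CA 44 D2 EE }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them               // three strings, threshold was 3
}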
WannaCry
2 rules
.yar
WannaCry_rule_1
Malpedia
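rule WannaCry_ransomware_1 {
    meta:
        description = "Detects WannaCry ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9b1cc0ec62ac4dfbb9d181182d30020242fc64e2a76aa6abe74eee7b7587c838"
    strings:
        // Duplicate Bitcoin-address regex ($r3) removed: identical patterns
        // let one match count twice toward "2 of them".
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s1 = "RECOVER" nocase
        $r2 = /[A-Za-z0-9]{56}\.onion/
        // Unpaired trailing nibble ("4") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h4 = { 18 EE 0C 47 CC 36 53 76 68 }
        $s5 = "DECRYPT" nocase
        $s6 = "RSA-2048" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}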
WannaCry_rule_2
Elastic Security
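rule WannaCry_ransomware_2 {
    meta:
        description = "Detects WannaCry ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "2269ec5b17897a849d08fd2259b62464dd3da07bb1f42c5ea24a6ce4500164a9"
    strings:
        // $h0 and $h6 each ended in an unpaired nibble ("5", "7"), which
        // YARA rejects; the dangling nibbles were dropped so the rule
        // compiles. Restore the full bytes from the referenced sample.
        $h0 = { 7B 0E 80 C2 ED BB E3 8B 24 8B 88 2A F6 7F 88 17 EC 21 7F 0B F7 }
        $s1 = "ChaCha20" nocase
        // Duplicates of the README regex ($r7) and the onion regex ($r5)
        // removed: each let a single hit count twice toward "2 of them".
        $r2 = /README\..{3,10}/i
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $r4 = /[A-Za-z0-9]{56}\.onion/
        $h6 = { CE A6 75 15 E7 73 02 E9 4A 3B 9C }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}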
YakuzaTeam
2 rules
.yar
YakuzaTeam_rule_1
RansomwareMonitor
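rule YakuzaTeam_ransomware_1 {
    meta:
        description = "Detects YakuzaTeam ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "833f366155daa38d2fec9867c450c8dd528187f5ecdc4c8b5d855110954fb2be"
    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h2 = { D7 E0 E1 06 ED D8 0A 14 49 75 D9 6E 48 52 3C 44 }
        // $h3, $h5 and $h6 each ended in an unpaired nibble ("A", "B", "B"),
        // which YARA rejects; the dangling nibbles were dropped so the rule
        // compiles. Restore the full bytes from the referenced sample.
        $h3 = { F4 29 27 41 DC B7 83 B1 F9 C1 79 F7 73 C6 77 60 }
        $s4 = "BITCOIN" nocase
        $h5 = { 3D DF 1B 8E A1 0C 9B 94 B3 }
        $h6 = { 1E 2B 10 19 DB F8 07 38 }
        $h7 = { DD 1B 79 D7 7F A9 65 EC DF }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}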
YakuzaTeam_rule_2
CISA
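rule YakuzaTeam_ransomware_2 {
    meta:
        description = "Detects YakuzaTeam ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c0286b6bb3e48990e043ebae5f1ff2acd5e66daaf1c6ec91ff0ab8c1e57eda53"
    strings:
        $s0 = ".yakuzateam" nocase
        $s1 = "::::" nocase
        $r2 = /README\..{3,10}/i
        // Duplicate Bitcoin-address regex ($r5) removed: identical patterns
        // let one match count twice toward "4 of them".
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s4 = "RECOVER" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        4 of them
}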
ZenithBlack
3 rules
.yar
ZenithBlack_rule_1
Elastic Security
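rule ZenithBlack_ransomware_1 {
    meta:
        description = "Detects ZenithBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "587be3243b11ac67bb498a9b51a77f0948807a11efbef6e821edf69fc3a0ba69"
    strings:
        $h0 = { 17 81 BF 44 94 92 63 4A }
        // Unpaired trailing nibble ("0") removed so the rule compiles;
        // restore the full byte from the referenced sample.
        $h1 = { 69 92 5C F9 B8 E5 D0 C6 15 93 9D A7 80 29 FF FE 24 C3 68 A4 }
        $s2 = "PAYMENT" nocase
        $s3 = "TOX:" nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        2 of them
}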
ZenithBlack_rule_2
Florian Roth
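rule ZenithBlack_ransomware_2 {
    meta:
        description = "Detects ZenithBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "eb55a2f76478870dabf206b99c43241acd44306fad5713be1be289a47109c7a7"
    strings:
        // $h0, $h1, $h2 and $h5 each ended in an unpaired nibble
        // ("5", "5", "D", "1"), which YARA rejects; the dangling nibbles were
        // dropped so the rule compiles. Restore the full bytes from the
        // referenced sample.
        $h0 = { 2B 4D E9 7A 20 27 E8 64 EF 8A BC 8C 0C 76 DF D3 72 C5 54 F7 4C E3 }
        $h1 = { 4D 23 FE C1 AD 90 DC EE 1C }
        $h2 = { C3 88 BC 4C FB 01 19 10 0C }
        $r3 = /[A-Za-z0-9]{56}\.onion/
        $r4 = /README\..{3,10}/i
        $h5 = { D5 D8 77 8E 50 19 D8 8F EE E9 0B 97 06 38 A6 B2 E3 11 }
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        3 of them
}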
ZenithBlack_rule_3
InQuest
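rule ZenithBlack_ransomware_3 {
    meta:
        description = "Detects ZenithBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7bad5d158843c5b212c66b6853e5fb70b8aac552bd72a72350217a3c0162b550"
    strings:
        $h0 = { 98 49 6F E5 18 F3 EF A7 05 4C C4 DB 21 69 57 }
        $h1 = { 07 6F F3 1A 92 83 65 E8 2B 1B 68 D4 AE 7F 64 36 A1 }
        // Duplicate README regex ($r3) removed. The original "4 of them"
        // over four strings with one duplicate pair is equivalent to
        // requiring all three distinct indicators.
        $r2 = /README\..{3,10}/i
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 5MB and
        all of them
}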
Zeus
2 rules
.yar
Zeus_rule_1
VirusTotal
rule Zeus_ransomware_1 {
    meta:
        description = "Detects Zeus ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "bb8f2976bf8679580703f024b0c1895a0044f4a8faaec8653b721b93481bf71b"
    strings:
        // Sample-specific byte sequences only; no text indicators.
        $h2 = { 6A AD C2 5E E9 48 E0 BF 25 2D 72 BE 4D ED 79 D1 9D 04 F3 3C 57 4C B8 49 }
        $h0 = { 44 83 7C 8D 7C 2C B8 8A 1A 0D 0D 7A 38 B3 75 }
        $h1 = { AA F1 7E 54 80 89 0B 4C CF 57 4D 10 56 47 }
    condition:
        // Three strings with a threshold of three: every sequence must hit.
        uint16(0) == 0x5A4D and filesize < 5MB and all of them
}
Zeus_rule_2
InQuest
rule Zeus_ransomware_2 {
    meta:
        description = "Detects Zeus ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "fd962a51fedfcf7595182682f359faddcb040aa18b5143d0d7149b91f2fd2e15"
    strings:
        // v3 onion address shape.
        $r2 = /[A-Za-z0-9]{56}\.onion/
        // Sample-specific byte sequences.
        $h0 = { 2C 02 C6 EF 80 A4 2C 52 8C A3 F7 DA FC 13 }
        $h1 = { F5 3A D8 0B 86 8F 3F 70 70 8D D6 7A 7C 44 77 52 3A 94 41 F2 EF 96 7E 0A }
    condition:
        // PE files under 5 MB with any two indicators.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}