{"group":"ailock","count":1,"rules":[{"rule_name":"AILock.yar","rule_text":"rule CyberCrime_AiLock_AiLockRansomware {\n    meta:\n        description = \"Detection rule for AiLock Ransomware\"\n        author = \"gmrdkd@s2w.inc\"\n        created_at = \"2025-04-03\"\n        version = \"v1.0\"\n        reference = \"-\"\n\n        threat_actor = \"AiLock\"\n        category = \"Malware\"\n        malware_name = \"AiLock Ransomware\"\n        severity = \"High\"\n\n        hash1 = \"2a728d98ae8280efeaa674783181f3fa\"\n\n    strings:\n        $string1 = \".AiLock\" ascii wide nocase\n        $string2 = \"Start Log:%d Network:%d Selfdelete:%d Path=%s\" ascii wide nocase\n        $string3 = \"Total time of encryption: %llu seconds\" ascii wide nocase\n        $string4 = \"read=%u kbytes, write=%u kbytes, opened=%u, encPS=%u, totalFound=%u, TotalEncrypted=%u\" ascii wide nocase\n        $string5 = \"Single instance only Exit\" ascii wide nocase\n\n        $marker1 = {BE BA AD AB}\n        $marker2 = {B5 00 6B B1}\n        $marker3 = {00 B5 B1 6B}\n        $marker4 = {DE AD BA BE}\n        $marker5 = {BA BE DE AD}\n\n    condition:\n        uint16(0) == 0x5A4D\n        and all of ($marker*)\n        and 2 of ($string*)\n}","sha256":"0f14780652095cbcd4c10277db1b929297565c712d0433b673090a7f56ce2beb","byte_size":1097,"updated_at":"2026-06-24 05:15:59"}]}