{"group":"akira","count":1,"rules":[{"rule_name":"Akira.yar","rule_text":"/*\nAkira ransomware\n*/\n\n\nrule Akira\n{\n    meta:\n        author = \"rivitna\"\n        family = \"ransomware.akira.windows\"\n        description = \"Akira ransomware Windows payload\"\n        severity = 10\n        score = 100\n\n    strings:\n        $s0 = \"\\x00--encryption_path\\x00\" ascii wide\n        $s1 = \"\\x00--share_file\\x00\" ascii wide\n        $s2 = \"\\x00--encryption_percent\\x00\" ascii wide\n        $s3 = \"\\x00-fork\\x00\" ascii\n        $s4 = \"\\x00-localonly\\x00\" ascii wide\n        $s5 = \"\\x00Failed to read share files\\x00\" ascii wide\n        $s6 = \":\\\\akira\\\\asio\\\\include\\\\\" ascii\n        $s7 = \"\\x00write_encrypt_info error: \\x00\" ascii\n        $s8 = \"\\x00encrypt_part error: \\x00\" ascii\n        $s9 = \"\\x00Detected number of cpus = \\x00\" ascii\n        $s10 = \"\\x00No path to encrypt\\x00\" ascii\n        $s11 = \"Paste this link - https://akira\" ascii\n        $s12 = \"\\x00Trend Micro\\x00\" wide\n        $s13 = \"Failed to make full encrypt\" ascii wide\n        $s14 = \"Failed to make spot encrypt\" ascii wide\n        $s15 = \"Failed to make part encrypt\" ascii wide\n        $s16 = \"Failed to write header\" ascii wide\n        $s17 = \"file rename failed. System error:\" ascii wide\n        $s18 = \"Number of thread to folder parsers = \\x00\" ascii\n        $s19 = \"Number of threads to encrypt = \\x00\" ascii\n        $s20 = \"Number of thread to root folder parsers = \\x00\" ascii\n        $s21 = \"Failed to read share files!\\x00\" ascii\n\n        $h0 = { 41 BA 05 00 00 00 41 80 FB 32 44 0F 42 D0 33 D2 48 8B C?\n                49 F7 F2 4C 8B C8\n                ( B? 02 00 00 00 [0-4] 41 B? 04 00 00 00 |\n                  41 B? 04 00 00 00 [0-4] B? 02 00 00 00 )\n                41 80 FB 32 44 0F 42 C? 41 8B C8 4? 0F AF C? 48 2B F9 33 D2\n                48 8B C7 49 F7 F2 }\n        $h1 = { C7 45 ?? 03 00 00 00 80 7D ?? 31 76 07 C7 45 ?? 05 00 00 00\n                0F B6 45 ?? 48 0F AF 45 ?? 48 C1 E8 02\n                48 B? C3 F5 28 5C 8F C2 F5 28 48 F7 E? 48 89 ?? 48 C1 E8 02 }\n\n    condition:\n        (((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) or\n         (uint32(0) == 0x464C457F)) and\n        (\n            (7 of ($s*)) or\n            (1 of ($h*))\n        )\n}","sha256":"24207df8c80a94b34244c54d4a19f1994e024ad12eb81da8c641820e7dda0309","byte_size":2177,"updated_at":"2026-06-24 05:15:59"}]}