{"group":"alphv","count":1,"rules":[{"rule_name":"sekoia.yar","rule_text":"rule ransomware_win_blackcat {\n    meta:\n        id = \"873355f7-3942-4171-9df7-f524bb6b6903\"\n        description = \"Detect the BlackCat ransomware (Windows version)\"\n        author = \"Sekoia.io\"\n        creation_date = \"2022-01-19\"\n        classification = \"TLP:CLEAR\"\n        version = \"1.1\"\n        \n    strings:\n        $s1 = \"desktop_image::set_desktop_wallpaper=\" ascii\n        $s2 = \"C:\\\\Users\\\\Public\\\\All Usersdeploy_note_and_image_for_all_users=\" ascii\n        $s3 = \"propagate::none\" ascii\n        $s4 = \"propagate::failed=\" ascii\n        $s5 = \"propagate::ok=\" ascii\n        $s6 = \"query_status_process::ok=\" ascii\n        $s7 = \"enum_dependent_services::ok=\" ascii\n        $s8 = \"enum_dependent_services::error=\" ascii\n        $s9 = \"try_stop=\" ascii\n        $s10 = \"try_stop::ok=\" ascii\n        $s11 = \"try_stop::failed=\" ascii\n        $s12 = \"stop=\" ascii\n        $s13 = \"dependent_service_name=\" ascii\n        $s14 = \"kill_all=\" ascii\n        $s15 = \"detach=\" ascii\n        \n    condition:\n        uint16(0)==0x5A4D\n        and filesize > 2MB and filesize < 4MB\n        and all of them\n}","sha256":"bd22ad831b67d86a6fc821fdcbdc0b83cf136b410ce2acacf15356fc637670e9","byte_size":1102,"updated_at":"2026-06-24 05:15:59"}]}