{"group":"bianlian","count":1,"rules":[{"rule_name":"bianlian.yar","rule_text":"rule BianLian_Go_Ransomware {\n\tmeta:\n\t\tdescription = \"Detects BianLian ransomware\"\n\t\tauthor = \"BlackBerry Threat Research Team\"\n\t\tdate = \"2022-09-13\"\n\t\tlicense = \"This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to the BlackBerry Research & Intelligence Team\"\n\tstrings:\n\t\t$s1 = \"trimpath=/home/jack/Projects/project1/\"\n\t\t$s2 = \"common.BuildPath\"\n\t\t$s3 = \"common.GetBlocksAmount\"\n\t\t$s4 = \"common.GetDrives\"\n\t\t$s5 = \"common.GetBlockSize\"\n\t\t$s6 = \"common.FileRename\"\n\t\t$s7 = \"common.GetFileExtension\"\n\t\t$s8 = \"exec.(*Cmd).Start.func1\"\n\t\t$s9 = \"exec.(*Cmd).Start.func2\"\n\t\t$s10 = \"exec.(*Cmd).Start.func3\"\n\t\t$s11 = \"CryptBlocks\"\n\tcondition:\n\t\tuint16(0) == 0x5a4d and all of them\n}","sha256":"1e742307b6b68c826fae1c4595e806c22c3642f17ac87de095a7370b235da98d","byte_size":854,"updated_at":"2026-06-24 05:15:59"}]}