{"group":"cactus","count":1,"rules":[{"rule_name":"cactus.yar","rule_text":"rule CactusRule \n{ \n    strings: \n        $cactusStr = “CaCtUs.ReAdMe.txt” \n        $cactusHex = { 43 61 43 74 55 73 2e 52 65 41 64 4d 65 2e 74 78 74 } \n    condition: \n        $cactusStr or $cactusHex \n} \n\nrule CactusRansomware {\n\tmeta:\n\t\tdescription = \"rule to detect Cactus Ransomware\"\n\t\tauthor = \"ShadowStackRe.com\"\n\t\tdate = \"2024-01-18\"\n\t\tRule_Version = \"v1\"\n\t\tmalware_type = \"ransomware\"\n\t\tmalware_family = \"Cactus\"\n\t\tLicense = \"MIT License, https://opensource.org/license/mit/\"\n\t\tHash = \"9ec6d3bc07743d96b723174379620dd56c167c58a1e04dbfb7a392319647441a,c49b4faa6ac7b5c207410ed1e86d0f21c00f47a78c531a0a736266c436cc1c0a\"\n\tstrings:\n\t\t$strReadMe = \"cAcTuS.readme.txt\" wide\n\t\t$strLockExt = \".cts\" wide\n\t\t$strTskName = \"Updates Check Task\" wide\n\t\t$strTskName2 = \"Google Service Update\"\n\t\t$strNTUSer = \"ntuser.dat\" wide\n\t\t$strNTUSer2 = \"ntuser.log\" wide\n\t\t$strBuilderName = \"cactusbuilder\"\n\tcondition:\n\t\tuint16(0) == 0x5A4D and ($strReadMe and $strLockExt) and (1 of ($strTskName*)) and (1 of ($strNTUSer*)) or ($strBuilderName)\n}","sha256":"4b3006f34f07c8aef349ab8f3dd76b02c2529d5676f36ce081598bea4f6aaac1","byte_size":1030,"updated_at":"2026-06-24 05:16:00"}]}