{"group":"cicada3301","count":1,"rules":[{"rule_name":"cicada3301.yar","rule_text":"/*\nCICADA3301 ransomware (Rust, ESXi)\n*/\n\nrule Cicada3301_Ransomnote\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.cicada3301\"\n        description = \"Detects CICADA3301 ransomware ransom note\"\n        date = \"2026-05-04\"\n        severity = 7\n        score = 70\n\n    strings:\n        $s1 = \"CICADA3301\" ascii nocase\n        $s2 = \"RECOVER-\" ascii\n        $s3 = \"cicada3301\" ascii nocase\n        $s4 = \"cicada.onion\" ascii nocase\n\n    condition:\n        any of them\n}\n\nrule Cicada3301_PE\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.cicada3301\"\n        description = \"Detects CICADA3301 ransomware binary\"\n        date = \"2026-05-04\"\n        severity = 9\n        score = 90\n\n    strings:\n        $s1 = \"CICADA3301\" ascii wide\n        $s2 = \"esxi\" ascii nocase\n        $s3 = \"vim-cmd\" ascii\n\n    condition:\n        (uint16(0) == 0x5A4D or uint32(0) == 0x464C457F) and 2 of them\n}","sha256":"49f06e3e6834b8be508875e1021c48ddf1f0e759699892639f96cadd03d7d277","byte_size":937,"updated_at":"2026-06-24 05:16:00"}]}