{"group":"cuba","count":1,"rules":[{"rule_name":"cuba.yar","rule_text":"/*\nCuba ransomware\n*/\n\nrule Cuba_Ransomnote\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.cuba\"\n        description = \"Detects Cuba ransomware ransom note\"\n        date = \"2026-05-04\"\n        severity = 7\n        score = 70\n\n    strings:\n        $s1 = \".cuba\" ascii nocase\n        $s2 = \"HOW-TO-DECRYPT.txt\" ascii nocase\n        $s3 = \"cuba.barzini\" ascii nocase\n        $s4 = \"cubahitaramos\" ascii nocase\n\n    condition:\n        any of them\n}\n\nrule Cuba_PE\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.cuba\"\n        description = \"Detects Cuba ransomware executable\"\n        date = \"2026-05-04\"\n        severity = 9\n        score = 90\n\n    strings:\n        $s1 = \"\\x00Cuba-Locker\\x00\" ascii\n        $s2 = \"\\x00CUBA\\x00\" ascii wide\n        $s3 = \"HOW-TO-DECRYPT.txt\" ascii\n\n    condition:\n        uint16(0) == 0x5A4D and 2 of them\n}","sha256":"998f557c87deaa1f098b41a156cfbf1713a9a2338affa0954f6f169e360c0001","byte_size":893,"updated_at":"2026-06-24 05:16:00"}]}