{"group":"diavol","count":1,"rules":[{"rule_name":"diavol.yar","rule_text":"/*\nDiavol ransomware (TrickBot group)\n*/\n\nrule Diavol_Ransomnote\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.diavol\"\n        description = \"Detects Diavol ransomware ransom note\"\n        date = \"2026-05-04\"\n        severity = 7\n        score = 70\n\n    strings:\n        $s1 = \"README_FOR_DECRYPT.txt\" ascii nocase\n        $s2 = \"DIAVOL\" ascii nocase\n        $s3 = \".lock64\" ascii\n\n    condition:\n        any of them\n}\n\nrule Diavol_PE\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.diavol\"\n        description = \"Detects Diavol ransomware executable\"\n        date = \"2026-05-04\"\n        severity = 9\n        score = 90\n\n    strings:\n        $s1 = \"DIAVOL\" ascii wide\n        $s2 = \".lock64\" ascii\n        $s3 = \"README_FOR_DECRYPT\" ascii\n\n    condition:\n        uint16(0) == 0x5A4D and 2 of them\n}","sha256":"d52dd06748c5ec76c22b7feb7c0f3712d83d72326e32510919a52a3dfabcdba5","byte_size":856,"updated_at":"2026-06-24 05:16:01"}]}