{"group":"doppelpaymer","count":1,"rules":[{"rule_name":"doppelpaymer.yar","rule_text":"/*\nDoppelPaymer ransomware\n*/\n\nrule DoppelPaymer_Ransomnote\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.doppelpaymer\"\n        description = \"Detects DoppelPaymer ransom note\"\n        date = \"2026-05-04\"\n        severity = 7\n        score = 70\n\n    strings:\n        $s1 = \"DOPPELPAYMER\" ascii nocase\n        $s2 = \"ALLOW_TO_DECRYPT.txt\" ascii nocase\n        $s3 = \"doppelpaymer\" ascii nocase\n\n    condition:\n        any of them\n}\n\nrule DoppelPaymer_PE\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.doppelpaymer\"\n        description = \"Detects DoppelPaymer ransomware executable\"\n        date = \"2026-05-04\"\n        severity = 9\n        score = 90\n\n    strings:\n        $s1 = \"DOPPELPAYMER\" ascii wide\n        $s2 = \"BitPaymer\" ascii nocase\n        $s3 = \"--help\" ascii\n        $s4 = \"--path\" ascii\n        $s5 = \"doppelpaymer\" ascii nocase\n\n    condition:\n        uint16(0) == 0x5A4D and 2 of them\n}","sha256":"d230f84c0b16e7b563c8fe6339e35c851176c28e6d8d44519aa42c440ecd93fd","byte_size":960,"updated_at":"2026-06-24 05:16:01"}]}