{"group":"hellokitty","count":1,"rules":[{"rule_name":"hellokitty.yar","rule_text":"rule ransom_Linux_HelloKitty_0721 {\n   meta:\n      description = \"rule to detect Linux variant of the Hello Kitty Ransomware\"\n      author = \"Christiaan @ ATR\"\n      date = \"2021-07-19\"\n      Rule_Version = \"v1\"\n      malware_type = \"ransomware\"\n      malware_family = \"Ransom:Linux/HelloKitty\"\n      hash1 = \"ca607e431062ee49a21d69d722750e5edbd8ffabcb54fa92b231814101756041\"\n      hash2 = \"556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed\"\n\n   strings:\n      $v1 = \"esxcli vm process kill -t=force -w=%d\" fullword ascii\n      $v2 = \"esxcli vm process kill -t=hard -w=%d\" fullword ascii\n      $v3 = \"esxcli vm process kill -t=soft -w=%d\" fullword ascii\n      $v4 = \"error encrypt: %s rename back:%s\" fullword ascii\n      $v5 = \"esxcli vm process list\" fullword ascii\n      $v6 = \"Total VM run on host:\" fullword ascii\n      $v7 = \"error lock_exclusively:%s owner pid:%d\" fullword ascii\n      $v8 = \"Error open %s in try_lock_exclusively\" fullword ascii\n      $v9 = \"Mode:%d  Verbose:%d Daemon:%d AESNI:%d RDRAND:%d \" fullword ascii\n      $v10 = \"pthread_cond_signal() error\" fullword ascii\n      $v11 = \"ChaCha20 for x86_64, CRYPTOGAMS by <appro@openssl.org>\" fullword ascii\n\n   condition:\n      ( uint16(0) == 0x457f and filesize < 200KB and ( 8 of them )\n      ) or ( all of them )\n}","sha256":"b783d0f356c633b264bd4777a98b887cdb559c2437e846c1bc13c945c9cee55d","byte_size":1301,"updated_at":"2026-06-24 05:16:02"}]}