{"group":"incransom","count":1,"rules":[{"rule_name":"Inc.yar","rule_text":"/*\nInc. ransomware\n*/\n\n\nrule Inc\n{\n meta:\n author = \"rivitna\"\n family = \"ransomware.inc\"\n description = \"Inc. ransomware Windows payload\"\n severity = 10\n score = 100\n\n strings:\n $h0 = { 6A 00 6A 00 6A 18 8D [3-4] 5? 68 28 C0 53 00 }\n $h1 = { 6A 00 68 80 00 00 00 6A 03 6A 00 6A 03 [0-16] 68 9F 01 12 00\n [0-8] C7 44 24 ?? 2E 00 5C 00 }\n $h2 = { 6A 20 FF 35 [4] FF 15 [8-12] 8A 4? 1F 80 2? F8 24 3F 0C 40\n 88 4? 1F }\n\n $s0 = \"\\x00Q:\\\\\\x00W:\\\\\\x00E:\\\\\\x00R:\\\\\\x00T:\\\\\\x00Y:\\\\\\x00U:\\\\\" wide\n $s1 = \"PGh0bWw+DQoJPGhlYWQ+DQoJCTx0aXRsZT5JbmMuIFJhbnNvbXdhcmU8\" ascii\n $s2 = \"\\\\background-image.jpg\\x00\" wide\n $s3 = \"\\x00--lhd\\x00\" wide\n $s4 = \"\\x00--ens\\x00\" wide\n $s5 = \"\\x00--sup\\x00\" wide\n $s6 = \" delete shadow copies from %c:/ \" wide\n $s7 = \"\\x00[+] Start encryption of\" wide\n $s8 = \"[+] Encrypting: %s\\n\" wide\n $s9 = \"[+] Found drive: %s\" wide\n $s10 = \" [+] Mounted %s\\n\" wide\n $s11 = \" [-] Failed to mount %s Error: %d\\n\" wide\n $s12 = \"[*] Count of arguments: %d\\n\" wide\n $s13 = \"[-] Please, add \\\"/\\\" to the end of directory!\\n\" wide\n $s14 = \"[*] Settings:\\n\" wide\n $s15 = \" [%s] Stop using process\\n\" wide\n $s16 = \" [%s] Encrypt network shares\\n\" wide\n $s17 = \" [%s] Load hidden drives\\n\\n\" wide\n $s18 = \"[*] Loading hidden drives...\\n\" wide\n $s19 = \"[*] Starting full encryption in 5s\" wide\n $s20 = \"[+] Start sending note to printers...\\n\" ascii\n $s21 = \"[+] Count of printers: %d\\n\" ascii\n\n condition:\n ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and\n (\n (7 of ($s*)) or\n ((1 of ($h*)) and (3 of ($s*)))\n )\n}","sha256":"e90d68a21f02b00cfac59d2bbc93d35bf85708b862529bcee9b86091b103a2cf","byte_size":1836,"updated_at":"2026-06-24 05:16:02"}]}