{"group":"lockbit2","count":1,"rules":[{"rule_name":"lockbit.yar","rule_text":"/*\nLockBit ransomware (v1)\n*/\n\nrule LockBit_Ransomnote\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.lockbit\"\n        description = \"Detects LockBit v1 ransom note (RESTORE-MY-FILES.txt)\"\n        date = \"2026-05-04\"\n        severity = 7\n        score = 70\n\n    strings:\n        $note = \"RESTORE-MY-FILES.txt\" ascii nocase\n        $brand = \"LockBit Ransomware\" ascii nocase\n        $ext = \".abcd\" ascii\n\n    condition:\n        2 of them\n}\n\nrule LockBit_PE\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.lockbit\"\n        description = \"Detects LockBit v1 ransomware executable\"\n        date = \"2026-05-04\"\n        severity = 9\n        score = 90\n\n    strings:\n        $s1 = \"RESTORE-MY-FILES\" ascii wide\n        $s2 = \"LockBit\" ascii wide\n        $s3 = \"\\x00--path\\x00\" ascii\n\n    condition:\n        uint16(0) == 0x5A4D and 2 of them\n}","sha256":"f85615c5719914b065c3add0a1b0d748637f30c42c5a85b441beb2749a218271","byte_size":892,"updated_at":"2026-06-24 05:16:02"}]}