{"group":"lorenz","count":1,"rules":[{"rule_name":"sekoia.yar","rule_text":"rule ransomware_win_lorenz {\n    meta:\n        id = \"6936cc61-efe5-4d13-b76f-e808ab331457\"\n        version = \"1.1\"\n        description = \"Detect the Lorenz ransomware\"\n        author = \"Sekoia.io\"\n        creation_date = \"2022-02-10\"\n        classification = \"TLP:CLEAR\"\n        reference = \"https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware\"\n        \n    strings:\n        $s1 = \".onion\" ascii\n        $s2 = \"---===Lorenz. Welcome. Again. ===--\" ascii\n        $s3 = \".Lorenz.sz40\" ascii\n        \n        $url1 = \"egypghtljedbs3x3ui45tfhosakzb376epl7baq2ruzfyewcypswhgqd.onion\" ascii\n        $url2 = \"lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion\" ascii\n        $url3 = \"vsoonropylvbfqnq2urk7uhaxn7afiwgldnj3ntc743awigojm4p7lid.onion\" ascii\n        $url4 = \"kpb3ss3vwvfejd4g3gvpvqo6ad7nnmvcqoik4mxt2376yu2adlg5fwyd.onion\" ascii\n        $url5 = \"vldkrmiqriwlgm2wuxg42nvc6kqsdzsdhsybn27hyn34d66465fxz7id.onion\" ascii\n        \n    condition:\n        uint16(0) == 0x5a4d\n        and filesize > 900KB\n        and filesize < 1200KB\n        and (all of ($s*) or 1 of ($url*))\n}","sha256":"db78c385e3af5618aa43394458fe4195ff2afe0922bd6cb5f22dbd481b2ca2de","byte_size":1101,"updated_at":"2026-06-24 05:16:02"}]}