{"group":"nevada","count":1,"rules":[{"rule_name":"nevada.yar","rule_text":"import \"pe\"\n\nrule EXE_Ransomware_Nevada_Feb2024 {\n    meta:\n        Description = \"Detects Nevada ransomware aka Nokoyawa ransomware 2.1\"\n        author = \"Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell\"\n        Reference = \"https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokoyawa-variant\"\n        Hash = \"855f411bd0667b650c4f2fd3c9fbb4fa9209cf40b0d655fa9304dcdd956e0808\"\n        date = \"2024-02-06\"\n        yarahub_author_twitter = \"@RustyNoob619\"\n        yarahub_reference_md5 = \"99549bcea63af5f81b01decf427519af\"\n        yarahub_uuid = \"99b37e62-5c57-4656-9342-48fe46f4b368\"\n        yarahub_license = \"CC0 1.0\"\n        yarahub_rule_matching_tlp = \"TLP:WHITE\"\n        yarahub_rule_sharing_tlp = \"TLP:WHITE\"\n        malpedia_family = \"win.nevada\"\n\n    strings:\n        $rust1 = \"RustBacktraceMutex\"\n        $rust2 = \"RUST_BACKTRACE=full\"\n        $rust3 = \"/rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f\"\n\n        $nevada1 = \"nevada_locker\"\n        $nevada2 = \"nevadaServiceSYSTEM\"\n        $nevada3 = \"NEVADA.Failed to rename file\"\n\n        $ransom1 = \"ntuser.exe.ini.dll.url.lnk.scr\"\n        $ransom2 = \"drop of the panic payload panicked\"\n        $ransom3 = \"Shadow copies deleted from\"\n        $ransom4 = \"Failed to create ransom note\"\n\n        $s1 = \"R3JlZXRpbmdzISBZb3VyIGZpbGVzIHdlcmUgc3RvbGVuIGFuZCBlbmNyeXB0ZWQ\" //Greetings! Your files were stolen and encrypted\n        $s2 = \"C:\\\\Users\\\\user\\\\Desktop\\\\new\\\\nevada_locker\\\\target\\\\release\\\\deps\\\\nevada.pdb\"\n        \n    condition:\n        uint16be(0) == 0x4D5A\n        and 2 of ($rust*)\n        and 2 of ($ransom*)\n        and (1 of ($s*) or 1 of ($nevada*))\n }","sha256":"dbc3197c1c30e6db862964610dfc04f1edeb3808ee04f7a79245244c942febec","byte_size":1670,"updated_at":"2026-06-24 05:16:03"}]}