{"group":"ragnarlocker","count":1,"rules":[{"rule_name":"ragnarlocker.yar","rule_text":"import \"pe\"\n\nrule ragnarlocker_ransomware {\n\n   meta:\n   \n      description = \"Rule to detect RagnarLocker samples\"\n      author = \"McAfee ATR Team\"\n      date = \"2020-04-15\"\n      rule_version = \"v1\"\n      malware_type = \"ransomware\"\n      malware_family = \"Ransom:W32/RagnarLocker\"\n      actor_type = \"Cybercrime\"\n      actor_group = \"Unknown\"\n      reference = \"https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/\"\n      hash = \"9706a97ffa43a0258571def8912dc2b8bf1ee207676052ad1b9c16ca9953fc2c\"\n      \n   strings:\n   \n      //---RAGNAR SECRET---\n      $s1 = {2D 2D 2D 52 41 47 4E 41 52 20 53 45 43 52 45 54 2D 2D 2D}\n      $s2 = { 66 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? B8 ?? ?? ?? ?? 0F 44 }\n      $s3 = { 5? 8B ?? 5? 5? 8B ?? ?? 8B ?? 85 ?? 0F 84 }\n      $s4 = { FF 1? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 }\n      $s5 = { 8D ?? ?? ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }\n      \n      $op1 = { 0f 11 85 70 ff ff ff 8b b5 74 ff ff ff 0f 10 41 }\n      \n      $p0 = { 72 eb fe ff 55 8b ec 81 ec 00 01 00 00 53 56 57 }\n      $p1 = { 60 be 00 00 41 00 8d be 00 10 ff ff 57 eb 0b 90 }\n      \n      $bp0 = { e8 b7 d2 ff ff ff b6 84 }\n      $bp1 = { c7 85 7c ff ff ff 24 d2 00 00 8b 8d 7c ff ff ff }\n      $bp2 = { 8d 85 7c ff ff ff 89 85 64 ff ff ff 8d 4d 84 89 }\n      \n   condition:\n   \n     uint16(0) == 0x5a4d and \n     filesize < 100KB and \n     (4 of ($s*) and $op1) or\n     all of ($p*) and\n     pe.imphash() == \"9f611945f0fe0109fe728f39aad47024\" or\n     all of ($bp*) and\n     pe.imphash() == \"489a2424d7a14a26bfcfb006de3cd226\" \n}","sha256":"cdf7284104b46098327f9da7d9b3b0885f784b08b84a2b5101613aa55fe18bbc","byte_size":1593,"updated_at":"2026-06-24 05:16:04"}]}