{"group":"ransomexx","count":1,"rules":[{"rule_name":"ransomexx.yar","rule_text":"/*\nRansomEXX / Defray777 ransomware\n*/\n\nrule RansomEXX_Ransomnote\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.ransomexx\"\n        description = \"Detects RansomEXX ransom note\"\n        date = \"2026-05-04\"\n        severity = 7\n        score = 70\n\n    strings:\n        $s1 = \"RansomEXX\" ascii nocase\n        $s2 = \"RANSOM_NOTE.txt\" ascii nocase\n        $s3 = \".ransom\" ascii nocase\n        $s4 = \"Defray777\" ascii nocase\n\n    condition:\n        any of them\n}\n\nrule RansomEXX_PE\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.ransomexx\"\n        description = \"Detects RansomEXX ransomware executable\"\n        date = \"2026-05-04\"\n        severity = 9\n        score = 90\n\n    strings:\n        $s1 = \"RansomEXX\" ascii wide\n        $s2 = \"Defray777\" ascii nocase\n        $s3 = \"/proc/sys/vm/drop_caches\" ascii\n\n    condition:\n        (uint16(0) == 0x5A4D or uint32(0) == 0x464C457F) and 2 of them\n}","sha256":"fab967813861d65693387187837ab803b954dee8f85b87041ad654d7570ada87","byte_size":950,"updated_at":"2026-06-24 05:16:04"}]}