{"group":"revil","count":1,"rules":[{"rule_name":"revil.yar","rule_text":"/*\nREvil / Sodinokibi ransomware\n*/\n\nrule REvil_Ransomnote\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.revil\"\n        description = \"Detects REvil / Sodinokibi ransom note\"\n        date = \"2026-05-04\"\n        severity = 7\n        score = 70\n\n    strings:\n        $s1 = \"-readme.txt\" ascii nocase\n        $s2 = \"sodinokibi\" ascii nocase\n        $s3 = \"Your files are encrypted\" ascii nocase\n        $s4 = \"decryptor\" ascii nocase\n\n    condition:\n        2 of ($s1, $s2) or ($s3 and $s4)\n}\n\nrule REvil_PE_Config\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.revil\"\n        description = \"Detects REvil embedded JSON config keys\"\n        date = \"2026-05-04\"\n        severity = 9\n        score = 90\n\n    strings:\n        $c1 = \"\\\"pk\\\":\" ascii\n        $c2 = \"\\\"pid\\\":\" ascii\n        $c3 = \"\\\"sub\\\":\" ascii\n        $c4 = \"\\\"dbg\\\":\" ascii\n        $c5 = \"\\\"wipe\\\":\" ascii\n\n    condition:\n        uint16(0) == 0x5A4D and 4 of them\n}\n\nrule REvil_PE_Strings\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.revil\"\n        description = \"Detects REvil ransomware strings in PE\"\n        date = \"2026-05-04\"\n        severity = 9\n        score = 90\n\n    strings:\n        $s1 = \"expand 32-byte k\" ascii\n        $s2 = \"SOFTWARE\\\\BlackLivesMatter\" ascii wide\n        $s3 = \"readme.txt\" ascii nocase\n        $s4 = \"sodinokibi\" ascii nocase\n\n    condition:\n        uint16(0) == 0x5A4D and 2 of them\n}","sha256":"172e4db6925eb7ab913e9c266a68a515e73c348c238c74c04cb022c1a7f161d9","byte_size":1469,"updated_at":"2026-06-24 05:16:05"}]}