{"group":"wannacry","count":1,"rules":[{"rule_name":"wannacry.yar","rule_text":"/*\nWannaCry / WannaCrypt ransomware\n*/\n\nrule WannaCry_Ransomnote\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.wannacry\"\n        description = \"Detects WannaCry ransom note\"\n        date = \"2026-05-04\"\n        severity = 10\n        score = 100\n\n    strings:\n        $s1 = \"@Please_Read_Me@.txt\" ascii\n        $s2 = \"WanaCrypt0r\" ascii nocase\n        $s3 = \"Wana Decrypt0r\" ascii nocase\n        $s4 = \"@WanaDecryptor@\" ascii\n\n    condition:\n        any of them\n}\n\nrule WannaCry_PE\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.wannacry\"\n        description = \"Detects WannaCry ransomware executable\"\n        date = \"2026-05-04\"\n        severity = 10\n        score = 100\n\n    strings:\n        $s1 = \"WanaCrypt0r\" ascii wide\n        $s2 = \"WanaDecryptor\" ascii wide\n        $s3 = \"tasksche.exe\" ascii\n        $s4 = \"msg/m_english.wnry\" ascii\n        $s5 = \"MsWinZonesCacheCounterMutexA0\" ascii wide\n\n    condition:\n        uint16(0) == 0x5A4D and 2 of them\n}\n\nrule WannaCry_WNCRY_File\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.wannacry\"\n        description = \"Detects .WNCRY encrypted file header\"\n        date = \"2026-05-04\"\n        severity = 7\n        score = 70\n\n    strings:\n        $magic = { 57 41 4E 41 43 52 59 00 }\n\n    condition:\n        $magic at 0\n}","sha256":"96cc77166f11a168f7a999b143547873d5cbe1ccb4c0e7810ffb0084be7504e9","byte_size":1353,"updated_at":"2026-06-24 05:16:06"}]}