{"group":"yanluowang","count":1,"rules":[{"rule_name":"yanluowang.yar","rule_text":"/*\nYanluowang ransomware\n*/\n\nrule Yanluowang_Ransomnote\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.yanluowang\"\n        description = \"Detects Yanluowang ransomware ransom note\"\n        date = \"2026-05-04\"\n        severity = 7\n        score = 70\n\n    strings:\n        $s1 = \"yanluowang\" ascii nocase\n        $s2 = \".yanluowang\" ascii\n        $s3 = \"yanluowang_decryptor\" ascii nocase\n\n    condition:\n        any of them\n}\n\nrule Yanluowang_PE\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.yanluowang\"\n        description = \"Detects Yanluowang ransomware executable\"\n        date = \"2026-05-04\"\n        severity = 9\n        score = 90\n\n    strings:\n        $s1 = \"yanluowang\" ascii wide nocase\n        $s2 = \".yanluowang\" ascii\n        $s3 = \"!IMPORTANT.txt\" ascii\n\n    condition:\n        uint16(0) == 0x5A4D and 2 of them\n}","sha256":"08693ca3446f0ff132a2ba32b8e0cf042e42ce2b95f4d0bbc832e50862d30ca3","byte_size":884,"updated_at":"2026-06-24 05:16:06"}]}