Antivirus Ransomware Detection

Detects a highly relevant Antivirus alert that reports ransomware.

Sigma rule (View on GitHub)

 1title: Antivirus Ransomware Detection
 2id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
 3status: test
 4description: Detects a highly relevant Antivirus alert that reports ransomware.
 5references:
 6    - https://www.nextron-systems.com/?s=antivirus
 7    - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
 8    - https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7
 9    - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
10    - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
11    - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
12author: Florian Roth (Nextron Systems), Arnim Rupp
13date: 2022-05-12
14modified: 2023-02-03
15tags:
16    - attack.t1486
17logsource:
18    category: antivirus
19detection:
20    selection:
21        Signature|contains:
22            - 'BlackWorm'
23            - 'Crypter'
24            - 'CRYPTES'
25            - 'Cryptor'
26            - 'Destructor'
27            - 'Filecoder'
28            - 'GandCrab'
29            - 'GrandCrab'
30            - 'Krypt'
31            - 'Locker'
32            - 'Phobos'
33            - 'Ransom'
34            - 'Ryuk'
35            - 'Ryzerlo'
36            - 'Tescrypt'
37            - 'TeslaCrypt'
38    condition: selection
39falsepositives:
40    - Unlikely
41level: critical

References

Related rules

to-top