Antivirus Ransomware Detection
Detects a highly relevant Antivirus alert that reports ransomware.
Sigma rule
title: Antivirus Ransomware Detection
id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
status: test
description: Detects a highly relevant Antivirus alert that reports ransomware.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
    - https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7
    - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
    - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
    - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2022-05-12
modified: 2023-02-03
tags:
    - attack.t1486
logsource:
    category: antivirus
detection:
    selection:
        Signature|contains:
            - 'BlackWorm'
            - 'Crypter'
            - 'CRYPTES'
            - 'Cryptor'
            - 'Destructor'
            - 'Filecoder'
            - 'GandCrab'
            - 'GrandCrab'
            - 'Krypt'
            - 'Locker'
            - 'Phobos'
            - 'Ransom'
            - 'Ryuk'
            - 'Ryzerlo'
            - 'Tescrypt'
            - 'TeslaCrypt'
    condition: selection
falsepositives:
    - Unlikely
level: critical
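The detection above is a single selection whose `Signature|contains` list is an OR over substrings; Sigma string matching is case-insensitive unless the `cased` modifier is used, so the keyword `Phobos` also fires on `phobos`. The following Python script is an added example (not part of the Sigma project or of this rule) that re-implements that matching logic against a handful of constructed antivirus events, so the behaviour of the rule can be checked before it is deployed through a real Sigma backend such as pySigma. The event field names, computer names and signature strings are all assumptions made up for the example.

```python
"""Evaluate the 'Antivirus Ransomware Detection' Sigma rule against sample
antivirus events.  Added example, not the Sigma project's own code; the events
below are constructed and the field layout is an assumption."""

# Keywords copied verbatim from the rule's Signature|contains list.
RANSOMWARE_SIGNATURE_KEYWORDS = [
    "BlackWorm", "Crypter", "CRYPTES", "Cryptor", "Destructor", "Filecoder",
    "GandCrab", "GrandCrab", "Krypt", "Locker", "Phobos", "Ransom", "Ryuk",
    "Ryzerlo", "Tescrypt", "TeslaCrypt",
]


def matched_keywords(event: dict) -> list[str]:
    """Return every rule keyword found in the event's Signature field.

    Sigma 'contains' with a list of values is a logical OR, and plain string
    matching in Sigma is case-insensitive, so both sides are lower-cased.
    Events without a string Signature field cannot match the selection.
    """
    signature = event.get("Signature")
    if not isinstance(signature, str):
        return []
    sig = signature.lower()
    return [k for k in RANSOMWARE_SIGNATURE_KEYWORDS if k.lower() in sig]


def matches_rule(event: dict) -> bool:
    """condition: selection -- true when at least one keyword matched."""
    return bool(matched_keywords(event))


def alert_events(events: list[dict]) -> list[dict]:
    """Filter a batch of antivirus events down to those the rule fires on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (assumed field names: Computer, Signature, Path).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Signature": "Ransom:Win32/Phobos.A",
     "Path": "C:\\Users\\alice\\Downloads\\invoice.exe"},
    {"Computer": "ws02", "Signature": "Trojan:Win32/Emotet.B"},
    {"Computer": "ws03", "Signature": "Win32/Filecoder.LockerGoga"},
    {"Computer": "ws04", "Signature": "PUA:Win32/Keygen"},
    {"Computer": "ws05"},  # malformed event with no Signature field
]


if __name__ == "__main__":
    for event in alert_events(SAMPLE_EVENTS):
        print(f"[critical] {event['Computer']}: {event['Signature']} "
              f"(matched {', '.join(matched_keywords(event))})")
```

Running the script prints the two events whose signatures contain rule keywords (`ws01` via `Phobos` and `Ransom`, `ws03` via `Filecoder` and `Locker`); the Emotet, Keygen and field-less events are ignored. Keeping the matched keywords alongside each alert is useful when triaging, since short keywords such as `Krypt` or `Locker` can be the only reason a signature name matched.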
Related rules
- AWS EC2 Disable EBS Encryption
- BlueSky Ransomware Artefacts
- LockerGoga Ransomware Activity
- Microsoft 365 - Potential Ransomware Activity
- Potential Conti Ransomware Activity