Coming soon - Get a detailed view of why an account is flagged as spam!
view details

This post has been de-listed

It is no longer included in search results and normal feeds (front page, hot posts, subreddit posts, etc). It remains visible only via the author's post history.

6
Ransomware with known Registry Persistence
Post Flair (click to view more posts with a particular flair)
Other
Post Body

Hi all,

I was wondering if you guys knew known Ransomware that could be triggered by these Yara rules below. They are common patterns, but I noticed just Wannacry and Ryuk had triggered them.
As many ransomware names as possible if you can!
If you know any malware that can, for instance, set registry value under CurrentVersion/Run, please let me know because it'll be really appreciated

I did managed to get many ransomware from https://samples.vx-underground.org/samples/Families/ , which is great for me, but I want more ransomware names (in addition to Wannacry and Ryuk).

These strings are the Yara rules

        $s1 = "CurrentVersion\\\\Run" ascii wide nocase
    $s2 = "CurrentVersion\\\\RunOnce" ascii wide nocase
    $s3 = "SYSTEM\\\\ControlSet001\\Control" ascii wide nocase
    $s4 = "Explorer\\\\User Shell Folders" ascii wide nocase
    $s5 = "Explorer\\\\Shell Folders" ascii wide nocase
    $s6 = "SYSTEM\\\\ControlSet001\\\\Enum\\\\Root" ascii wide nocase
    $s7 = "CurrentVersion\\\\Extensions" ascii wide nocase
    $s8 = "Explorer\\\\User Shell Folders" ascii wide nocase
    $s9 = "Explorer\\\\ShellFolders" ascii wide nocase
    $s10 = "CurrentVersion\\\\Winlogon" ascii wide nocase
    $s11 = "CurrentVersion\\\\Policies\\\\Explorer\\\\Run" ascii wide nocase
    $s12 = "CurrentVersion\\\\IniFileMapping\\\\system.ini\\\\boot" ascii wide nocase
        $s13 = "CurrentControlSet\\services" ascii wide nocase
        $s14 = "CurrentVersion\\RunServicesOnce" ascii wide nocase
        $s15 = "CurrentVersion\\RunServices" ascii wide nocase
        $s16 = "CurrentVersion\\Windows\\AppInit_DLLs" ascii wide nocase 
        $s17 = "Control\\Session Manager" ascii wide nocase 
        $s18 = "CurrentControlSet\\Control\\SecurityProviders" ascii wide nocase                 
    $s19 = "CurrentVersion\\RunOnceEx" ascii wide nocase 
        $s20 = "CurrentVersion\\Terminal" ascii wide nocase
        $s21 = "Microsoft\\Active Setup\\Installed Components" ascii wide nocase                 
    $s22 = "Scripts\\Startup" ascii wide nocase 
        $s23 = "Scripts\\Logon" ascii wide nocase 
        $s24 = "Scripts\\Logoff" ascii wide nocase 
        $s25 = "CurrentVersion\\Windows\\Load" ascii wide nocase 
        $s26 = "Policies\\Explorer\\Run" ascii wide nocase 
        $s27 = "Control\\hivelist" ascii wide nocase
        $s28 = "CurrentVersion\\Explorer" ascii wide nocase

Author
Account Strength
60%
Account Age
3 years
Verified Email
Yes
Verified Flair
No
Total Karma
24
Link Karma
23
Comment Karma
1
Profile updated: 4 days ago
Otherwise_Virus_722

Subreddit

r/AskNetsec

Post Details

We try to extract some basic information from the post title. This is not always successful or accurate, please use your best judgement and compare these values to the post title and body for confirmation.
Posted
1 year ago
Reddit URL
View post on reddit.com
External URL
reddit.com/r/AskNetsec/c...