Sponsored by Hudson Rock – Use Hudson Rock's free cybercrime intelligence tools to learn how Infostealer infections are leading to ransomware attacks
Windows_Ransomware_Hellokitty_8859e8e8.yarrule Windows_Ransomware_Hellokitty_8859e8e8
{
meta:
author = "Elastic Security"
id = "8859e8e8-f94c-4853-b296-1fc801486c57"
fingerprint = "f9791409d2a058dd68dc09df5e4b597c6c6a1f0da9801d7ab9e678577b621730"
creation_date = "2021-05-03"
last_modified = "2021-08-23"
threat_name = "Windows.Ransomware.Hellokitty"
reference_sample = "3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9"
severity = 100
arch_context = "x86, arm64"
scan_context = "file, memory"
license = "Elastic License v2"
os = "windows"
strings:
$a1 = "HelloKittyMutex" wide fullword
$a2 = "%s\\read_me_lkd.txt" wide fullword
$a3 = "Win32_ShadowCopy.ID='%s'" wide fullword
$a4 = "Trying to decrypt or modify the files with programs other than our decryptor can lead to permanent loss of data!" wide fullword
$a5 = "%s/secret/%S" wide fullword
$a6 = "DECRYPT_NOTE.txt" wide fullword
$a7 = "Some data has been stored in our servers and ready for publish." wide fullword
$a9 = "To contact with us you have ONE week from the encryption time, after decryption keys and your personal contact link will be dele" wide
$a10 = "In case of your disregard, we reserve the right to dispose of the dumped data at our discretion including publishing." wide fullword
$a11 = "IMPORTANT: Don't modify encrypted files or you can damage them and decryption will be impossible!" wide fullword
$b1 = "/f /im \"%s\"" wide fullword
$b2 = "stop \"%s\"" wide fullword
$b3 = "/f /im %s" wide fullword
$b4 = "stop %s" wide fullword
condition:
(2 of ( $a* ) and 2 of ( $b* ) ) or ( 5 of ( $a* ) )
}