YARA rules for the Cactus ransomware group
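// Matches the Cactus ransom-note filename anywhere in a scanned file.
// Note: this fires on the dropped note itself and on any document that
// quotes the name (reports, this rule file), not only on the payload.
rule CactusRule
{
    meta:
        description = "Detects the Cactus ransomware ransom-note filename"

    strings:
        // The original used typographic quotes (“ ”), which YARA rejects;
        // plain double quotes are required.
        // The note name is seen with varying capitalisation (compare
        // "cAcTuS.readme.txt" in CactusRansomware below), so match
        // case-insensitively, in both ASCII and UTF-16LE. This supersedes
        // the former $cactusHex pattern, which encoded the same bytes as
        // the ASCII literal and added no coverage.
        $cactusStr = "CaCtUs.ReAdMe.txt" nocase ascii wide

    condition:
        $cactusStr
}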
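// Detects the Cactus ransomware PE payload by its embedded artefacts:
// ransom-note name, encrypted-file extension, persistence task names,
// registry-hive filenames, and the builder string.
rule CactusRansomware {
    meta:
        description = "rule to detect Cactus Ransomware"
        author = "ShadowStackRe.com"
        date = "2024-01-18"
        Rule_Version = "v1"
        malware_type = "ransomware"
        malware_family = "Cactus"
        License = "MIT License, https://opensource.org/license/mit/"
        Hash = "9ec6d3bc07743d96b723174379620dd56c167c58a1e04dbfb7a392319647441a,c49b4faa6ac7b5c207410ed1e86d0f21c00f47a78c531a0a736266c436cc1c0a"

    strings:
        // Ransom-note filename and extension appended to encrypted files
        $strReadMe = "cAcTuS.readme.txt" wide
        $strLockExt = ".cts" wide
        // Scheduled-task names used for persistence
        $strTskName = "Updates Check Task" wide
        // NOTE(review): ASCII-only, unlike its sibling above — confirm this
        // is intentional rather than a missing "wide" modifier.
        $strTskName2 = "Google Service Update"
        // User registry-hive filenames referenced by the sample
        $strNTUSer = "ntuser.dat" wide
        $strNTUSer2 = "ntuser.log" wide
        // Builder marker present in some samples
        $strBuilderName = "cactusbuilder"

    condition:
        // The PE check must gate both branches. In the original condition
        // "... or ($strBuilderName)" bound loosest, so any file containing
        // "cactusbuilder" — a text report, or this rule file — matched
        // without the MZ header check.
        uint16(0) == 0x5A4D and   // "MZ" DOS header (little-endian)
        (
            (
                $strReadMe and $strLockExt
                and 1 of ($strTskName*)
                and 1 of ($strNTUSer*)
            )
            or $strBuilderName
        )
}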