YARA rules for the ransomware group RagnarLocker

import "pe"

rule ragnarlocker_ransomware {

   // Detects RagnarLocker samples either by a cluster of code/marker
   // patterns inside a small PE, or by one of two import hashes combined
   // with its matching packer/prologue byte sequences.
   meta:
      description = "Rule to detect RagnarLocker samples"
      author = "McAfee ATR Team"
      date = "2020-04-15"
      rule_version = "v1"
      malware_type = "ransomware"
      malware_family = "Ransom:W32/RagnarLocker"
      actor_type = "Cybercrime"
      actor_group = "Unknown"
      reference = "https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/"
      hash = "9706a97ffa43a0258571def8912dc2b8bf1ee207676052ad1b9c16ca9953fc2c"

   strings:
      // Plain-text marker embedded in the sample; written as an ASCII
      // string here, identical bytes to the hex form 2D 2D 2D 52 41 ... 2D.
      $s1 = "---RAGNAR SECRET---"

      // Wildcarded code fragments (instruction skeletons with operands masked).
      $s2 = { 66 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? B8 ?? ?? ?? ?? 0F 44 }
      $s3 = { 5? 8B ?? 5? 5? 8B ?? ?? 8B ?? 85 ?? 0F 84 }
      $s4 = { FF 1? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 }
      $s5 = { 8D ?? ?? ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }

      // Fixed opcode sequence required together with the $s* cluster.
      $op1 = { 0F 11 85 70 FF FF FF 8B B5 74 FF FF FF 0F 10 41 }

      // Byte sequences paired with the first import hash below.
      $p0 = { 72 EB FE FF 55 8B EC 81 EC 00 01 00 00 53 56 57 }
      $p1 = { 60 BE 00 00 41 00 8D BE 00 10 FF FF 57 EB 0B 90 }

      // Byte sequences paired with the second import hash below.
      $bp0 = { E8 B7 D2 FF FF FF FF B6 84 }
      $bp1 = { C7 85 7C FF FF FF 24 D2 00 00 8B 8D 7C FF FF FF }
      $bp2 = { 8D 85 7C FF FF FF 89 85 64 FF FF FF 8D 4D 84 89 }

   condition:
      // Three alternative detections. Parentheses make the evaluation
      // order explicit: 'and' binds tighter than 'or', so the MZ-header and
      // filesize checks gate ONLY the first alternative; the two imphash
      // alternatives carry no size bound of their own.
      (
         uint16(0) == 0x5a4d and
         filesize < 100KB and
         4 of ($s*) and
         $op1
      )
      or
      (
         all of ($p*) and
         pe.imphash() == "9f611945f0fe0109fe728f39aad47024"
      )
      or
      (
         all of ($bp*) and
         pe.imphash() == "489a2424d7a14a26bfcfb006de3cd226"
      )
}