/*
    wannacry.yar
    WannaCry / WannaCrypt ransomware
*/
rule WannaCry_Ransomnote
{
    /*
        Flags a file that contains at least one WannaCry ransom-note file name
        or product banner string.

        Triage note: the condition has no filesize or file-type constraint and
        a single string is enough, so any scanned file that merely mentions one
        of these names (reports, other rule files, the executable itself) also
        matches. Corroborate a hit with other evidence before treating it as a
        ransom note, despite the score of 100.
    */
    meta:
        author = "ransomware.live"
        family = "ransomware.wannacry"
        description = "Detects WannaCry ransom note"
        date = "2026-05-04"
        severity = 10
        score = 100

    strings:
        // Case-sensitive names wrapped in '@' markers.
        $note_file          = "@Please_Read_Me@.txt" ascii
        $note_decryptor_tag = "@WanaDecryptor@" ascii

        // Banner spellings, matched case-insensitively.
        $note_cryptor          = "WanaCrypt0r" ascii nocase
        $note_decryptor_spaced = "Wana Decrypt0r" ascii nocase

    condition:
        // One hit on any of the four strings is sufficient.
        1 of ($note_*)
}
rule WannaCry_PE
{
    /*
        Flags a file that starts with the "MZ" signature and contains at least
        two of the WannaCry-related strings below.

        The MZ test only inspects the first two bytes; it does not validate the
        rest of the PE structure.
    */
    meta:
        author = "ransomware.live"
        family = "ransomware.wannacry"
        description = "Detects WannaCry ransomware executable"
        date = "2026-05-04"
        severity = 10
        score = 100

    strings:
        // Product names, searched as both ASCII and UTF-16LE.
        $str_cryptor   = "WanaCrypt0r" ascii wide
        $str_decryptor = "WanaDecryptor" ascii wide

        // Component and resource file names, ASCII only.
        $str_tasksche = "tasksche.exe" ascii
        $str_msgfile  = "msg/m_english.wnry" ascii

        // NOTE(review): confirm against samples that this full name, including
        // the trailing "0", is stored as a literal; if the suffix is appended
        // at runtime this string will only match in memory scans.
        $str_mutex = "MsWinZonesCacheCounterMutexA0" ascii wide

    condition:
        // 0x5A4D read little-endian at offset 0 is the byte pair "MZ".
        uint16(0) == 0x5A4D and 2 of ($str_*)
}
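rule WannaCry_WNCRY_File
{
    /*
        Flags a file whose first eight bytes are the ASCII marker "WANACRY!",
        the header WannaCry writes at the start of the files it encrypts.

        The match is on content only; the file name or extension is not
        checked. NOTE(review): the malware's own encrypted components are
        reported to carry the same marker, so a hit is not necessarily a
        victim file - confirm during triage.
    */
    meta:
        author = "ransomware.live"
        family = "ransomware.wannacry"
        description = "Detects .WNCRY encrypted file header"
        date = "2026-05-04"
        severity = 7
        score = 70

    strings:
        // "WANACRY!" - the eighth byte is 0x21 ('!'). A 0x00 in that position
        // never matches a real header, because the marker is not
        // NUL-terminated.
        $magic = { 57 41 4E 41 43 52 59 21 }

    condition:
        // Anchored: the marker must be the very first bytes of the file.
        $magic at 0
}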