Ekans Ruleset
josheyr opened this issue
Josh commented
Why is it a good idea to flag occurrences of fairly generic-looking messages in strings as ransomware?
https://github.com/bartblaze/Yara-rules/blob/master/rules/ransomware/Ekans.yar
Surely there's a better way to detect ransomware that isn't susceptible to falsely flagging random people...
Bart P commented
Which strings specifically are you referring to?
Josh commented
$ = "priority files: %v" ascii wide
$ = "could not send control=%d: %v" ascii wide
$ = "could not retrieve service status: %v" ascii wide
$ = "could not access service: %v" ascii wide
$ = "cant kill process %v : %v" ascii wide
$ = "There can be only one" ascii wide
$ = "pub: %v" ascii wide
$ = "priorityFiles: %v" ascii wide
$ = "worker %s started job %s" ascii wide
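Whether strings like these cause false positives depends less on any one string than on the rule's condition, i.e. how many of them must co-occur in a file. The following is an added example, not code from the bartblaze/Yara-rules repository and not part of this thread: a plain-Python reimplementation of the matching the thread argues about. It searches each of the nine quoted strings in both encodings that the `ascii wide` modifiers imply (ASCII and UTF-16LE), counts how many are present in a buffer, and applies an `N of` style threshold. The actual condition in Ekans.yar is not quoted above, so the threshold is an assumption, and the sample buffers are constructed here, not real binaries.

```python
"""Estimate how selective a set of YARA-style strings is.

Added example: this is not the rule's own code and not from the
bartblaze/Yara-rules repository.  It reimplements, in plain Python, the part
of YARA matching the thread discusses: each string is searched in its `ascii`
and `wide` (UTF-16LE) encodings, and a buffer only "matches" when at least
`threshold` distinct strings are present.  The threshold is an assumption;
the real Ekans.yar condition is not quoted in the thread.
"""
from __future__ import annotations

# The nine strings Josh quoted from Ekans.yar, verbatim.
RULE_STRINGS = [
    "priority files: %v",
    "could not send control=%d: %v",
    "could not retrieve service status: %v",
    "could not access service: %v",
    "cant kill process %v : %v",
    "There can be only one",
    "pub: %v",
    "priorityFiles: %v",
    "worker %s started job %s",
]


def encodings(s: str) -> list[bytes]:
    """`ascii wide` in YARA: the ASCII bytes or the UTF-16LE bytes."""
    return [s.encode("ascii"), s.encode("utf-16-le")]


def matched_strings(data: bytes, strings: list[str] = RULE_STRINGS) -> list[str]:
    """Return the subset of `strings` present in `data` in either encoding,
    in the order they are listed in the rule."""
    return [s for s in strings if any(enc in data for enc in encodings(s))]


def rule_matches(data: bytes, threshold: int, strings: list[str] = RULE_STRINGS) -> bool:
    """Mimic an `N of ($*)` condition: true when >= threshold strings are found."""
    return len(matched_strings(data, strings)) >= threshold


# Constructed samples (not real binaries):
# a benign-looking Go service wrapper that happens to share two error strings,
# a single rule string stored as UTF-16LE, and a buffer holding all nine.
BENIGN_GO_SERVICE = (
    b"\x00service wrapper v1.2\x00"
    b"could not access service: %v\x00"
    b"could not retrieve service status: %v\x00"
    b"listening on %s\x00"
)
BENIGN_WIDE_STRING = "There can be only one".encode("utf-16-le")
ALL_STRINGS_SAMPLE = b"\x00".join(s.encode("ascii") for s in RULE_STRINGS)


def selectivity_report(threshold: int) -> dict[str, tuple[int, bool]]:
    """For each constructed sample: (number of rule strings hit, whether the
    assumed `threshold of ($*)` condition would fire)."""
    samples = {
        "benign_go_service": BENIGN_GO_SERVICE,
        "benign_wide_string": BENIGN_WIDE_STRING,
        "all_strings": ALL_STRINGS_SAMPLE,
    }
    return {
        name: (len(matched_strings(buf)), rule_matches(buf, threshold))
        for name, buf in samples.items()
    }


if __name__ == "__main__":
    # Compare a loose condition with a stricter one on the same samples.
    for threshold in (1, 5):
        print(f"threshold = {threshold} of {len(RULE_STRINGS)}")
        for name, (hits, fired) in selectivity_report(threshold).items():
            print(f"  {name}: {hits} strings hit, fires={fired}")
```

Running it shows the point in numbers: with a threshold of 1 the benign service wrapper fires on two shared error strings, while with a threshold of 5 only the buffer containing most of the rule's strings does. When reviewing a rule like this, the check is therefore the condition and the corpus of clean files it was tested against, not the individual strings in isolation.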