bartblaze / Yara-rules

Collection of private Yara rules.


Ekans Ruleset

josheyr opened this issue · comments

commented

Why is it a good idea to flag occurrences of fairly generic-looking messages in strings as ransomware?

https://github.com/bartblaze/Yara-rules/blob/master/rules/ransomware/Ekans.yar

Surely there's a better way to detect ransomware that isn't susceptible to falsely flagging random people...

Which strings specifically are you referring to?

commented
    $ = "priority files: %v" ascii wide
    $ = "could not send control=%d: %v" ascii wide
    $ = "could not retrieve service status: %v" ascii wide
    $ = "could not access service: %v" ascii wide
    $ = "cant kill process %v : %v" ascii wide
    $ = "There can be only one" ascii wide
    $ = "pub: %v" ascii wide
    $ = "priorityFiles: %v" ascii wide
    $ = "worker %s started job %s" ascii wide

Fair enough, the rule is pretty old in itself anyway. Updated in 3c7e696. Thanks for the notice.
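As an added illustration of the false-positive concern raised in this thread (this is not the rule from the repository and not the content of commit 3c7e696), here are the same nine strings in two rule shapes: a loose rule where any single generic format string fires, and a tightened rule that requires an MZ header, a filesize cap and several of the strings together. The rule names, the filesize cap and the "4 of" threshold are assumptions made here for illustration. The `%v` verbs are Go-style format verbs, so these strings point to Go binaries, but benign Go tooling can contain log lines of this shape too, which is exactly why a single hit should not be enough.

```yara
// Added example, not bartblaze's rule. Loose shape: one generic string is
// enough to match, so a benign Go program that logs
// "worker %s started job %s" would be flagged as ransomware.
rule Ekans_loose_example
{
    meta:
        description = "Illustrative loose rule (added example, not from the repository)"
    strings:
        $s1 = "priority files: %v" ascii wide
        $s2 = "could not send control=%d: %v" ascii wide
        $s3 = "could not retrieve service status: %v" ascii wide
        $s4 = "could not access service: %v" ascii wide
        $s5 = "cant kill process %v : %v" ascii wide
        $s6 = "There can be only one" ascii wide
        $s7 = "pub: %v" ascii wide
        $s8 = "priorityFiles: %v" ascii wide
        $s9 = "worker %s started job %s" ascii wide
    condition:
        any of them
}

// Tightened shape: same strings, but the file must be a PE executable,
// stay under an assumed size cap, and contain several of the strings at
// once. A lone "pub: %v" in an unrelated Go tool no longer matches.
rule Ekans_tightened_example
{
    meta:
        description = "Illustrative tightened rule (added example, not from the repository)"
    strings:
        $s1 = "priority files: %v" ascii wide
        $s2 = "could not send control=%d: %v" ascii wide
        $s3 = "could not retrieve service status: %v" ascii wide
        $s4 = "could not access service: %v" ascii wide
        $s5 = "cant kill process %v : %v" ascii wide
        $s6 = "There can be only one" ascii wide
        $s7 = "pub: %v" ascii wide
        $s8 = "priorityFiles: %v" ascii wide
        $s9 = "worker %s started job %s" ascii wide
    condition:
        uint16(0) == 0x5A4D and   // MZ header: only consider PE files
        filesize < 10MB and       // assumed cap; tune to your sample set
        4 of ($s*)                // assumed threshold: strings must co-occur
}
```

To measure the difference before deploying either shape, run both rules over a directory of known-benign Go binaries (for example `yara -r rules.yar /path/to/benign_go_binaries`): the loose rule is the one that will produce hits there, and the tightened rule should produce none while still matching the samples the strings were taken from.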