From 8d3b48a4e89b4dbe49780958943650ff9fd9027c Mon Sep 17 00:00:00 2001
From: Sidahmed
Date: Sat, 17 Jul 2021 09:21:14 +0100
Subject: [PATCH] Add Ryuk ransomware detection & Update index
---
 malware/RANSOM_Ryuk.yar | 14 ++++++++++++++
 malware_index.yar | 1 +
 2 files changed, 15 insertions(+)
 create mode 100644 malware/RANSOM_Ryuk.yar
diff --git a/malware/RANSOM_Ryuk.yar b/malware/RANSOM_Ryuk.yar
new file mode 100644
index 00000000..3e34aaf3
--- /dev/null
+++ b/malware/RANSOM_Ryuk.yar
@@ -0,0 +1,14 @@
+import "pe"
+
+rule ryuk_malware
+{
+
+ meta:
+ description = "RYUUK Malware detector"
+
+ strings:
+ $readme = "RyukReadMe.html" wide ascii
+
+ condition:
+ (pe.is_pe or pe.is_dll()) and filesize < 400KB and $readme
+}
diff --git a/malware_index.yar b/malware_index.yar
index e45712ad..79a4b453 100644
--- a/malware_index.yar
+++ b/malware_index.yar
@@ -340,6 +340,7 @@ include "./malware/RANSOM_PetrWrap.yar"
 include "./malware/RANSOM_Petya.yar"
 include "./malware/RANSOM_Petya_MS17_010.yar"
 include "./malware/RANSOM_Pico.yar"
+include "./malware/RANSOM_Ryuk.yar"
 include "./malware/RANSOM_SamSam.yar"
 include "./malware/RANSOM_Satana.yar"
 include "./malware/RANSOM_Shiva.yar"
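Review bot: The condition in `ryuk_malware` hinges on a single string, the ransom-note filename `$readme`, so any PE under 400KB that merely mentions `RyukReadMe.html` (a decryptor, a removal tool, another scanner's signature module) will match, while a sample that drops a differently named note or exceeds the size cap will not. Requiring at least one more independent indicator taken from the analysed samples, and recording their provenance in `meta:` (for example `hash = "<sha256 of analysed sample>"` and a `reference` entry), would make hits easier to triage. In the same condition `pe.is_dll()` is redundant, because a DLL already satisfies `pe.is_pe`; `pe.is_pe and filesize < 400KB and $readme` expresses the same check. The description also misspells the family name and could read `description = "Ryuk ransomware detector"`.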