Adversaries may be testing ransomware capabilities by encrypting non-critical files to assess impact and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential ransomware campaigns early and mitigate data loss.
YARA Rule

rule Ransomware : banker android
{
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "Ransomware Test 2"
        thread_level = 3
        in_the_wild = true

    strings:
        $strings_a = "!2,.B99^GGD&R-"
        $strings_b = "22922222222222222222Q^SAAWA"
        $strings_c = "t2222222222229222Q^SAAWA"

    condition:
        any of ($strings_*)
}
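The rule's condition, any of ($strings_*), fires when at least one of the three literal strings is present anywhere in the scanned file. The following added example (written for this page, not part of the original rule or of Koodous) reproduces that logic in plain Python and scans a stream in fixed-size chunks; it carries an overlap between chunks so that a string straddling a chunk boundary is still detected, which a naive chunked read would miss. The three patterns are copied from the rule above; the sample byte blobs are constructed for the demonstration and contain no real malware.

```python
# Added example: pure-Python equivalent of the rule's `any of ($strings_*)`
# condition plus a boundary-safe chunked scanner. Not part of the original page.
import io
from typing import BinaryIO, Dict, List

# YARA text strings are matched as literal bytes; none of these use escapes.
RULE_STRINGS: Dict[str, bytes] = {
    "$strings_a": b"!2,.B99^GGD&R-",
    "$strings_b": b"22922222222222222222Q^SAAWA",
    "$strings_c": b"t2222222222229222Q^SAAWA",
}


def match_strings(data: bytes) -> List[str]:
    """Return the identifiers of every rule string present in `data`."""
    return [name for name, pat in RULE_STRINGS.items() if pat in data]


def rule_matches(data: bytes) -> bool:
    """The rule's condition: true when any one of the strings is present."""
    return bool(match_strings(data))


def scan_stream(stream: BinaryIO, chunk_size: int = 4096) -> List[str]:
    """Scan an arbitrarily large stream chunk by chunk.

    A naive chunked read misses a pattern split across two reads, so the last
    (longest pattern length - 1) bytes of each window are carried into the next.
    """
    overlap = max(len(p) for p in RULE_STRINGS.values()) - 1
    found = set()
    tail = b""
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        window = tail + block
        found.update(match_strings(window))
        tail = window[-overlap:]
    # Report in the rule's declaration order.
    return [name for name in RULE_STRINGS if name in found]


def scan_bytes(data: bytes, chunk_size: int = 4096) -> List[str]:
    """Convenience wrapper: scan an in-memory blob with the chunked scanner."""
    return scan_stream(io.BytesIO(data), chunk_size)


def scan_file(path: str, chunk_size: int = 4096) -> List[str]:
    """Scan a file on disk without loading it into memory at once."""
    with open(path, "rb") as fh:
        return scan_stream(fh, chunk_size)


# Constructed samples (not real malware): one benign blob and one in which a
# rule string sits exactly across a 64-byte chunk boundary (bytes 60..73).
BENIGN_SAMPLE = b"A" * 200
STRADDLING_SAMPLE = b"B" * 60 + RULE_STRINGS["$strings_a"] + b"C" * 40

if __name__ == "__main__":
    print("benign:", scan_bytes(BENIGN_SAMPLE, chunk_size=64))
    print("straddling:", scan_bytes(STRADDLING_SAMPLE, chunk_size=64))
```

Neither 64-byte half of the straddling sample matches on its own, so a scanner without the overlap would report the file as clean; the overlap makes the chunked scan give the same answer as scanning the whole buffer, which is what the YARA engine does.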
This rule's detection logic consists of three string patterns; a match on any one of them satisfies the condition. The scenarios below describe benign activity that produces similar file-encryption telemetry, together with the filters that can separate it from a real campaign:
Scenario: Scheduled Backup Job Execution
Description: A legitimate scheduled backup job (e.g., Veeam, Acronis, or Windows Backup) is running and encrypting files as part of a test or maintenance task.
Filter/Exclusion: Check for process.parent_process containing backup tool names or task scheduler tasks with known backup job names.

Scenario: Admin Performing File Encryption for Testing
Description: A system administrator is manually encrypting files using a tool like openssl or GPG to test encryption processes or compliance procedures.
Filter/Exclusion: Filter by process.user to exclude admin accounts or check for process.command_line containing known encryption tool names.

Scenario: Antivirus Quarantine Process
Description: An antivirus tool (e.g., Bitdefender, Kaspersky) is quarantining files, which may involve encrypting or renaming files as part of its cleanup process.
Filter/Exclusion: Check for process.name containing antivirus tool names or process.parent_process related to the antivirus service.

Scenario: System File Encryption for Security Compliance
Description: A security policy requires encryption of sensitive system files using tools like BitLocker or VeraCrypt as part of a compliance or security audit.
Filter/Exclusion: Filter by process.name for BitLocker or VeraCrypt, or check for file.path matching known system or compliance file locations.

Scenario: User-Initiated File Encryption for Personal Use
Description: A user is encrypting personal files using a personal encryption tool (e.g., 7-Zip with AES encryption) for privacy or storage purposes.
Filter/Exclusion: Check for process.user matching non-admin users or process.command_line containing personal encryption tool names.
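The following added example (written for this page, not code from the original or from any SIEM vendor) applies the five scenarios above as a triage filter over alert records carrying the field names the scenarios reference (process.parent_process, process.user, process.command_line, process.name, file.path). The tool-name allowlists, the admin-account list and the sample alerts are all constructed for the demonstration. It deliberately tightens the two user-based scenarios from "user or tool" to "user and tool": an exclusion keyed on the account alone would also suppress a real encryptor that happens to run under that account, so the account is used only to qualify a matching tool name. Tagged alerts are kept and labelled rather than dropped, so the exclusion itself remains auditable.

```python
# Added example: triage of constructed alert records against the five benign
# scenarios on this page. Field names follow the scenarios; lists are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Allowlists are matched case-insensitively as substrings of the field value.
# All values here are assumptions for the demonstration; tune to your estate.
BACKUP_TOOLS = ["veeam", "acronis", "wbadmin", "windows backup"]
ADMIN_ENCRYPTION_TOOLS = ["openssl", "gpg"]
ANTIVIRUS_TOOLS = ["bitdefender", "kaspersky"]
COMPLIANCE_TOOLS = ["bitlocker", "manage-bde", "veracrypt"]
COMPLIANCE_PATHS = ["\\compliance\\", "\\secure\\"]
PERSONAL_TOOLS = ["7z", "7-zip"]
ADMIN_ACCOUNTS = ["administrator", "backupadmin"]


@dataclass
class Alert:
    """One file-encryption alert; attribute names mirror the scenario fields."""
    parent_process: str = ""   # process.parent_process
    user: str = ""             # process.user
    command_line: str = ""     # process.command_line
    name: str = ""             # process.name
    path: str = ""             # file.path


def _contains_any(value: str, needles: List[str]) -> bool:
    v = value.lower()
    return any(n in v for n in needles)


def benign_scenario(a: Alert) -> Optional[str]:
    """Return the name of the first scenario whose filter matches, or None."""
    is_admin = a.user.lower() in ADMIN_ACCOUNTS
    if _contains_any(a.parent_process, BACKUP_TOOLS):
        return "Scheduled Backup Job Execution"
    if _contains_any(a.name, ANTIVIRUS_TOOLS) or _contains_any(a.parent_process, ANTIVIRUS_TOOLS):
        return "Antivirus Quarantine Process"
    if _contains_any(a.name, COMPLIANCE_TOOLS) or _contains_any(a.path, COMPLIANCE_PATHS):
        return "System File Encryption for Security Compliance"
    # Account alone is never sufficient: it must coincide with a known tool.
    if is_admin and _contains_any(a.command_line, ADMIN_ENCRYPTION_TOOLS):
        return "Admin Performing File Encryption for Testing"
    if not is_admin and _contains_any(a.command_line, PERSONAL_TOOLS):
        return "User-Initiated File Encryption for Personal Use"
    return None


def triage(alerts: List[Alert]) -> Dict[str, List[Alert]]:
    """Split alerts into those needing analyst review and those tagged benign."""
    out: Dict[str, List[Alert]] = {"review": [], "benign": []}
    for a in alerts:
        out["benign" if benign_scenario(a) else "review"].append(a)
    return out


# Constructed sample alerts (hypothetical hosts, users and paths).
SAMPLE_ALERTS = [
    Alert(parent_process="Veeam.Backup.Service.exe", user="SYSTEM",
          name="VeeamAgent.exe", command_line="VeeamAgent.exe --job nightly"),
    Alert(parent_process="explorer.exe", user="jdoe", name="update.exe",
          command_line="C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
          path="C:\\Users\\jdoe\\Documents\\"),
    Alert(parent_process="cmd.exe", user="Administrator", name="openssl.exe",
          command_line="openssl enc -aes-256-cbc -in test.txt -out test.enc",
          path="C:\\Temp\\test.txt"),
    Alert(parent_process="explorer.exe", user="jdoe", name="7z.exe",
          command_line="7z.exe a -p archive.7z photos\\",
          path="C:\\Users\\jdoe\\Pictures\\"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for a in result["review"]:
        print("REVIEW :", a.user, a.command_line)
    for a in result["benign"]:
        print("BENIGN :", benign_scenario(a), "|", a.user, a.command_line)
```

Of the four constructed alerts, the unexplained executable launched from a temp directory is the only one left for review; the backup agent, the administrator's openssl run and the user's password-protected 7-Zip archive are each tagged with the scenario that explains them.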