Yara
In May 2024, a group of about 300 small and medium-sized banks in India fell prey to a cyber attack. Customers were unable to withdraw money from ATMs, and UPI transactions started failing. Most of these banks were in tier-2 cities and other rural locations.
The attack was attributed to the RansomEXX group, which some believe operates out of Russia. The name comes from the string "ransom.exx" found in the malware's binary. That string may be encoded and not easy to detect, but there are other strings and byte sequences that can be used to identify this specific malware.
YARA is a tool for writing custom rules that identify and classify malware by textual or binary patterns in files and process memory (network traffic is usually scanned through tools that embed YARA rather than by YARA itself). The rule below, written to identify RansomEXX, shows the format: a meta section, a strings section of hex byte sequences and text strings, and a condition that ties them together. In practice, the byte sequences in a rule like this are extracted from analysis of real samples; treat the ones here as an illustration of the format rather than as vetted indicators.
rule RansomEXX_Detection
{
    meta:
        description = "Detects RansomEXX ransomware based on known patterns"
        author = "Cybersecurity Team"
        date = "2024-12-07"
        malware_family = "RansomEXX"
        malware_type = "Ransomware"
        severity = "high"

    strings:
        // Known byte patterns associated with RansomEXX malware
        $byte1 = { 23 69 9D 5B 0F A9 83 1D 3A 90 87 58 9E 56 02 }
        $byte2 = { 8E 5F 94 C9 16 A1 7E 34 A0 23 5F 5A 6E 9C }

        // Extension appended to encrypted files, and fragments of the ransom note
        $file_ext = ".ransomexx" nocase ascii
        $note1 = "Study this message REGARDFULLY" ascii fullword
        $note2 = "Your files are encrypted by RansomEXX" ascii fullword
        $ransom_string = "pay the ransom in Bitcoin" ascii fullword

    condition:
        // The rule triggers if at least one of the byte patterns or strings is found
        (any of ($byte1, $byte2) or
         any of ($note1, $note2, $ransom_string) or
         $file_ext)
}
The $note strings are fragments of the message the unfortunate victim sees on screen, and $file_ext is the extension the malware appends to the files it encrypts. Run the yara binary with this rule file and the directory to scan, and it reports every file that matches, which can surface a dropped binary that is lying dormant, waiting for an opportune time to execute. Check which strings fired, though: a match on the ransom-note text alone may be a note left behind after files were already encrypted, or a copy of the note saved by an analyst, rather than the malware itself.
There are many community-maintained collections of YARA rules covering most of the malware families we know of. In fact, you can build a simple antivirus program yourself with a short Python program that loads these rules (through the yara-python bindings) and scans files with them. It won't be very efficient, but it's a good exercise for getting started with the concepts.
Scanning every file on disk with YARA is resource intensive; the trick is to scan in response to events, for example a new process being loaded into memory or a new file being created, so that each trigger scans only what changed rather than sweeping the whole disk on a schedule.
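The following script is an added example, not the page's own code, illustrating both the "simple antivirus in Python" idea and the event-driven scanning above. It embeds the page's rule: when the yara-python module is installed the rule is compiled with it, and otherwise a pure-Python matcher with the same semantics (hex byte patterns, nocase, fullword) takes over, so it runs offline either way. The sample files it writes are constructed here for illustration, and the hex sequences are copied from the rule above rather than independently verified indicators.

```python
"""Added example (not the page's own code): a small YARA-style scanner.

Uses yara-python when importable; otherwise a pure-Python matcher with the
same semantics.  Sample files are constructed for illustration only, and the
hex sequences are the page's, not independently verified indicators.
"""
import os
import re
import tempfile

# The page's rule, reproduced so yara-python can compile it when available.
RULE_TEXT = r'''
rule RansomEXX_Detection
{
    meta:
        description = "Detects RansomEXX ransomware based on known patterns"
    strings:
        $byte1 = { 23 69 9D 5B 0F A9 83 1D 3A 90 87 58 9E 56 02 }
        $byte2 = { 8E 5F 94 C9 16 A1 7E 34 A0 23 5F 5A 6E 9C }
        $file_ext = ".ransomexx" nocase ascii
        $note1 = "Study this message REGARDFULLY" ascii fullword
        $note2 = "Your files are encrypted by RansomEXX" ascii fullword
        $ransom_string = "pay the ransom in Bitcoin" ascii fullword
    condition:
        any of ($byte1, $byte2) or any of ($note1, $note2, $ransom_string) or $file_ext
}
'''

# The same strings as plain data for the pure-Python matcher.
HEX_PATTERNS = {
    "$byte1": bytes.fromhex("23699D5B0FA9831D3A9087589E5602"),
    "$byte2": bytes.fromhex("8E5F94C916A17E34A0235F5A6E9C"),
}
TEXT_PATTERNS = {  # identifier -> (text, nocase, fullword)
    "$file_ext": (".ransomexx", True, False),
    "$note1": ("Study this message REGARDFULLY", False, True),
    "$note2": ("Your files are encrypted by RansomEXX", False, True),
    "$ransom_string": ("pay the ransom in Bitcoin", False, True),
}

def _compile_text(text, nocase, fullword):
    pat = re.escape(text.encode("ascii"))
    if fullword:  # YARA fullword: no alphanumeric byte directly before or after
        pat = rb"(?<![A-Za-z0-9])" + pat + rb"(?![A-Za-z0-9])"
    return re.compile(pat, re.IGNORECASE if nocase else 0)

_TEXT_RX = {k: _compile_text(*v) for k, v in TEXT_PATTERNS.items()}

try:
    import yara  # optional: pip install yara-python
    _YARA_RULES = yara.compile(source=RULE_TEXT)
except ImportError:
    _YARA_RULES = None

def matched_strings(data: bytes) -> list:
    """Identifiers of the rule's strings found in `data` (pure Python)."""
    hits = [k for k, raw in HEX_PATTERNS.items() if raw in data]
    hits += [k for k, rx in _TEXT_RX.items() if rx.search(data)]
    return sorted(hits)

def rule_matches(data: bytes) -> bool:
    """The rule's condition: true if any declared string is present."""
    if _YARA_RULES is not None:
        return bool(_YARA_RULES.match(data=data))
    return bool(matched_strings(data))

def scan_directory(root: str, newer_than: float = 0.0) -> list:
    """Scan files under `root`; return sorted (relative path, matched ids).

    `newer_than` (Unix timestamp) skips files not modified since then, so an
    event-driven caller rescans only what a 'file created' trigger changed.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.stat(path).st_mtime <= newer_than:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable, or vanished between listing and open
            if rule_matches(data):
                hits.append((os.path.relpath(path, root), matched_strings(data)))
    return sorted(hits)

def build_demo_tree() -> str:
    """Write constructed sample files to a temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="yara_demo_")
    samples = {
        "clean.txt": b"Quarterly numbers attached. Nothing to see here.\n",
        "note.txt": b"Your files are encrypted by RansomEXX\npay the ransom in Bitcoin\n",
        "dropper.bin": b"MZ\x90\x00" + b"\x00" * 24 + HEX_PATTERNS["$byte1"] + b"\xcc" * 8,
        "renamed.doc": b"\x00\x01 encrypted blob .RANSOMEXX\n",       # nocase catches upper case
        "lookalike.txt": b"Your files are encrypted by RansomEXXtra\n",  # fullword rejects this
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, ids in scan_directory(build_demo_tree()):
        print(f"{rel}: {', '.join(ids)}")
```

The same check from the command line is `yara -r RansomEXX.yar /path/to/scan`, where RansomEXX.yar holds the rule above. The lookalike file shows why fullword matters: the note text is present as a substring, but an alphanumeric character follows it, so neither YARA nor the fallback matcher reports it, which keeps the rule from firing on unrelated text that merely contains the phrase.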
Want to know more about how this attack actually happened? See the video below: