conti.yara

rule conti_phrases : critical {
  meta:
    description = "Ransomware phrases used by Conti"
    hash_2023_Conti_bb64 = "bb64b27bff106d30a7b74b3589cc081c345a2b485a831d7e8c8837af3f238e1e"
    hash_2023_Multios_Ransomware_DarkSide_da3b = "da3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5"
    hash_2023_Downloads_8b57 = "8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201"
	ref = "https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks"
  strings:
    $a = "All of your files are currently"
    $b = "currently encrypted by"
    $c = "If you don't know who we are"
    $d = "It cannot be recovered"
    $e = "recovered by any means"
    $f = "without contacting our team"
    $g = "DON'T TRY TO RECOVER"
    $g2 = "your data by yourselves"
    $g3 = "attempt to recover your"
    $g4 = "additional recovery software"
    $h = "choosing the data of the lowtest"
    $i = "we recommend choosing"
    $j = "better for both sides"
    $k = "contact us as soon as possible"
    $l = "DON'T TRY TO IGNORE"
    $m = "DON'T TRY TO CONTACT"
    $n = "any recovery companies"
    $o = "your internal data"
    $p = "ready to publi"
    $q = "on our news website"
    $r = "you do not respond"
    $s = "our informants in"
    $t = "a hostile intent"
    $u = "initiate the publication"
    $v = "compromised data"
    $w = "get your data back"
    $x = "we offer you to"
    $y = "random files completely"
    $z = "free of charge"
    $aa = "for further instructions"
    $ac = "install TOR browser"
    $ad = "torproject.org"
    $ae = "YOU SHOULD BE AWARE"
    $af = "We will speak only"
    $ag = "an authorized person"
    $ah = "CEO, top management"
    $ai = "you are not such a person"
    $aj = "DON'T CONTACT US"
    $ak = "serious harm to"
    $al = "Inform your supervisors"
    $am = "and stay calm"
    $conti = "CONTI" fullword
  condition:
    filesize < 1MB and (($conti and 2 of them) or (4 of them))
}