Let’s imagine we are analyzing a new piece of ransomware. We notice that every infected file contains a specific "ransom note" header and a specific hexadecimal byte sequence.
Here is how we would write a YARA rule to detect it:

```yara
rule Suspicious_Ransomware_Variant
{
    meta:
        author = "SecurityTeam"
        description = "Detects specific ransom note and binary marker"
        date = "2023-10-27"

    strings:
        // A text string found in the ransom note; "wide ascii" matches
        // both the plain ASCII and the UTF-16LE encoding of the text
        $note_text = "YOUR FILES ARE ENCRYPTED" wide ascii

        // A hex string representing a specific file header or code instruction
        // (hex strings must be enclosed in curly braces)
        $hex_pattern = { 4D 5A 90 00 03 00 00 00 }

        // A regular expression looking for a file extension pattern
        $extension = /\.locked$/ nocase

    condition:
        // The file must have the ransom note text
        // AND either the hex pattern OR the file extension
        $note_text and ($hex_pattern or $extension)
}
```
The condition section contains the Boolean logic. It tells YARA when to alert. For example, you might say: "Alert only if you find String A AND String B," or "Alert if you find String A OR String C."
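To see how the three string types and the condition combine, here is an added example (not part of the original page and not yara-python): a small pure-Python stand-in for the rule's matching logic, run over constructed sample buffers that exercise each branch of the condition.

```python
import re

# Patterns copied from the rule above; the matching below is a constructed
# stand-in for YARA's engine so the condition logic can be checked offline.
NOTE_TEXT = b"YOUR FILES ARE ENCRYPTED"
HEX_PATTERN = bytes.fromhex("4D5A900003000000")
EXTENSION_RE = re.compile(rb"\.locked$", re.IGNORECASE)


def has_note_text(data: bytes) -> bool:
    """'wide ascii': match either the ASCII form or the UTF-16LE form."""
    wide = NOTE_TEXT.decode("ascii").encode("utf-16-le")
    return NOTE_TEXT in data or wide in data


def has_hex_pattern(data: bytes) -> bool:
    """Hex string: the raw byte sequence anywhere in the data."""
    return HEX_PATTERN in data


def has_extension(data: bytes) -> bool:
    """Regex with '$': in YARA this anchors to the end of the scanned data."""
    return EXTENSION_RE.search(data) is not None


def rule_matches(data: bytes) -> bool:
    """condition: $note_text and ($hex_pattern or $extension)"""
    return has_note_text(data) and (has_hex_pattern(data) or has_extension(data))


# Constructed samples, not real malware artefacts.
SAMPLES = {
    # ASCII note plus the header bytes: matches through $hex_pattern
    "note_and_header": HEX_PATTERN + b"\x00" * 16 + NOTE_TEXT + b"\n",
    # UTF-16LE note plus ".LOCKED" at the very end: wide form and $extension
    "wide_note_and_ext": NOTE_TEXT.decode().encode("utf-16-le") + b" readme.LOCKED",
    # Header only: $note_text is missing, so the AND fails
    "header_only": HEX_PATTERN + b"\x00" * 32,
    # Note only, no header and no extension: the OR branch fails
    "note_only": b"README: " + NOTE_TEXT,
}


def evaluate_samples() -> dict:
    """Return {sample name: whether the rule would fire}."""
    return {name: rule_matches(data) for name, data in SAMPLES.items()}
```

Only the first two samples fire; the last two show that a lone header or a lone note is not enough for this condition.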