---
# File-protocol template: flags files whose raw content contains strings
# associated with Zcrypt ransomware, based on the rule linked under
# `reference`.
#
# NOTE(review): the id and tag are spelled "zrypt" while the name says
# "Zcrypt". They are left unchanged here because template filters or
# existing tooling may already key on them. Confirm before renaming.
id: zrypt-malware

info:
  name: Zcrypt Malware - Detect
  author: daffainfo
  # `info` severity: a hit is an indicator that needs triage, not a
  # verdict. The same strings can appear in write-ups, detection rules
  # and copies of this template.
  severity: info
  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_zcrypt.yara
  tags: malware,file,zrypt

file:
  - extensions:
      - all

    # Either matcher below is enough to report a match.
    matchers-condition: or
    matchers:
      # Distinctive strings: any single one triggers the matcher.
      # NOTE(review): word matchers compare the bytes as written and are
      # case-sensitive unless configured otherwise. If the referenced
      # rule also covers UTF-16 ("wide") forms, those are not matched
      # here. Verify against the reference.
      - type: word
        part: raw
        condition: or
        words:
          - "How to Buy Bitcoins"
          - "ALL YOUR PERSONAL FILES ARE ENCRYPTED"
          - "Click Here to Show Bitcoin Address"
          - "MyEncrypter2.pdb"

      # Generic strings: short extensions such as ".pem" are common in
      # benign files, so all six entries must be present together.
      # They match as plain substrings, with no word-boundary check.
      - type: word
        part: raw
        condition: and
        words:
          - ".p7b"
          - ".p7c"
          - ".pdd"
          - ".pef"
          - ".pem"
          - "How to decrypt files.html"