Concrete signature match: Ransomware - Encrypts files and demands payment for 32-bit Windows platform, family LockFile
This is a concrete detection for LockFile.ALK ransomware, a variant that encrypts files and steals data, demanding a ransom payment. The detection is highly accurate, leveraging specific binary signatures and recognizable ransom note text indicating both data exfiltration and encryption.
rule Ransom_Win32_LockFile_ALK_2147946752_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Ransom:Win32/LockFile.ALK!MTB"
        threat_id = "2147946752"
        type = "Ransom"
        platform = "Win32: Windows 32-bit platform"
        family = "LockFile"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "6"
        strings_accuracy = "High"
    strings:
        $x_3_1 = {0f bd f7 0f bd d1 83 f6 1f 83 f2 1f 83 ce 20 80 7c 24 10 00 0f 44 d6 0f bd f3 0f bd c8 83 f6 1f 83 f1 1f 83 ce 20 85 c0 0f 45 f1 83 ce 40 0b 7c 24 08 0f 45 f2 6a 7b 5f 29 f7} //weight: 3, accuracy: High
        $x_2_2 = "Your infrastructure DeadLocked" ascii //weight: 2
        $x_1_3 = "All Files stolen and encrypted" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the infected system from the network to prevent further spread. Fully remove the LockFile.ALK ransomware using a reputable security solution, and restore encrypted or stolen files from secure, offline backups. Do not pay the ransom. Implement strong endpoint protection, user awareness training, and ensure regular backups to prevent future infections.
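The following added example (not part of the original page or of threatcheck.sh's tooling) emulates the weighted-string scoring that the PEHSTR_EXT signature type expresses: each string carries the weight from its //weight comment, a buffer is scored by summing the weights of the strings it contains, and the rule fires when the sum reaches the threshold of 6 and the size limit holds. The sample buffers are constructed filler, not real malware.

```python
# Added example: pure-Python emulation of the weighted scoring behind the
# LockFile.ALK signature above. Strings, weights, threshold and size limit
# are copied from the rule; the sample buffers below are constructed.

HEX_CODE = (
    "0f bd f7 0f bd d1 83 f6 1f 83 f2 1f 83 ce 20 80 7c 24 10 00 0f 44 d6 "
    "0f bd f3 0f bd c8 83 f6 1f 83 f1 1f 83 ce 20 85 c0 0f 45 f1 83 ce 40 "
    "0b 7c 24 08 0f 45 f2 6a 7b 5f 29 f7"
)

# name -> (pattern, weight); weights come from the rule's //weight comments.
SIGNATURE_STRINGS = {
    "x_3_1": (bytes.fromhex(HEX_CODE), 3),             # opcode sequence
    "x_2_2": (b"Your infrastructure DeadLocked", 2),   # ransom note text
    "x_1_3": (b"All Files stolen and encrypted", 1),   # ransom note text
}
THRESHOLD = 6                    # rule meta: threshold = "6" (3 + 2 + 1)
MAX_FILESIZE = 20 * 1024 * 1024  # condition: filesize < 20MB


def score(data: bytes):
    """Sum the weights of every signature string present in data.

    Returns (total_weight, [names of matched strings]) so an analyst can
    see which strings fired, not only whether the threshold was reached.
    """
    matched = [n for n, (pat, _) in SIGNATURE_STRINGS.items() if pat in data]
    total = sum(SIGNATURE_STRINGS[n][1] for n in matched)
    return total, matched


def matches(data: bytes) -> bool:
    """Apply the rule's condition: size limit plus weighted threshold.

    The threshold (6) equals the sum of all weights, so this is the same
    as the rule's `all of ($x*)`: a buffer with only the two ransom-note
    strings scores 3 and does not fire.
    """
    if len(data) >= MAX_FILESIZE:
        return False
    total, _ = score(data)
    return total >= THRESHOLD


# Constructed sample buffers (not real malware): filler around the strings.
FILLER = b"\x90" * 64
SAMPLE_FULL = (FILLER + bytes.fromhex(HEX_CODE) + FILLER
               + b"Your infrastructure DeadLocked\n"
               + b"All Files stolen and encrypted\n")
SAMPLE_NOTE_ONLY = (FILLER + b"Your infrastructure DeadLocked\n"
                    + b"All Files stolen and encrypted\n")
```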