Signature match: Ransom:Win64/LockZ.YAF!MTB (ransomware that encrypts files and demands payment, 64-bit Windows platform, family LockZ)
This is a concrete detection of LockZ ransomware, a Win64 variant that encrypts files and demands a ransom. It launches PowerShell with `-WindowStyle Hidden -ExecutionPolicy Bypass` so the console never appears and the script execution policy is overridden (note that the execution policy is a safety default, not a security boundary, which is why `Bypass` works without elevation), runs its encryption routine from a script named `dirEncryption.ps1`, and issues `del /q /f` to delete files silently and without confirmation. Be precise about that last string: `del /q /f` removes ordinary files (plausibly the plaintext originals, backup files, or the dropper's own artifacts); it does not remove Volume Shadow Copies, so this string alone does not establish shadow-copy deletion. The victim is then shown a ransom note stating the machine is "infected by **LockZ**" and offering to "get your files back".
Relevant strings associated with this threat (all matched as PEHSTR_EXT):
- `powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass` (PEHSTR_EXT)
- `infected by **LockZ**` (PEHSTR_EXT)
- `del /q /f` (PEHSTR_EXT)
- `dirEncryption.ps1` (PEHSTR_EXT)
rule Ransom_Win64_LockZ_YAF_2147944780_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Ransom:Win64/LockZ.YAF!MTB"
        threat_id = "2147944780"
        type = "Ransom"
        platform = "Win64: Windows 64-bit platform"
        family = "LockZ"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "6"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "get your files back" ascii //weight: 1
        $x_1_2 = "unlock files yourself" ascii //weight: 1
        $x_1_3 = "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass" ascii //weight: 1
        $x_1_4 = "infected by **LockZ**" ascii //weight: 1
        $x_1_5 = "del /q /f" ascii //weight: 1
        $x_1_6 = "dirEncryption.ps1" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

SHA-256: 66f3e8beaec789687b86306e6ed7da19d810cc30aff673bfd15f5da0edb8f068

Immediately isolate the infected system from the network to prevent further spread. Perform a full system scan with updated antivirus software to ensure complete removal of the ransomware and any associated files, including the dropped `dirEncryption.ps1` script. Restore critical data from secure, clean backups, and do not pay the ransom. Enhance endpoint security, review access controls, and ensure all systems are patched to prevent future infections.
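The rule's meta block says `threshold = "6"` while every string carries `//weight: 1`, and the condition is written as `all of ($x*)`; the two are equivalent only because the weights sum to exactly the threshold. The following added example (written for this page, not code from threatcheck.sh or from the malware) emulates that weighted-string scoring and the `filesize < 20MB` bound over constructed byte buffers, so a practitioner can see why a sample with only the three most "behavioural" strings (PowerShell flags, `del /q /f`, `dirEncryption.ps1`) does not fire this rule. The buffers, the `MatchResult` type and the helper names are assumptions of the example.

```python
"""Emulate the weighted-string / threshold semantics of the LockZ rule above.

Example code added to this page; the sample buffers below are constructed
for illustration and are not real malware.
"""
from dataclasses import dataclass, field

MAX_FILESIZE = 20 * 1024 * 1024  # the rule's "filesize < 20MB" bound

# (identifier, pattern, weight) copied from the rule; every weight is 1
LOCKZ_STRINGS = [
    ("$x_1_1", b"get your files back", 1),
    ("$x_1_2", b"unlock files yourself", 1),
    ("$x_1_3", b"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass", 1),
    ("$x_1_4", b"infected by **LockZ**", 1),
    ("$x_1_5", b"del /q /f", 1),
    ("$x_1_6", b"dirEncryption.ps1", 1),
]
THRESHOLD = 6  # meta: threshold = "6"


@dataclass
class MatchResult:
    matched: bool
    score: int
    hits: list = field(default_factory=list)


def score_buffer(data, strings=LOCKZ_STRINGS):
    """Sum the weights of every pattern present at least once in data.

    Returns (score, [identifiers that hit]).
    """
    hits = [ident for ident, pattern, _w in strings if pattern in data]
    score = sum(w for ident, _p, w in strings if ident in hits)
    return score, hits


def evaluate(data, strings=LOCKZ_STRINGS, threshold=THRESHOLD, max_size=MAX_FILESIZE):
    """Apply the rule: size bound AND weighted score >= threshold."""
    if len(data) >= max_size:  # YARA's filesize < 20MB is a strict bound
        return MatchResult(False, 0, [])
    score, hits = score_buffer(data, strings)
    return MatchResult(score >= threshold, score, hits)


def threshold_is_all_of(strings=LOCKZ_STRINGS, threshold=THRESHOLD):
    """True when the threshold can only be met by every string hitting,
    i.e. when the weighted condition collapses to 'all of ($x*)'."""
    total = sum(w for _i, _p, w in strings)
    min_weight = min(w for _i, _p, w in strings)
    # Dropping even the lightest string must leave us below the threshold.
    return total - min_weight < threshold <= total


def scan_file(path, **kwargs):
    """Convenience wrapper for a real file; reads it fully since it is bounded."""
    with open(path, "rb") as fh:
        return evaluate(fh.read(), **kwargs)


# --- constructed sample buffers (assumed, not real samples) -----------------
_PAD = b"\x00" * 64  # stands in for PE code/data around the strings
FULL_SAMPLE = _PAD + b"\x00".join(p for _i, p, _w in LOCKZ_STRINGS) + _PAD
PARTIAL_SAMPLE = (
    _PAD
    + b"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass\x00"
    + b"del /q /f\x00"
    + b"dirEncryption.ps1\x00"
    + _PAD
)

if __name__ == "__main__":
    for label, buf in (("full", FULL_SAMPLE), ("partial", PARTIAL_SAMPLE)):
        r = evaluate(buf)
        print(f"{label:8s} matched={r.matched} score={r.score} hits={r.hits}")
    print("threshold collapses to 'all of':", threshold_is_all_of())
```

The partial buffer scores 3 of 6, so it is not reported even though it contains the strings most likely to survive a rebuild of the ransom note. If you adapt this signature for hunting rather than conviction, lower the threshold (or give the behavioural strings higher weights) and accept the extra triage; `threshold_is_all_of` tells you when a change has moved the rule away from strict all-strings matching.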