YARA Idea to Detect Malware

https://www.shadowstackre.com/ – Committed to delivering high quality malware intelligence and services to the cybersecurity community.
Open this link: https://github.com/ShadowStackRe/intel/tree/master/rules/yara

Example:
YARA to detect Cactus Ransomware

    // Rule header and name added here so the snippet compiles; the original listing gave only strings and condition.
    rule Cactus_Ransomware
    {
        strings:
            $strReadMe = "cAcTuS.readme.txt" wide
            $strLockExt = ".cts" wide
            $strTskName = "Updates Check Task" wide
            $strTskName2 = "Google Service Update"
            $strNTUSer = "ntuser.dat" wide
            $strNTUSer2 = "ntuser.log" wide
            $strBuilderName = "cactusbuilder"
        condition:
            // MZ header, the ransom note and lock extension, plus at least one scheduled-task name
            // and one ntuser artefact. The wildcards ($x*) are needed so that $strTskName2 and
            // $strNTUSer2 are referenced; YARA refuses to compile a rule with unreferenced strings.
            // 'and' binds tighter than 'or', so $strBuilderName on its own also satisfies the rule,
            // even for a file with no MZ header; the parentheses make that grouping explicit.
            (uint16(0) == 0x5A4D and ($strReadMe and $strLockExt) and
             (1 of ($strTskName*)) and (1 of ($strNTUSer*))) or $strBuilderName
    }
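To see what this condition actually accepts, here is an added Python harness (not from the page or the ShadowStackRe repository) that emulates the relevant YARA semantics on constructed byte buffers: wide strings searched as UTF-16LE, and-before-or precedence, and the 1 of ($x*) wildcard. The sample buffers are constructed for the test and are not real Cactus artefacts.

```python
"""Emulate the Cactus rule's condition so its behaviour can be checked offline."""
import struct

# (name, text, wide?) taken from the rule above; "wide" means UTF-16LE in YARA
STRINGS = [
    ("strReadMe", "cAcTuS.readme.txt", True),
    ("strLockExt", ".cts", True),
    ("strTskName", "Updates Check Task", True),
    ("strTskName2", "Google Service Update", False),
    ("strNTUSer", "ntuser.dat", True),
    ("strNTUSer2", "ntuser.log", True),
    ("strBuilderName", "cactusbuilder", False),
]

def pattern(text, wide):
    """Encode a string the way YARA searches for it (wide => UTF-16LE, else ASCII)."""
    return text.encode("utf-16-le") if wide else text.encode("ascii")

def found(data):
    """Map each string name to whether its encoded form occurs in data."""
    return {name: pattern(text, wide) in data for name, text, wide in STRINGS}

def one_of(hits, prefix):
    """Emulate `1 of ($prefix*)`: true if any string named prefix... matched."""
    return any(hit for name, hit in hits.items() if name.startswith(prefix))

def cactus_condition(data):
    """Evaluate the rule's condition with YARA's precedence (and binds tighter than or)."""
    h = found(data)
    is_mz = len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x5A4D
    pe_branch = (is_mz and h["strReadMe"] and h["strLockExt"]
                 and one_of(h, "strTskName") and one_of(h, "strNTUSer"))
    return pe_branch or h["strBuilderName"]

def build_sample(markers, mz=True):
    """Constructed sample: optional MZ magic, padding, then the given encoded markers."""
    return (b"MZ" if mz else b"TX") + b"\x00" * 62 + b"|".join(markers)

# Constructed samples (not real malware): a hit, an encoding miss, and the precedence pitfall
SAMPLE_HIT = build_sample([pattern("cAcTuS.readme.txt", True), pattern(".cts", True),
                           pattern("Google Service Update", False), pattern("ntuser.log", True)])
SAMPLE_ASCII_ONLY = build_sample([b"cAcTuS.readme.txt", b".cts",
                                  b"Updates Check Task", b"ntuser.dat"])  # wide strings absent
SAMPLE_BUILDER_TXT = build_sample([b"cactusbuilder"], mz=False)  # no MZ header at all

if __name__ == "__main__":
    for label, data in [("hit", SAMPLE_HIT), ("ascii_only", SAMPLE_ASCII_ONLY),
                        ("builder_text", SAMPLE_BUILDER_TXT)]:
        print(f"{label}: {cactus_condition(data)}")
```

With yara-python installed, the same buffers can be passed to yara.compile(source=...).match(data=...) to confirm the emulation against the real engine.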
