
Fix ransomware message and add new mass note placement sig#533

Status: Open
kevross33 wants to merge 1 commit into CAPESandbox:master from kevross33:patch-97

Conversation

kevross33 (Contributor) commented Feb 27, 2026

Fix sig so it works correctly when using NtWriteFile instead of appearing in dropped files (we return True immediately on one hit to avoid marking them all).

Then add a new signature for mass copying/writing the same likely ransomware message across multiple directories. It will mark the first 5 calls but display the count to avoid it returning potentially hundreds or even thousands of marked calls.

BASTA: [screenshot]

LOCKBIT: [screenshot]

@gemini-code-assist (bot) commented
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the system's ability to detect ransomware activity. It refines an existing signature to catch a broader range of ransomware messages and introduces a new signature specifically designed to identify the widespread deployment of ransom notes across a file system, providing more comprehensive coverage against common ransomware behaviors.

Highlights

  • Enhanced Ransomware Message Detection: The existing RansomwareMessage signature has been significantly improved by expanding its list of detection indicators and refining its logic to handle NtWriteFile and WriteFile calls more effectively, including robust buffer parsing and early return on detection.
  • New Mass Ransom Note Drop Signature: A new signature, MassRansomNoteDrop, has been introduced to identify ransomware that writes or copies the same ransom note across multiple directories, with logic to limit the number of marked calls to prevent excessive alerts while still tracking the overall impact.


Changelog
  • modules/signatures/windows/ransomware_message.py
    • Included WriteFile in the filter_apinames for broader API coverage.
    • Expanded the indicators list with numerous new ransomware-related keywords for improved detection.
    • Refactored on_call and on_complete methods to correctly handle buffer data types (bytes, bytearray, string) and to return True immediately upon a match in on_call to prevent redundant marking.
    • Added MassRansomNoteDrop class: This new signature detects when the same ransom note filename is written or copied to multiple directories. It tracks notes per process ID and limits the marking of calls to the first five instances while recording the total count of affected directories.
Activity
  • No specific activity or review comments were provided in the context. The author's comment "BASTA" suggests completion from their perspective.
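The two signatures as the PR description and the Changelog above describe them, written out as an added stand-alone example; this is not the PR's code and not anything from the CAPESandbox repository. The Signature class is an assumed minimal stand-in for CAPE's base class (calls as {"api", "args"} dicts, and a run() loop that stops feeding a signature calls once on_call returns True, which is the behaviour the description relies on); the argument names HandleName, NewFileName and Buffer, the indicator list, the note-filename pattern and the five-directory threshold are assumptions, and the behaviour log is constructed:

```python
import ntpath
import re
from collections import defaultdict

# Constructed subset of ransom-note indicator strings; the PR's real list is longer.
INDICATORS = ("your files have been encrypted", "decrypt", "bitcoin", "tor browser", "private key")
# Assumed filename pattern for a "likely ransomware message"; not taken from the PR.
NOTE_NAME_RE = re.compile(r"(readme|restore|recover|decrypt|how.?to|instruction).*\.(txt|hta|html?)$", re.I)
# Constructed note body; Windows ransom notes are commonly UTF-16LE, hence the encoding.
NOTE_TEXT = "Your files have been encrypted! Pay in Bitcoin to get the private key.".encode("utf-16-le")

def buffer_to_text(buf):
    """Normalise a Buffer argument (bytes, bytearray, str or None) to str; an embedded NUL is the cue for UTF-16LE."""
    if isinstance(buf, (bytes, bytearray)):
        return bytes(buf).decode("utf-16-le" if b"\x00" in buf else "utf-8", errors="ignore")
    return "" if buf is None else str(buf)

class Signature:
    """Assumed minimal stand-in for CAPE's Signature base class, with only what the two signatures below use.
    Calls are {"api": ..., "args": {...}} dicts; once on_call returns True the signature gets no further calls."""
    filter_apinames = set()

    def __init__(self):
        self.data, self.ret, self.marked_calls, self._current = [], False, [], None
    def get_argument(self, call, name):
        return call["args"].get(name)
    def mark_call(self):
        self.marked_calls.append(self._current)

    def run(self, processes):
        for process in processes:
            for call in process["calls"]:
                if call["api"] in self.filter_apinames:
                    self._current = call
                    if self.on_call(call, process):
                        return self.on_complete()   # matched: stop feeding calls to this signature
        return self.on_complete()

class RansomwareMessage(Signature):
    filter_apinames = {"NtWriteFile", "WriteFile"}

    def on_call(self, call, process):
        text = buffer_to_text(self.get_argument(call, "Buffer")).lower()
        matches = [ind for ind in INDICATORS if ind in text]
        if len(matches) > 1:   # same threshold as the reviewed snippet: more than one indicator
            self.mark_call()
            self.data.append({"pid": process["process_id"], "indicators": matches})
            self.ret = True
            return True        # one hit is enough; stopping here keeps hundreds of writes from being marked

    def on_complete(self):
        return self.ret

class MassRansomNoteDrop(Signature):
    filter_apinames = {"NtWriteFile", "WriteFile", "CopyFileA", "CopyFileW", "CopyFileExW"}
    MAX_MARKED = 5   # mark only the first five placements; the total is reported as a count, never stop early
    MIN_DIRS = 5     # assumed threshold for "multiple directories"

    def __init__(self):
        super().__init__()
        self.notes, self.marked = defaultdict(lambda: defaultdict(set)), 0   # pid -> note name -> directories

    def on_call(self, call, process):
        # Copies carry the destination in NewFileName; for writes the handle's path is assumed logged as HandleName.
        arg = "NewFileName" if call["api"].startswith("CopyFile") else "HandleName"
        directory, name = ntpath.split(self.get_argument(call, arg) or "")
        if not name or not NOTE_NAME_RE.search(name):
            return
        dirs = self.notes[process["process_id"]][name.lower()]
        if directory.lower() in dirs:
            return             # repeated write into a directory already counted
        dirs.add(directory.lower())
        if self.marked < self.MAX_MARKED:
            self.mark_call()
            self.marked += 1

    def on_complete(self):
        for pid, notes in self.notes.items():
            for name, dirs in notes.items():
                if len(dirs) >= self.MIN_DIRS:
                    self.data.append({"pid": pid, "note": name, "directories": len(dirs)})
                    self.ret = True
        return self.ret

def sample_processes():
    """Constructed log: one process drops the same note into eight folders (six writes, two copies) plus a config write."""
    note, base = r"\README_FOR_DECRYPT.txt", r"C:\Users\victim"
    calls = [{"api": "NtWriteFile", "args": {"HandleName": base + "\\" + sub + note, "Buffer": NOTE_TEXT}}
             for sub in ("Documents", "Desktop", "Pictures", "Music", "Videos", "Downloads")]
    calls += [{"api": "CopyFileW", "args": {"ExistingFileName": base + r"\Documents" + note, "NewFileName": dest + note}}
              for dest in (r"C:\Users\Public", r"D:\Backups")]
    calls.append({"api": "WriteFile", "args": {"HandleName": r"C:\ProgramData\app\config.ini", "Buffer": b"[settings]\n"}})
    return [{"process_id": 1234, "calls": calls}]

def analyse(processes):
    """Run both signatures over a behaviour log and return them so .ret, .data and .marked_calls can be inspected."""
    msg, mass = RansomwareMessage(), MassRansomNoteDrop()
    msg.run(processes)
    mass.run(processes)
    return msg, mass
```

Calling analyse(sample_processes()) gives the two behaviours the description asks for: RansomwareMessage marks exactly one call, because the first NtWriteFile whose buffer decodes to note text returns True and the engine stops feeding it, while MassRansomNoteDrop marks five calls and reports directories=8 for the note. Real CAPE signatures extend lib.cuckoo.common.abstracts.Signature and read arguments with self.get_argument(call, name); the stand-in keeps those names so the method bodies carry over, but the HandleName/NewFileName argument names and the note-name pattern must be checked against what the monitor actually logs before use.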

@gemini-code-assist (bot) left a review comment
Code Review

This pull request improves the RansomwareMessage signature by expanding the list of indicators and refining its logic. It also introduces a new signature, MassRansomNoteDrop, to detect the mass creation of ransom notes across multiple directories, which is a great addition. The changes in RansomwareMessage correctly switch to string-based matching and cover more API calls. However, there is a potential issue in the on_call method where a detected ransom note write could lead to duplicate findings from the on_complete method. My review includes a suggestion to fix this potential duplication.

Comment on lines +167 to +169
    if len(matches) > 1:
        self.mark_call()
        self.ret = True
        return True
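Review bot: the quoted lines already set self.ret = True before `return True`, so the finding below that on_call "doesn't set self.ret = True" is not borne out by what is shown, and the suggested change (whose before and after text are identical) would alter nothing. If the concern is on_complete re-reporting the same note from the dropped-files list, the guard belongs in on_complete (return early when self.ret is already set) rather than in this branch. Separately, `if len(matches) > 1:` means a note that contains only one indicator string is never matched here; if that is intended, say so in a comment, and if not, the threshold should be `>= 1`.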
Severity: high

The current implementation in on_call marks the API call but doesn't set self.ret = True. This means on_complete will still execute its logic. If a file is written via a hooked API call like NtWriteFile, it will likely also appear in the dropped files list. This can cause the same ransom note to be reported twice: once as a marked call from on_call, and again from on_complete. To prevent this duplication, you should set self.ret = True when a match is found in on_call. This will signal that the signature has already triggered and on_complete should not perform its check.

Suggested change
    if len(matches) > 1:
        self.mark_call()
        self.ret = True
        return True
    if len(matches) > 1:
        self.mark_call()
        self.ret = True
        return True

@kevross33 kevross33 changed the title Fix ransomware message and add new mass write signature Fix ransomware message and add new mass note placement sig Feb 27, 2026
1 participant