GuitarBob
Joined: 09 Jul 2006
Posts: 4935
Location: USA
Posted: Mon Apr 04, 2022 8:51 pm
Below are HDB signatures for ransomware-associated files from the FINM7 malware group.
Copy the signature(s) to a new Notepad or similar text writer file, and save it in the ClamWin database folder as a file named Sigfile.hdb with a file type of “All Files”. Do not save it as a text file. The file name should be Sigfile.hdb and nothing else.
For multiple signatures, put each signature on a separate line in a Notepad file. You can add multiple signatures to the top of an existing HDB signature file. Copy the signatures, add one blank line to the top of the file and paste the signatures there—any additional lines needed will be added. Do not add to the bottom of an existing signature file or you will likely get a ClamWin scanning error. Delete any blank lines between signatures in the file before saving.
After you save the signature file in the ClamWin database folder, scan something with ClamWin to make sure the signature(s) work. If you get a scan error, accept my apology, and delete the signature file from the database folder or delete only the signatures that you just posted to an existing HDB file and re-save it after removing any blank lines in the signature file.
After 4 weeks, the malware will probably be updated, so you can delete the signatures then. The date (USA) and time (24 hr) are the last two items in the signature.
Regards,
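
A pre-save check for the file described in the post above, as an added example that is not part of the original post: it verifies that every line has the `MD5:size:name` form, flags blank lines and duplicate entries, and reports signatures older than the four weeks the post mentions. The function name `check_hdb` and the sample hashes and names are constructed for illustration, and the age check assumes names end in `-MMDDYY.HHMM` as the post's signatures do.

```python
import re
from datetime import datetime, timedelta

# MD5 (32 hex chars) : file size in bytes : signature name
HDB_LINE = re.compile(r"^([0-9a-fA-F]{32}):(\d+):(\S+)$")
# Name suffix used in the post: -MMDDYY.HHMM (USA date, 24-hour time)
STAMP = re.compile(r"-(\d{6})\.(\d{4})$")

def check_hdb(text, now, max_age_days=28):
    """Return a list of (line_number, problem) for an HDB file's contents."""
    problems = []
    seen = set()
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # a single trailing newline is not a blank line
    for num, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r")  # tolerate Windows line endings from Notepad
        if not line.strip():
            problems.append((num, "blank line"))
            continue
        m = HDB_LINE.match(line)
        if not m:
            problems.append((num, "not in MD5:size:name form"))
            continue
        md5, size, name = m.group(1).lower(), int(m.group(2)), m.group(3)
        if (md5, size) in seen:
            problems.append((num, "duplicate hash and size"))
        seen.add((md5, size))
        stamp = STAMP.search(name)
        if stamp:
            try:
                made = datetime.strptime(stamp.group(1) + stamp.group(2), "%m%d%y%H%M")
            except ValueError:
                problems.append((num, "unreadable date/time in name"))
                continue
            if now - made > timedelta(days=max_age_days):
                problems.append((num, "older than %d days" % max_age_days))
    return problems

# Constructed sample: the hashes and names below are made up for illustration.
SAMPLE = (
    "0123456789abcdef0123456789abcdef:7972:Example.Trojan.Agent-040422.1529\n"
    "\n"
    "fedcba9876543210fedcba9876543210:9945:Example.Trojan.Agent-030122.0900\n"
    "not-a-signature-line\n"
)

if __name__ == "__main__":
    print(check_hdb(SAMPLE, now=datetime(2022, 4, 10)))
```

An empty result means the text can be saved as the `.hdb` file; the scan test described in the post still applies afterwards.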