diff --git a/rules/impact/ransom/linux.yara b/rules/impact/ransom/linux.yara
new file mode 100644
index 000000000..cd8e41e87
--- /dev/null
+++ b/rules/impact/ransom/linux.yara
@@ -0,0 +1,82 @@
+rule encrypter: high {
+ meta:
+ description = "probable Linux ransomware encrypter"
+
+ strings:
+ $ENCRYPTER = "ENCRYPTER"
+ $Encrypter = "Encrypter"
+ $f_readdir = "readdir"
+ $f_fopen = "fopen"
+ $f_pthread = "pthread"
+
+ condition:
+ filesize < 1MB and uint32(0) == 1179403647 and any of ($E*) and all of ($f*)
+}
+
+rule esxi_chacha: high {
+ meta:
+ description = "probable Linux ransomware encrypter"
+
+ strings:
+ $E_esxi = "esxi" fullword
+ $E_chacha = "chacha20" fullword
+ $f_readdir = "readdir"
+ $f_fopen = "fopen"
+ $f_pthread = "pthread"
+
+ condition:
+ filesize < 128KB and uint32(0) == 1179403647 and any of ($E*) and all of ($f*)
+}
+
+rule linux_syscalls: high {
+ meta:
+ description = "possible Linux ransomware encrypter"
+
+ strings:
+ $e_Encrypt = "ENCRYPT"
+ $e_crypto = "crypto"
+ $e_encrypt = "encrypt"
+ $e_chacha = "chacha20"
+ $e_Processed = "Processed:"
+ $e_total_files = "Total files"
+ $e_esxi = "esxi" fullword
+ $e_vmsvc = "vmscvc" fullword
+
+ $f_fork = "fork" fullword
+ $f_popen = "popen" fullword
+ $f_strcpy = "strcpy" fullword
+ $f_closedir = "closedir" fullword
+ $f_readdir = "readdir" fullword
+ $f_fopen = "fopen" fullword
+ $f_pthread = "pthread" fullword
+ $f_feof = "feof" fullword
+ $f_opendir = "opendir" fullword
+ $f_seek = "fseek" fullword
+ $f_read = "fread" fullword
+ $f_rename = "rename" fullword
+ $f_atoi = "atoi" fullword
+
+ condition:
+ filesize < 1MB and uint32(0) == 1179403647 and $f_readdir and 85 % of ($f*) and any of ($e*)
+}
+
+rule conti_alike: high posix {
+ meta:
+ description = "Reads directories, renames files, encrypts files"
+ filetypes = "so,elf,macho"
+
+ strings:
+ $readdir = "readdir" fullword
+ $rename = "rename" fullword
+ $enc1 = "encrypted by"
+ $enc2 = "RSA PUBLIC KEY"
+ $enc3 = "Encrypting file"
+ $enc4 = "files_encrypted"
+ $enc5 = "encrypts files"
+ $enc6 = "ENCRYPTER"
+ $not_fscrypt_h = "#define _LINUX_FSCRYPT_H"
+
+ condition:
+ filesize < 512KB and $readdir and $rename and 2 of ($enc*) and none of ($not*)
+}
+
diff --git a/rules/impact/ransom/readdir_rename_encrypt.yara b/rules/impact/ransom/readdir_rename_encrypt.yara
deleted file mode 100644
index 56b616b70..000000000
--- a/rules/impact/ransom/readdir_rename_encrypt.yara
+++ /dev/null
@@ -1,21 +0,0 @@
-rule conti_alike: high posix {
- meta:
- description = "Reads directories, renames files, encrypts files"
- hash_2023_Downloads_06ab = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725"
- hash_2023_Downloads_8b57 = "8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201"
- hash_2023_Downloads_f864 = "f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5"
- filetypes = "so,elf,macho"
-
- strings:
- $readdir = "readdir" fullword
- $rename = "rename" fullword
- $enc1 = "encrypted by"
- $enc2 = "RSA PUBLIC KEY"
- $enc3 = "Encrypting file"
- $enc4 = "files_encrypted"
- $enc5 = "encrypts files"
- $not_fscrypt_h = "#define _LINUX_FSCRYPT_H"
-
- condition:
- filesize < 1MB and $readdir and $rename and any of ($enc*) and none of ($not*)
-}
diff --git a/rules/lateral/vmware/vms.yara b/rules/lateral/vmware/vms.yara
new file mode 100644
index 000000000..d6d54a829
--- /dev/null
+++ b/rules/lateral/vmware/vms.yara
@@ -0,0 +1,12 @@
+rule vmware_vms: medium {
+ meta:
+ description = "gets a list of VMware VM IDs"
+
+ strings:
+ $ref = "vim-cmd"
+ $ref2 = "vmsvc"
+ $ref3 = "getallvm"
+
+ condition:
+ all of them
+}
diff --git a/rules/malware/family/beast.yara b/rules/malware/family/beast.yara
new file mode 100644
index 000000000..fff272464
--- /dev/null
+++ b/rules/malware/family/beast.yara
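Review bot: `$e_vmsvc = "vmscvc" fullword` in rule linux_syscalls appears to be a typo — the token used elsewhere in this commit is `vmsvc` (vms.yara `$ref2`, beast.yara `$vm`), so as written this string can never contribute to `any of ($e*)`; change it to `$e_vmsvc = "vmsvc" fullword`. Rules encrypter and esxi_chacha both carry `description = "probable Linux ransomware encrypter"`, so a hit from either is indistinguishable in scanner output; give the second something like `description = "probable Linux ransomware encrypter (esxi/chacha20 strings)"`. The non-fullword `$e_crypto = "crypto"` and `$e_encrypt = "encrypt"` in linux_syscalls will match ordinary libcrypto linkage, so benign multithreaded file tools that also satisfy `85 % of ($f*)` may trip this high-severity rule; a short comment stating that trade-off, or `fullword` on those two strings, would help the next maintainer. The conti_alike rule relocated here from readdir_rename_encrypt.yara drops the three `hash_2023_*` meta entries the previous version carried, so the sample provenance behind the tightened condition is no longer recorded anywhere in the tree.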
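Review bot: `$ref3 = "getallvm"` in rule vmware_vms is not `fullword` and is one character short of the subcommand spelling used in beast.yara (`vmsvc/getallvms`), so it matches both `getallvm` and `getallvms`; if that prefix match is deliberate, record it with a comment such as `// prefix of getallvms; intentionally not fullword` so it is not "corrected" later. Unlike the other rules added in this commit, the condition `all of them` has no `filesize` bound, so large script bundles or documentation that mention `vim-cmd vmsvc/getallvms` could also match; consider `filesize < 1MB and all of them` if that scope is unwanted.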
@@ -0,0 +1,19 @@
+rule beast: critical {
+ meta:
+ description = "Beast Ransomware"
+ ref = "https://www.cybereason.com/blog/threat-analysis-beast-ransomware"
+
+ strings:
+ $beast = "beast.log" fullword
+ $esxi = "esxi" fullword
+ $chacha20 = "chacha20" fullword
+ $encyrpter = "ENCRYPTER: DAEMON"
+ $note = "Write note in each folder"
+ $note2 = "include note from eXternal file"
+ $default_key = "default.key"
+ $BEAST = "BEASTWASHERE"
+ $vm = "vmsvc/getallvms"
+
+ condition:
+ filesize < 1MB and 80 % of them
+}
diff --git a/test_data/linux/2024.fog/5a99a15406c218fd6862f90ed3534fb8f0a888bb0c5a09192eae01d595f05bc5.elf.simple b/test_data/linux/2024.fog/5a99a15406c218fd6862f90ed3534fb8f0a888bb0c5a09192eae01d595f05bc5.elf.simple
index b01062a75..1671def97 100644
--- a/test_data/linux/2024.fog/5a99a15406c218fd6862f90ed3534fb8f0a888bb0c5a09192eae01d595f05bc5.elf.simple
+++ b/test_data/linux/2024.fog/5a99a15406c218fd6862f90ed3534fb8f0a888bb0c5a09192eae01d595f05bc5.elf.simple
@@ -9,6 +9,7 @@ fs/path/tmp: medium
 fs/symlink_resolve: low
 impact/ransom/note: high
 impact/services/esxcli: critical
+lateral/vmware/vms: medium
 net/p2p/tor: high
 persist/daemon: medium
 process/multithreaded: low
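Review bot: the string identifier `$encyrpter = "ENCRYPTER: DAEMON"` in rule beast misspells "encrypter"; it does not change matching under `80 % of them`, but `$encrypter = "ENCRYPTER: DAEMON"` keeps the identifier consistent with the `$ENCRYPTER`/`$Encrypter` strings in linux.yara and easier to grep. The rule is marked critical yet its meta holds only `ref`; the conti_alike rule deleted in this commit carried `hash_*` entries, and recording the sample hashes this rule was validated against would make the `80 % of them` threshold reproducible when strings are later added or removed. `$esxi`, `$chacha20` and `$vm` duplicate strings from linux.yara's esxi_chacha and vms.yara, so a Beast sample may also raise those lower-severity rules — expected, but worth a one-line comment if the overlap is intentional.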