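/*
 * Abyss_ransomware_1
 *
 * Flags files that start with the "MZ" magic, are smaller than 5MB and
 * contain at least three of the five indicators below: two text strings,
 * one README.<suffix> pattern and two raw byte sequences.
 */
rule Abyss_ransomware_1
{
    meta:
        description = "Detects Abyss ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "d5b4adc1a5b2bb28b09e06bbcf6044cece12b0d93b351ba9e02589843a01bcde"

    strings:
        // Case-insensitive text indicators. Both are generic wording that
        // also appears in benign software, so they are weak on their own.
        $s0 = "Do not modify" nocase
        $s3 = "DECRYPT" nocase

        // "README." followed by 3 to 10 arbitrary characters, case-insensitive.
        $r2 = /README\..{3,10}/i

        // The original pattern ended in a lone nibble ("FD F"), which is not
        // a valid hex string and stops the whole rule from compiling. The
        // known high nibble is kept and the missing low nibble is wildcarded.
        // NOTE(review): restore the exact final byte from the reference
        // sample (see meta.hash) if it can be recovered.
        $h1 = { 89 AD EA 78 79 64 62 19 59 8A 35 86 65 DA C1 C8 22 85 CC A8 FD F? }

        $h4 = { 55 E7 7D A2 66 46 BE 53 4A 80 5A 8F B6 91 FC E0 C5 D3 BA B8 }

    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" DOS/PE header magic.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        // NOTE(review): $s0, $s3 and $r2 together satisfy "3 of them" without
        // either byte sequence matching, so any small MZ file carrying those
        // three generic strings will hit. Validate against a clean-file corpus
        // before using this rule for blocking or automated response.
        3 of them
}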