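/*
 * Signatures for the "Anomaly" ransomware family, one rule per reference
 * sample (see the `hash` meta field of each rule).
 *
 * The hex patterns are opaque byte sequences; nothing here records what they
 * correspond to in the samples. Validate both rules against a goodware
 * corpus before using them for blocking rather than alerting.
 */

rule Anomaly_ransomware_1
{
    meta:
        description = "Detects Anomaly ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "761f6670acf9b17a2a20c07d1839a0f7964eebcb7ca4442851f8a0e9943b0f4c"

    strings:
        // NOTE(review): the original pattern ended in a lone nibble ("83 7"),
        // which is not a valid hex string and stops the whole rule file from
        // compiling. The incomplete trailing byte is dropped; the remaining
        // 20 bytes match every input the intended pattern would have matched.
        // Restore the full byte from the reference sample if it is known.
        $h0 = { A9 B8 B2 86 6A 92 5D AB 0E 7E 47 1C 02 A1 2E BF 2D A2 1B 83 }

        // Base58-style token starting with '1' or '3', 26-35 characters in
        // total: the shape of a legacy Bitcoin address. There is no fixed
        // prefix to anchor on, so this is slow to scan and matches widely on
        // its own; it is only meaningful combined with the other strings.
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        $h2 = { AB ED 83 9C 59 5A 8A FB 37 80 DD FA 5E C1 }

        // "README." followed by any 3-10 characters, case-insensitive.
        // Presumably the ransom-note file name; confirm against the sample.
        $r3 = /README\..{3,10}/i

    condition:
        // PE file (MZ magic at offset 0) under 5 MB in which every string
        // above is present. The original "4 of them" is the same requirement,
        // since the rule defines exactly four strings.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        all of them
}

rule Anomaly_ransomware_2
{
    meta:
        description = "Detects Anomaly ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "3165ec7b466c7d6a74ef94b73558701a4d075bd25d827b65a34710da016bc132"

    strings:
        $h0 = { 69 26 90 F0 EB B2 82 6B 05 }

        // 56 alphanumeric characters followed by ".onion" (the label length
        // of a v3 onion hostname). The class is wider than the base32
        // alphabet [a-z2-7] such hostnames use; narrowing it would reduce
        // false positives, but check how the sample stores the address first.
        $r1 = /[A-Za-z0-9]{56}\.onion/

        $h2 = { 70 3B 4E 4D 71 B7 8B F0 }

    condition:
        // PE file (MZ magic at offset 0) under 5 MB with any two of the three
        // strings. NOTE(review): the two short hex patterns (9 and 8 bytes)
        // satisfy this on their own, without the .onion indicator. Measure
        // the false-positive rate before relying on that combination.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}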