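// Apos Security ransomware detection rules (two rules, one per sample hash).
//
// Fix applied: several hex patterns in the source ended with a lone trailing
// nibble (e.g. "... E0 F"). YARA hex strings are sequences of whole bytes, so
// such a pattern fails to compile. The lone nibble is dropped from each
// affected pattern and recorded in a trailing comment so the original value is
// not lost; re-extract the pattern from the referenced sample if the full byte
// is needed.
//
// Both rules combine sample-specific hex fragments ($h*) with generic text
// patterns (README.<ext> ransom-note names, a base58/Bitcoin-address shape).
// The generic patterns are weak on their own and can be satisfied by benign
// files; treat a hit that rests only on them as low confidence.

rule Apos_Security_ransomware_1
{
    meta:
        description = "Detects Apos Security ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9abef4b6daa7b13efec5de44beb5a5ac025baf49fb83b50d201619be6de57a56"

    strings:
        // Byte fragments taken from the sample referenced in meta.hash.
        $h0 = { C7 A5 C1 A8 11 17 CB 8F DC 25 EC CD D9 C9 32 DF 60 2C CA E0 }   // source ended with lone nibble "F"
        $h1 = { 32 A6 9E C3 99 E9 45 E6 6D B3 06 39 }                           // source ended with lone nibble "F"
        // Family name and extension as strings; nocase covers mixed-case variants.
        $s2 = "Apos Security" nocase
        $s3 = ".apos_security" nocase   // presumably the extension appended to encrypted files — confirm against the sample
        $h4 = { CE 4A C2 11 40 5C BE 6B 87 8F E8 E4 19 89 84 02 83 }            // source ended with lone nibble "3"
        // Generic ransom-note filename shape; matches any "README.<3-10 chars>",
        // so it is common in benign binaries and adds little on its own.
        $r5 = /README\..{3,10}/i
        $h6 = { 62 1E 93 E1 2D BC 88 B2 74 A3 }
        // The source also declared $r7 with exactly the same regex as $r5.
        // A duplicate string counts twice toward "N of them" and effectively
        // lowered the threshold whenever a README.* name was present, so it is
        // removed; the condition below is therefore slightly stricter than the
        // source (4 of 7 distinct strings instead of 4 of 8 with a duplicate).

    condition:
        // MZ header, size cap to skip large installers/archives, then the
        // string threshold.
        uint16(0) == 0x5A4D and filesize < 5MB and 4 of them
}

rule Apos_Security_ransomware_2
{
    meta:
        description = "Detects Apos Security ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7d3a473f48c498026d432064044c7f7f539ca3343785b9470fa2c0647dab25ed"

    strings:
        // Byte fragments taken from the sample referenced in meta.hash.
        $h0 = { 69 47 57 B3 69 9F 12 BF 52 BB EB CD 37 3D FB 96 F0 D0 45 DC F4 }   // source ended with lone nibble "6"
        $h1 = { 66 29 B0 C6 BC EA 5D 9C 60 DA 5A DF E6 00 81 B0 88 72 FC D8 5F }   // source ended with lone nibble "0"
        $h2 = { 53 E7 A4 D5 CE F5 42 CF F1 76 31 }
        // Generic ransom-note filename shape (see rule 1).
        $r3 = /README\..{3,10}/i
        $h4 = { 04 62 B5 2C F3 15 6B A5 C2 B7 09 8A }                              // source ended with lone nibble "8"
        // Base58 run starting with 1 or 3, i.e. the shape of a legacy Bitcoin
        // address. Unanchored (no fullword / boundary), so it also fires on
        // base64 blobs and other alphanumeric runs embedded in PE files.
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        // NOTE(review): with two generic patterns ($r3, $r5) among six strings,
        // "3 of them" can be met by a single hex fragment plus both generics.
        // If false positives appear, consider additionally requiring
        // "2 of ($h*)"; kept as in the source here.
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}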