/*
 * AresData_ransomware_1
 *
 * Flags small Windows executables (MZ magic at offset 0, under 5MB) that
 * carry a combination of ransom-note style indicators. The meta section
 * records one reference SHA-256; the rule itself never compares hashes.
 *
 * Weighting: the address pattern $r1 counts as two indicators. With it, two
 * of the remaining four are enough; without it, all four are required.
 */
rule AresData_ransomware_1
{
    meta:
        description = "Detects AresData ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "10330e5e3259f68302d89918d40a64b978f767ac13638761dc16d713365ebfd5"

    strings:
        // None of the text strings or regexes carry the `wide` modifier, so
        // only single-byte (ASCII) occurrences match.
        // NOTE(review): UTF-16 copies of these strings inside a PE would be
        // missed - confirm against the reference sample.

        // Presumably the extension appended to encrypted files - confirm.
        $s0 = ".aresdata" nocase

        // '1' or '3' followed by 25-34 characters from the base58 alphabet
        // (no 0, O, I, l): the shape of a legacy Bitcoin address.
        // NOTE(review): the pattern is unanchored, so it also hits inside any
        // longer alphanumeric run; treat it as a weak signal on its own.
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // Presumably the label preceding a Tox contact ID in the note - confirm.
        $s2 = "TOX:" nocase

        // Eight-byte sequence; its meaning is not documented on this page.
        // Presumably taken from the sample named in meta.hash - confirm.
        $h3 = { 8C 1A 85 AA 27 0F 47 70 }

        // "README." plus 3-10 further characters, case-insensitive. The
        // suffix is unconstrained, so common file names match as well.
        $r4 = /README\..{3,10}/i

    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" DOS/PE magic.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (
            ($r1 and 2 of ($s0, $s2, $h3, $r4)) or
            all of ($s0, $s2, $h3, $r4)
        )
}