rule Babuk_ransomware_1 {
    meta:
        description = "Detects Babuk ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b6ed7b81cfb5d0db97475b94e3620e9221545ccdb0242419b06644163c49effb"

    strings:
        $s0 = "Do not rename" nocase
        $r1 = /README\..{3,10}/i
        $r2 = /README\..{3,10}/i
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $r4 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}