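/*
 * Cartel_ransomware_1
 *
 * Flags Windows PE files (MZ magic at offset 0) smaller than 5MB that contain
 * at least three of the six strings below: three byte patterns ($h0, $h3, $h5)
 * and three ransom-note style text indicators ($r1, $s2, $s4).
 * The reference sample is the SHA-256 recorded in meta.hash.
 *
 * NOTE(review): $r1, $s2 and $s4 are generic, and $s4 matches whenever $r1
 * does, so any small PE containing e.g. "readme.txt" and "encrypted" satisfies
 * "3 of them" without a single byte pattern matching. Consider requiring
 * `any of ($h*)` in the condition after validating against a goodware set.
 * The condition is left unchanged here so existing match semantics are kept.
 */
rule Cartel_ransomware_1
{
    meta:
        description = "Detects Cartel ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "79f1e48f2310943a525389fdb067464e11de88ae60fc9928a2bd11c73eaa07c4"

    strings:
        $h0 = { 41 63 0A 3C 44 BD 96 CD 82 96 90 97 10 D4 38 44 }

        // Text indicators are ASCII-only as written (no `wide` modifier),
        // so UTF-16 copies of these strings are not matched.
        $r1 = /README\..{3,10}/i
        $s2 = "ENCRYPTED" nocase

        // The published pattern ended in a lone hex digit ("... 53 1"), which
        // YARA rejects because every byte needs two hex digits. The truncated
        // trailing nibble is dropped so the rule compiles; the remaining
        // 15-byte prefix still matches everything the full pattern would.
        // TODO: regenerate the full pattern from the reference sample.
        $h3 = { 75 4E 79 FD 11 D2 0C 05 EC 96 E3 41 9A CA 53 }

        $s4 = "README" nocase

        // Same truncation as $h3 ("... 6F 4"); trailing nibble dropped,
        // leaving a 20-byte prefix of the intended pattern.
        $h5 = { 2A A0 B4 19 59 D9 80 B6 18 26 96 0E 9F 00 1B BA 7D FF E2 6F }

    condition:
        // 0x5A4D is "MZ" read as a little-endian 16-bit value at offset 0.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}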