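/*
 * Chaos_ransomware_1
 *
 * Matches PE files smaller than 5MB that contain at least three of the
 * seven indicators below (four text strings, one regex, two byte patterns).
 *
 * Change from the original: $h3 ended in a dangling single nibble ("0B 8"),
 * which is not a valid hex-string token and stops the rule from compiling.
 * The incomplete trailing byte is dropped here; the 22 complete bytes are
 * kept unchanged.
 * NOTE(review): the lost nibble could be recovered as "8?" or "?8" only by
 * checking the sample in meta.hash - confirm before extending the pattern.
 */
rule Chaos_ransomware_1
{
    meta:
        description = "Detects Chaos ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "d8d9639268aad84f3b91a4b71dcf9143bda932da005bc708a920bcb874e44c81"

    strings:
        // Text indicators. No "wide" modifier is set, so only single-byte
        // (ASCII) encodings match.
        // NOTE(review): if the sample stores these as UTF-16, add "wide" -
        // confirm against the sample.
        $s0 = "BITCOIN" nocase
        $s1 = ".chaos" nocase

        // "README." followed by 3-10 arbitrary non-newline bytes. The tail is
        // not restricted to filename characters, so in practice this matches
        // almost any occurrence of "README.".
        $r2 = /README\..{3,10}/i

        // Byte patterns. Provenance is not stated in the rule; presumably
        // taken from the sample in meta.hash - TODO confirm.
        $h3 = { 68 C9 59 EC E6 21 C3 77 FD 16 27 A6 2E CB D8 6D 58 4D 42 79 5E 0B }

        $s4 = "AES-256" nocase
        $h5 = { F6 65 BF 74 04 69 0C 19 55 }
        $s6 = "RECOVER" nocase

    condition:
        // 0x5A4D at offset 0 is the "MZ" DOS/PE header magic.
        // NOTE(review): "3 of them" is satisfied by three of the generic
        // indicators alone ($s0, $r2, $s4, $s6) with no family-specific
        // string or byte pattern present, so unrelated PE files that mention
        // these terms can match. Consider additionally requiring one of
        // $s1, $h3 or $h5 after validating against the sample and a
        // goodware set.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}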