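/*
 * Cloak_ransomware_1
 *
 * Matches files that start with the "MZ" magic, are smaller than 5 MB, and
 * contain at least two DISTINCT indicators from the strings section.
 *
 * NOTE(review): two of the four indicators ($r0, $s2) are generic text that
 * also appears in benign installers and crypto libraries. Validate the rule
 * against a goodware corpus before alerting on it, and treat hits that do not
 * involve $h3 or $r4 as low confidence.
 */
rule Cloak_ransomware_1
{
    meta:
        description = "Detects Cloak ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f811299561a06a86a68ea883f5a7b45eb993f1d0464849d9f922e0b344c6c616"

    strings:
        // Ransom-note style file name: "README." plus 3-10 arbitrary
        // characters, case-insensitive. Declared once only: a second
        // identical pattern would let a single README hit count as two
        // indicators and satisfy "2 of them" on its own.
        $r0 = /README\..{3,10}/i

        // Cipher name as plain ASCII text, any letter case.
        $s2 = "AES-256" nocase

        // 16-byte sequence. Provenance is not stated in the rule; presumably
        // taken from the sample in meta.hash. Confirm before relying on it.
        $h3 = { DB 03 C2 D3 2F 39 46 EA B0 65 24 C3 F0 90 39 A9 }

        // 56 alphanumeric characters followed by ".onion", the label length
        // of a v3 onion hostname.
        $r4 = /[A-Za-z0-9]{56}\.onion/

    condition:
        // uint16(0) reads the first two bytes little-endian; 0x5A4D is "MZ".
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}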