// Three string-based signatures for Cl0p ransomware in Windows PE files.
// Every rule first checks for the "MZ" magic at offset 0, then counts string hits.

// Clop_Ransomware: fires on a PE file containing any two of four literals.
// NOTE(review): there is no filesize bound, and the two shortest literals
// ("Cl0p" and ".Clop") are enough on their own to satisfy the condition.
// Check the false-positive rate against a clean-file corpus before alerting on it.
rule Clop_Ransomware
{
    meta:
        description = "Detects Cl0p ransomware"
        author = "Security Research"

    strings:
        // Matched case-sensitively as single-byte ASCII only; UTF-16 ("wide")
        // copies of the same text are not covered by these definitions.
        $s1 = "ClopReadMe" ascii
        $s2 = "Cl0p" ascii
        $s3 = ".Clop" ascii
        $s4 = "YOUR NETWORK HAS BEEN PENETRATED" ascii

    condition:
        // 0x5A4D is "MZ" read as a little-endian 16-bit value.
        uint16(0) == 0x5A4D
        and 2 of ($s*)
}

// Cl0p_ransomware_1: PE file under 5MB with any three of five patterns.
// The meta hash names the reference sample; the hex patterns carry no wildcards
// and presumably come from that sample (verify against it), so a rebuilt or
// repacked variant may not match them.
rule Cl0p_ransomware_1
{
    meta:
        description = "Detects Cl0p ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "fd2a584a88c8aa1c82b35ce89be3fce0a87dc09f4487ca3d11a4038a58e547c1"

    strings:
        // Generic text tokens. Together they supply two of the three required
        // hits, so a single hex pattern is then enough to trigger the rule.
        $s0 = "::::"                // punctuation only, so no nocase modifier is needed
        $s1 = "RECOVER" nocase

        // Fixed byte sequences of 18, 17 and 14 bytes.
        $h2 = { DD 74 55 81 57 FB 5B EF 7C D0 A0 99 26 70 84 F9 57 A3 }
        $h3 = { 77 B7 26 D7 17 B2 A3 08 F0 40 AA 2E A3 B4 B1 52 40 }
        $h4 = { D6 FB 44 83 AC 36 25 C3 13 EA E2 84 E1 FC }

    condition:
        uint16(0) == 0x5A4D
        and filesize < 5MB
        and 3 of ($s*, $h*)
}

// Cl0p_ransomware_2: PE file under 5MB in which all four patterns occur.
// Only $h3 is specific. The other three are common text, so detection depends
// on that single 19-byte sequence being present unchanged.
rule Cl0p_ransomware_2
{
    meta:
        description = "Detects Cl0p ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "e5f2d819fd0b24540b3620751200a980535d121955b8e66d0d3efc382cf7d469"

    strings:
        // Case-insensitive "README." followed by 3 to 10 arbitrary characters.
        // Three trailing characters already satisfy it, so the upper bound
        // does not narrow what matches.
        $r0 = /README\..{3,10}/i
        $s1 = "YOUR FILES" nocase
        $s2 = "!!!"                 // punctuation only, so no nocase modifier is needed
        $h3 = { B4 0A 93 77 F0 4E B5 D7 60 9C 95 F1 CA A6 74 88 B0 EB ED }

    condition:
        uint16(0) == 0x5A4D
        and filesize < 5MB
        and all of them             // the rule defines exactly four strings
}