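/*
 * Flags small Windows PE files (MZ header, under 5MB) that contain a
 * README.<ext> reference plus at least two of: the word "BITCOIN", a
 * 56-character .onion hostname, or a sample-specific byte sequence.
 *
 * Triage note: $r0, $s1 and $r3 are generic ransom-note indicators, not
 * family-specific ones. Only $h4 ties a hit to the sample in `hash`, and
 * the condition can be met without it. Treat a match as a lead to confirm
 * against the reference hash, not as attribution.
 */
rule Cl0p_MOVEit_Campaign_ransomware_1
{
    meta:
        description = "Detects Cl0p MOVEit Campaign ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "cc01be9ca2e372a5d2076b2e0857f5389e2d53eabf0d5c8ac2b5637c8531b0f9"

    strings:
        // "README." followed by 3-10 non-newline bytes, case-insensitive.
        // The original rule defined this regex twice ($r0 and $r2), so a
        // single README hit counted as two of the "4 of them". The duplicate
        // is removed and the condition below states the same logic explicitly.
        $r0 = /README\..{3,10}/i

        // ASCII only; a UTF-16 copy of the word is not matched.
        $s1 = "BITCOIN" nocase

        // 56 characters before ".onion" is the v3 onion-address length.
        // NOTE(review): v3 addresses are base32 (a-z, 2-7); this class is
        // broader than needed. Left unchanged to keep existing coverage.
        $r3 = /[A-Za-z0-9]{56}\.onion/

        // The published pattern ended in a lone nibble "C", which is not a
        // valid hex-string token and stops the rule from compiling. The final
        // byte is kept as the mask C? (high nibble known, low nibble unknown)
        // rather than guessed. Re-extract the full sequence from the sample
        // in `hash` to restore the exact byte.
        $h4 = { 33 BB 42 FB 5E F2 7B 66 07 E9 59 31 B9 BB CE E2 51 BC C? }

    condition:
        // uint16(0) == 0x5A4D : file starts with "MZ" (DOS/PE header).
        // With $r0/$r2 identical, "4 of them" could only be satisfied when
        // the README regex matched together with two of the other three.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        $r0 and
        2 of ($s1, $r3, $h4)
}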