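/*
 * DeadBolt ransomware detection rules (three variants, one per reference hash).
 *
 * Review notes that apply to all three rules:
 *  - Several hex strings in the source ended in a lone nibble (for example
 *    "... 0D 2 }"). YARA rejects an odd number of hex digits, so the rule set
 *    did not compile. Those patterns are cut at the last complete byte here;
 *    this only shortens the pattern and cannot miss anything the full pattern
 *    would have matched.
 *  - NOTE(review): every condition requires an MZ header at offset 0. DeadBolt
 *    is publicly reported against NAS appliances; confirm that the reference
 *    samples named in `hash` are PE files. If they are ELF, this gate stops
 *    all three rules from ever matching.
 *  - NOTE(review): the hex strings carry no annotation of what they match
 *    (code, config, packed data). Verify them against the reference samples
 *    before relying on them.
 */

rule DeadBolt_ransomware_1
{
    meta:
        description = "Detects DeadBolt ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "3c39ca86caf41b8c590f9b0d539cb7cc614ddc0f4c940b258777061360c8d015"

    strings:
        // Ransom-note style keywords; individually these are low-signal.
        $s0 = "DeadBolt" nocase
        $s1 = "DECRYPT" nocase
        $s2 = "TOX:" nocase

        // Trailing lone nibble "2" removed (invalid hex string in the source).
        $h3 = { 04 56 68 EE 02 69 1E 2F 21 4B D8 9C 6F B6 BA 99 5D 8C 07 98 3D 0D }
        // Trailing lone nibble "E" removed.
        $h4 = { 2C DE 19 BF 2E 34 BC 89 73 20 09 FD FC D0 9D 31 }

        // Base58-shaped run starting with 1 or 3 (legacy Bitcoin address shape).
        // Unanchored, so it also hits ordinary alphanumeric runs in many binaries.
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // Trailing lone nibble "B" removed.
        $h6 = { 0C D1 BA 85 BD 1E 2F 80 F7 97 0F 12 07 C9 1E 29 43 6B C1 9F 7E BA }
        $h7 = { E6 1D D1 C1 1F 6B F8 1B 78 AF FA 69 F7 6C A4 E8 11 5E 85 B3 44 62 22 }

    condition:
        // PE magic, size cap, then any four of the eight strings.
        // Four of the generic ones ($s1, $s2, $r5 plus one more) are enough to
        // fire, so expect false positives until the threshold is validated.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}

rule DeadBolt_ransomware_2
{
    meta:
        description = "Detects DeadBolt ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f424ea86a2ffb5fabd16aa205b5d8cef7687dc12a5d847bea8f7145ee847325f"

    strings:
        // Trailing lone nibble "0" removed (invalid hex string in the source).
        $h0 = { 42 53 44 57 9C 52 56 25 25 22 39 D3 B0 60 81 }
        $s1 = "Do not modify" nocase
        $h2 = { 60 2D 69 67 3B A7 EC F0 DA E5 FC 3B 55 44 14 46 12 03 28 88 5B C0 6D }
        $h3 = { 17 81 14 32 FD CE 5A 95 31 80 A8 0F 85 1D 4D 0B A9 89 FD 9D }

    condition:
        // PE magic, size cap, then any two of the four strings.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

rule DeadBolt_ransomware_3
{
    meta:
        description = "Detects DeadBolt ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "8c6ec49245d0ff32bd728e00430324dcaf821f3a1fb1923975e203de7df7aa58"

    strings:
        // Trailing lone nibble "6" removed (invalid hex string in the source).
        $h0 = { 81 87 26 8A 2A 22 74 22 1C 08 0B E7 5E 7C 8B AB 22 EA 86 C9 }
        $s1 = "YOUR FILES" nocase
        $s2 = "TOX:" nocase
        $r3 = /README\..{3,10}/i
        // 56 alphanumerics followed by ".onion" (v3 onion address length).
        $r4 = /[A-Za-z0-9]{56}\.onion/
        // Four colons: very common in unrelated data, adds little on its own.
        // `nocase` dropped because the string has no letters.
        $s5 = "::::"
        // Same unanchored Bitcoin-address shape as in DeadBolt_ransomware_1.
        $r6 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h7 = { EE F3 21 39 2C C6 4B 46 07 56 77 55 5D F9 4E F0 E1 C3 A8 CE 6C 34 }

    condition:
        // PE magic, size cap, then any four of the eight strings.
        // $s2, $r3, $s5 and $r6 together satisfy this without any
        // family-specific content, so validate against a clean corpus.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}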