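/*
 * DeltaAttack_ransomware_1
 *
 * Flags Windows PE files smaller than 5 MB that contain a legacy
 * (Base58, leading "1" or "3") Bitcoin-address-shaped string AND at least
 * two of: byte pattern $h0, byte pattern $h1, a "README.<ext>" file name.
 *
 * Review notes:
 *  - The original declared the Bitcoin regex twice ($r2 and $r4) and used
 *    "4 of them". The duplicate counted double, so the rule could only fire
 *    when the regex matched plus two of the remaining three strings. The
 *    duplicate is removed and that same logic is written out explicitly.
 *  - $r2 and $r3 are weak, unanchored indicators: any 26-35 character
 *    Base58 run starting with 1 or 3, or any "README." followed by 3-10
 *    characters, will satisfy them. Specificity rests on $h0/$h1; the
 *    condition always requires at least one of the two.
 *  - The page does not say what $h0/$h1 correspond to in the sample named in
 *    meta.hash; validate them against that sample and a goodware corpus
 *    before deploying the rule for blocking.
 */
rule DeltaAttack_ransomware_1
{
    meta:
        description = "Detects DeltaAttack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7de0f8ec430be246ffd39c7de30251e21a9565d407e8f3492796bddd9862e627"

    strings:
        $h0 = { 01 C9 D7 73 1F 58 C1 58 8C EF 45 9C 6D 79 F8 56 06 81 53 4D 13 BB 84 AE }

        // The published pattern ended in a dangling half byte ("... B8 B"),
        // which YARA rejects at compile time. The incomplete byte is dropped;
        // re-extract the full sequence from the sample in meta.hash if the
        // extra byte is needed.
        $h1 = { 46 0F E8 49 79 FC 78 D7 1D E7 2B B8 }

        // Legacy Bitcoin address shape (Base58 alphabet, no 0/O/I/l).
        // No fixed literal anchors this regex, so it is expensive to scan and
        // prone to matching random encoded data.
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // Ransom-note style file name, case-insensitive.
        $r3 = /README\..{3,10}/i

    condition:
        uint16(0) == 0x5A4D and      // "MZ" header: PE files only
        filesize < 5MB and
        $r2 and
        2 of ($h0, $h1, $r3)
}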