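// Dharma/CrySIS ransomware detection rules.
//
// NOTE(review): apart from the per-sample byte patterns ($h*), every string
// below is generic ransom-note vocabulary (YOUR FILES, PAYMENT, BITCOIN,
// .onion / TOX contact details) that many ransomware families share.  Treat a
// hit as "ransomware-like PE", not as positive Dharma/CrySIS attribution, and
// confirm against the sample hash recorded in each rule's meta before acting.
//
// Repairs relative to the original ruleset (each explained inline):
//   * two hex strings ended on a dangling single nibble, which YARA rejects
//     as an invalid hex string -- the low nibble is now wildcarded;
//   * rules 2 and 3 declared the same .onion regex twice, so one onion
//     address counted twice toward "N of them" and silently lowered the
//     effective threshold -- the duplicates are removed;
//   * text strings match both ASCII and UTF-16 (Windows binaries commonly
//     store note text as wide strings) and the Bitcoin-address regex is
//     word-bounded to avoid firing inside unrelated base58/base64/hex blobs.

rule Dharma_CrySIS_ransomware_1
{
    meta:
        description = "Detects Dharma/CrySIS ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "11487448095aaf187373de51ab7916fc34145a88dd8e723288b826799da72d9a"

    strings:
        // Ransom-note vocabulary; matched in both widths.
        $s0 = "YOUR FILES" nocase ascii wide
        $h1 = { E0 C5 E0 86 40 8A 07 7B D9 46 6B 01 4D 76 FA F3 F3 FA 79 }
        $h2 = { FC DD 0D 24 9C 98 DF 42 A5 }
        // The last byte of this pattern was truncated to a single nibble in
        // the source ("DF 4"), which YARA will not compile.  The low nibble is
        // wildcarded as a conservative repair; re-derive the full byte from the
        // sample in `hash` before relying on this pattern alone.
        $h3 = { 84 84 17 35 62 3C 2F A4 17 B3 59 DC 50 5B 33 4D CD 3B 76 51 DF 4? }
        $s4 = "TOX:" nocase ascii wide
        // Family name as a literal.  Samples rarely name themselves, so this
        // string is expected to contribute little in practice -- left in so
        // the rule's string set stays as the author published it.
        $s5 = "Dharma/CrySIS" nocase ascii wide

    condition:
        // MZ header, small PE, and at least 4 of the 6 indicators above.
        uint16(0) == 0x5A4D and filesize < 5MB and 4 of them
}

rule Dharma_CrySIS_ransomware_2
{
    meta:
        description = "Detects Dharma/CrySIS ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "fcbd80c1e747d76c4e15108e7f330d7f86e5d5644353d1d90496c7b1af2d9607"

    strings:
        $s0 = "Do not modify" nocase ascii wide
        // Trailing nibble was truncated in the source ("05 6"); wildcarded as
        // in rule 1 -- confirm the full byte against the sample in `hash`.
        $h1 = { F4 82 A0 55 66 95 F4 2C 05 6? }
        // The source declared this regex twice ($r2 and $r3).  With
        // "2 of them", a single .onion address satisfied both copies, so one
        // onion string plus the MZ/size check was enough to fire.  Keeping one
        // copy restores the intended threshold of two distinct indicators.
        $r2 = /[A-Za-z0-9]{56}\.onion/
        $s4 = "PAYMENT" nocase ascii wide

    condition:
        // Two generic phrases ("Do not modify" + "PAYMENT") are still enough
        // to match, so expect false positives on legitimate installers and
        // business software.  Corroborate with the other rules or with sandbox
        // behaviour (mass file rename/encryption) before acting on a hit.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}

rule Dharma_CrySIS_ransomware_3
{
    meta:
        description = "Detects Dharma/CrySIS ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "686a84ea22fb9f5d007702cd4443702c736c6f34839d1e9d5c01c9dfbea17b5c"

    strings:
        $s0 = "BITCOIN" nocase ascii wide
        // Legacy (P2PKH / P2SH) Bitcoin address.  Word boundaries stop the
        // pattern matching a 25-34 character window inside longer
        // base58/base64/hex blobs, which are common in PE data sections.
        // bech32 ("bc1...") addresses are not covered by this pattern.
        $r1 = /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
        $s2 = "RSA-2048" nocase ascii wide
        // Declared twice in the source ($r3 / $r4); one copy so that a single
        // onion address counts once toward "3 of them".
        $r3 = /[A-Za-z0-9]{56}\.onion/
        // Ransom-note filename stem.  "README.<ext>" also occurs in benign
        // installers and SDK bundles, so it only counts in combination.
        $r5 = /README\..{3,10}/i

    condition:
        // MZ header, small PE, and at least 3 of the 5 indicators above.
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}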