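/*
 * DiscordLock_ransomware_1
 *
 * Flags PE files under 5 MB that contain a fixed 16-byte sequence, the
 * string "ENCRYPTED" (any case) and a legacy-Bitcoin-address-shaped token.
 *
 * Each pattern is declared once. A pattern repeated under a second
 * identifier counts twice toward an "N of them" threshold, so a rule
 * written as "3 of them" would fire on only two distinct indicators and
 * could match without the byte sequence, the only sample-specific string.
 *
 * NOTE(review): the provenance of the byte sequence is not documented in
 * the rule. Validate against the sample in meta.hash and a clean-file
 * corpus before deploying.
 */
rule DiscordLock_ransomware_1
{
    meta:
        description = "Detects DiscordLock ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "50d132b929b9b24511f520725eb829e257fb1e79d8be4c24e916c10e52507ee1"

    strings:
        // Fixed byte sequence; the only pattern here that is not generic text.
        $h0 = { 29 0D 56 49 0F 70 93 88 98 94 EB 7E 36 F0 E9 34 }

        // Generic marker word; common in benign software, weak on its own.
        $s1 = "ENCRYPTED" nocase

        // '1' or '3' followed by 25-34 Base58 characters (26-35 in total),
        // the shape of a legacy Bitcoin address. It is unanchored and does
        // not verify a checksum, so it also matches inside longer
        // alphanumeric runs; treat it as supporting evidence only.
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        // 0x5A4D at offset 0 is the "MZ" DOS/PE header.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        // Three distinct indicators, i.e. the written "3 of them" threshold.
        all of them
}

/*
 * DiscordLock_ransomware_2
 *
 * Flags PE files under 5 MB that contain the family name, two fixed byte
 * sequences and a README.<ext>-style file name.
 *
 * As in the rule above, each pattern is declared once so that the
 * threshold counts distinct indicators.
 *
 * NOTE(review): the provenance of the byte sequences is not documented in
 * the rule. Validate against the sample in meta.hash and a clean-file
 * corpus before deploying.
 */
rule DiscordLock_ransomware_2
{
    meta:
        description = "Detects DiscordLock ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b86ec3718055bf135865713ceca089346310462a27f77eb2ffa7fbdd3a17fce4"

    strings:
        // Family name, matched case-insensitively.
        $s0 = "DiscordLock" nocase

        // Fixed byte sequences (23 and 21 bytes).
        $h1 = { 12 7F 04 A7 83 71 E9 02 EE 98 E0 3D 8A DC 4E 11 C0 A4 AB C3 96 5A 29 }
        $h3 = { 1D 6E 51 AE C4 EC 8B C0 3F 7C 8A 8B 29 FA 13 17 07 8E C3 EB 4D }

        // "README." followed by 3-10 arbitrary non-newline characters,
        // case-insensitive. Very generic; supporting evidence only.
        $r2 = /README\..{3,10}/i

    condition:
        // 0x5A4D at offset 0 is the "MZ" DOS/PE header.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        // Four distinct indicators, i.e. the written "4 of them" threshold.
        all of them
}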