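// Three YARA rules for Windows PE files attributed to Epsilon ransomware.
// Every rule first checks for the "MZ" magic at offset 0 (uint16 0x5A4D, little-endian)
// and a file size under 5MB before the string logic is evaluated.
//
// NOTE(review): three hex patterns in the source ended in a lone nibble, which the
// YARA compiler rejects. The incomplete trailing byte is dropped in each case (marked
// below), so the remaining pattern is a prefix of the intended one. Re-extract from
// the sample named in meta.hash to restore the full byte.

// Rule 1: ransom-note style indicators, anchored by sample-specific byte patterns.
rule Epsilon_ransomware_1
{
    meta:
        description = "Detects Epsilon ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "984f1312125c3d582bfabc8036e77d299d3f0fbf83f87747e778c7509858ea30"

    strings:
        // Base58 run starting with 1 or 3 (legacy Bitcoin address shape). There is no
        // literal atom for the scanner to key on, so this is slow and matches many
        // unrelated alphanumeric runs; it is never sufficient on its own.
        // The source defined this regex twice ($r0 and $r6), which let a single hit
        // satisfy "2 of them"; the duplicate is removed.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Trailing lone nibble "7" dropped (see file header note).
        $h1 = { 25 9F BC F7 1D DC 8E A4 54 }
        $s2 = "RSA-2048" nocase
        $h3 = { E9 FE 6D 6C 0B 61 F0 07 0E BE }
        $s4 = "DECRYPT" nocase
        // Trailing lone nibble "D" dropped (see file header note).
        $h5 = { 56 13 E6 C8 25 DB 8C AF 3A 33 5C 9E 47 B2 DE }

    condition:
        // "RSA-2048", "DECRYPT" and an address-shaped string appear in other ransomware
        // families and in legitimate crypto tooling, so a pair of those alone would
        // mislabel unrelated files as Epsilon. Require at least one byte pattern.
        // NOTE(review): confirm the byte patterns against the sample in meta.hash.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        1 of ($h*) and
        2 of them
}

// Rule 2: byte pattern plus a Tor hidden-service reference.
rule Epsilon_ransomware_2
{
    meta:
        description = "Detects Epsilon ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f88c77de8efbea70ffad82c7910cee5c44bd5227f146102f5ee22f218e4aa5eb"

    strings:
        // Trailing lone nibble "0" dropped (see file header note).
        $h0 = { AB 09 64 24 45 98 28 B5 01 1D }
        // 56 alphanumeric characters followed by ".onion" (v3 onion address length).
        // v3 addresses are base32, so [a-z2-7] would be a tighter class if the sample
        // stores the address in lower case -- TODO confirm before narrowing.
        $r1 = /[A-Za-z0-9]{56}\.onion/
        $s2 = ".onion" nocase

    condition:
        // Every $r1 hit is also a $s2 hit, so the source's "2 of them" fired on any
        // small PE that embeds one onion address (Tor clients included). The byte
        // pattern is now mandatory and the onion reference is the second indicator.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        $h0 and
        1 of ($r1, $s2)
}

// Rule 3: two byte patterns and a ransom-note phrase; any two must be present, so
// every matching combination already includes at least one byte pattern.
rule Epsilon_ransomware_3
{
    meta:
        description = "Detects Epsilon ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "814f84e8936932763064e75ae71a6eb5222baa1aece389e1faf1c833eb90b39c"

    strings:
        $h0 = { C3 DF B6 0C 09 ED 0B EE FF 2D D9 FA 65 36 F8 C0 5A }
        $h1 = { FD D8 70 C9 59 0F E3 26 65 75 7E 7B 77 A8 07 97 C9 B9 C7 }
        $s2 = "Do not rename" nocase

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}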