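// Flags small Windows PE files that combine a byte pattern taken from the
// referenced sample with generic ransom-note indicators (a Bitcoin-address-shaped
// token, payment / cipher wording, an onion hostname).
rule Error_ransomware_1
{
    meta:
        description = "Detects Error ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f15779f8dbcb954d51656753de466ecbed24009384fcf5c3247f059e7fa3f0cd"

    strings:
        // The original pattern ended in a lone nibble ("... 15 06 8"), which YARA
        // rejects because hex strings must be byte-aligned. The low nibble of the
        // final byte is unknown here, so it is wildcarded.
        // NOTE(review): replace "8?" with the full byte from the sample if available.
        $h0 = { D0 C9 48 DA F1 94 03 87 C7 EB 57 F5 39 70 15 06 8? }

        // Shape of a legacy Base58 Bitcoin address (leading 1 or 3). The pattern is
        // unanchored, so it can also match inside longer alphanumeric runs.
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // Generic ransom-note vocabulary; weak signals on their own.
        $s2 = "PAYMENT" nocase
        $s3 = "AES-256" nocase

        // 56-character label followed by ".onion" (the length of a v3 onion host).
        // The character class is wider than the base32 alphabet (a-z, 2-7) that
        // real v3 addresses use.
        $r4 = /[A-Za-z0-9]{56}\.onion/

    condition:
        // "MZ" header and a size cap keep the scan to small PE files.
        // NOTE(review): "3 of them" can be met by $r1 + $s2 + $s3 alone, none of
        // which is specific to this family; validate against a clean-file corpus
        // and consider requiring $h0 if false positives appear.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}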