rule Flux_ransomware_1 {
    meta:
        description = "Detects Flux ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "4ba6810ed7a3c87529c253aac26ca4d232f442b57fce9319744d6fc022464359"

    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $s1 = "RSA-2048" nocase
        $h2 = { 97 C6 4B 77 0C 28 D1 61 4F 94 0C 71 DE 7 }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

rule Flux_ransomware_2 {
    meta:
        description = "Detects Flux ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a6b4b0e7f5523e45621fa9546363f3cefaa7f07b9975c144b2a31b7a01480aa3"

    strings:
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h1 = { FA 44 DB 80 FC BB 9D A8 C1 30 B2 D5 5D F5 1 }
        $h2 = { 2B E7 D6 8D C0 4E 2B 7B 1 }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}