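// Three per-sample YARA rules labelled HelloKitty ransomware by the publisher.
// Each rule is gated on a PE header (MZ magic at offset 0) and a 5MB size cap,
// then counts matches among byte patterns and ransom-note style strings.
//
// NOTE(review): several byte patterns were published with a dangling single
// nibble at the end. A hex string token must be two nibbles, so those rules
// would not compile. The dangling nibble is dropped below (the remaining bytes
// are unchanged) and is recorded next to each pattern; regenerate the patterns
// from the referenced samples to confirm the intended bytes.

rule HelloKitty_ransomware_1
{
    meta:
        description = "Detects HelloKitty ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "31704a0f54596290257ee2e225c6610c0313e7f00093f3bab3ab52c94f1575f0"

    strings:
        $h0 = { F5 95 B3 40 ED DA 60 BC }                          // published with trailing nibble "8"
        // Ransom-note style file name; generic, not family specific.
        $r1 = /README\..{3,10}/i
        $h2 = { 7D 6A F6 C6 F5 00 A0 4C 1D FC C3 89 0B E8 77 01 }  // published with trailing nibble "A"
        $h3 = { 5D B0 E2 68 33 98 E1 27 }                          // published with trailing nibble "7"
        $h4 = { B8 B1 CC 41 C7 3E 47 6D 8E C1 }                    // published with trailing nibble "C"
        // Base58 run shaped like a legacy Bitcoin address. It is unanchored, so
        // it can also hit inside long alphanumeric blobs; treat as weak evidence.
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        // Two of the six strings are generic, so "3 of them" always requires
        // at least one sample-specific byte pattern.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}

rule HelloKitty_ransomware_2
{
    meta:
        description = "Detects HelloKitty ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "54eaf148eb62de32f0cd1456b7fb95e5ef6389bec27b0b0e28d0442edb970d99"

    strings:
        $h0 = { 44 6B 56 76 EF F3 96 EC 7E 4D }                        // published with trailing nibble "2"
        $s1 = "AES-256" nocase
        $s2 = "README" nocase
        $h3 = { DB F7 EB 6E C5 BB 4D 78 37 B1 04 E3 FC 67 D6 89 7D }   // published with trailing nibble "4"

    condition:
        // Four strings are defined, so "4 of them" means every string must match.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}

rule HelloKitty_ransomware_3
{
    meta:
        description = "Detects HelloKitty ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "6de795b498606832f6c16729b10e3c362e213b109315dbb11ebd7cdaae8ccbeb"

    strings:
        $h0 = { 93 C6 86 D7 BF 37 72 BB C6 72 D6 72 0A E1 }
        // The published rule also defined $r2 with this exact regex. A single
        // address-like string then counted twice and satisfied "2 of them" on
        // its own, so the duplicate is removed.
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s3 = ".onion" nocase
        $s4 = "HelloKitty" nocase
        // 56-character host label followed by ".onion". Any match here also
        // contains $s3, so the two are counted as one indicator below.
        $r5 = /[A-Za-z0-9]{56}\.onion/
        $r6 = /README\..{3,10}/i

    condition:
        // Require two independent indicators. The onion evidence ($s3 / $r5)
        // counts once, so a lone onion address in a small PE no longer fires
        // the rule by matching two overlapping strings.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (
            2 of ($h0, $r1, $s4, $r6) or
            (1 of ($h0, $r1, $s4, $r6) and any of ($s3, $r5))
        )
}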