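// Two independent signatures for Hive ransomware, both restricted to files
// that start with the MZ magic (uint16(0) == 0x5A4D).
//
// Fix applied in this revision: $h0 in Hive_ransomware_1 ended in a lone hex
// nibble ("... 2B F7 C"). YARA hex strings are made of whole bytes, so the
// rule did not compile, and a single compile error normally rejects the whole
// rule file, which would take Hive_Ransomware down with it.

rule Hive_Ransomware
{
    meta:
        description = "Detects Hive ransomware"
        author = "Security Research"

    strings:
        $s1 = "HOW_TO_DECRYPT" ascii
        // NOTE(review): a bare, case-insensitive "hive" also appears in benign
        // software that handles registry hives. Combined with the short ".key."
        // token and "2 of them", expect false positives; baseline against a
        // clean corpus before alerting or blocking on this rule.
        $s2 = "hive" ascii nocase
        $s3 = ".key." ascii
        // All three strings are declared "ascii" only, so UTF-16 ("wide")
        // copies of the same text are not matched.

    condition:
        // MZ header at offset 0, plus any two of the three strings.
        uint16(0) == 0x5A4D and 2 of them
}

rule Hive_ransomware_1
{
    meta:
        description = "Detects Hive ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        // Reference sample as given by the rule author; not re-verified here.
        hash = "f0e21a344833d8440f2f9f0c00151fdb5b464f0923815b1249ce052d6f110b56"

    strings:
        // The last byte was a single nibble "C" in the original, which looks
        // like a truncated paste. It is kept as "C?" (high nibble fixed, low
        // nibble wildcard) so that no byte value is invented.
        // TODO: recover the real byte from the sample named in meta.hash.
        $h0 = { C6 A1 75 26 25 6E FA 44 86 22 44 34 8E 24 7C 46 2B F7 C? }

        // 56 alphanumeric characters followed by ".onion".
        $r1 = /[A-Za-z0-9]{56}\.onion/

        // NOTE(review): every match of $r1 also contains ".onion", so $r1 and
        // $s2 are not independent. One embedded onion address already counts
        // as two of the four hits the condition requires.
        $s2 = ".onion" nocase

        // "README." followed by 3 to 10 characters, case-insensitive. The "."
        // wildcard is broad; this matches ordinary README file names as well.
        $r3 = /README\..{3,10}/i

        $s4 = "RSA-2048" nocase

    condition:
        // MZ header, file smaller than 5 MB, and any four of the five strings.
        uint16(0) == 0x5A4D and filesize < 5MB and 4 of them
}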