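/*
 * Hypnos_ransomware_1
 * Flags small PE files (MZ magic at offset 0, under 5MB) that carry at least
 * three independent indicators: a README reference, the "ChaCha20" cipher
 * name, a ".onion" reference, and one byte pattern.
 *
 * NOTE(review): README, ChaCha20 and .onion are not specific to one family;
 * validate this rule against a clean-file corpus before alerting on it.
 */
rule Hypnos_ransomware_1
{
    meta:
        description = "Detects Hypnos ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "1325e6683ed5422edae75e7fb51b24cf4633738b1dd159af36ff5348498cafb7"

    strings:
        // The source declared /README\..{3,10}/i three times plus "README".
        // A single "README.txt" therefore satisfied "3 of them" on its own.
        // Every regex hit is also a "README" hit, so one string is kept and
        // the artifact counts once.
        $readme = "README" nocase
        $chacha = "ChaCha20" nocase
        $onion  = ".onion" nocase
        // The source pattern ended in a lone nibble ("1"), which is not a valid
        // hex-string token and stops the rule from compiling. The missing
        // half-byte cannot be recovered from this page, so it is dropped.
        // TODO: re-extract the pattern from the sample in meta.hash.
        $hex    = { 14 53 1F 4A 2C 8B 06 0A }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}

/*
 * Hypnos_ransomware_2
 * Flags small PE files (MZ magic at offset 0, under 5MB) that carry at least
 * three independent indicators: the family marker (name or ".hypnos"
 * extension), a 56-character .onion host, the "Do not rename" phrase, and
 * three byte patterns.
 */
rule Hypnos_ransomware_2
{
    meta:
        description = "Detects Hypnos ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "2ad004bf84f1a65919a7c562a037ee8bbb09b4d88233f19e830943752db56f7a"

    strings:
        // Every ".hypnos" hit is also a "Hypnos" hit (nocase), so the two are
        // treated as one family marker in the condition.
        $name  = "Hypnos" nocase
        $ext   = ".hypnos" nocase
        $onion = /[A-Za-z0-9]{56}\.onion/
        $note  = "Do not rename" nocase
        // Each source pattern ended in a lone nibble ("1", "A", "8"), which is
        // not a valid hex-string token. The dangling half-bytes are dropped.
        // TODO: re-extract the patterns from the sample in meta.hash.
        $hex1  = { 13 A8 80 C6 D6 CC 2A F9 DC 66 31 09 B3 30 A0 41 48 }
        $hex2  = { CE 98 24 F9 23 D2 29 35 34 81 74 }
        $hex3  = { FE 1D C5 92 0D 2D 2D 24 34 6B 5A E6 4C }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (
            3 of ($onion, $note, $hex*) or
            (any of ($name, $ext) and 2 of ($onion, $note, $hex*))
        )
}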