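/*
 * INC v3 ransomware signatures: three rules, each carrying one reference
 * sample hash in its metadata.
 *
 * Every rule is gated on an MZ header at offset 0 (uint16(0) == 0x5A4D) and a
 * file size below 5MB, then counts how many of its strings are present.
 *
 * Hex strings must be written as whole bytes. Four patterns were published
 * with a trailing lone nibble, which the YARA compiler rejects; those are
 * expressed below as high-nibble wildcards (for example "C?").
 * TODO confirm the final byte of each against the reference sample.
 *
 * Text strings carry no `wide` modifier, so they match ASCII only.
 */

rule INC_v3_ransomware_1
{
    meta:
        description = "Detects INC v3 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "93acb019aaae1d36c6897c42bcea04951d59c6b5a584d273c4533216f3d34289"

    strings:
        // Raw byte sequences; the rule gives no offset or section for them.
        $h0 = { 96 C5 11 35 F8 45 71 B6 50 43 51 0A 4F EA A0 4C 99 6B A7 24 48 95 1F }
        // Was "... F7 C": lone trailing nibble kept as a masked byte.
        $h1 = { DC DC 38 A4 6A F2 41 A2 F1 59 2E CC B3 F7 C? }
        // "README." followed by 3 to 10 arbitrary bytes, case-insensitive.
        $r2 = /README\..{3,10}/i
        $s3 = "Do not rename" nocase
        // Was "... FE B": lone trailing nibble kept as a masked byte.
        $h4 = { 17 90 6F F0 AC 9A 80 E8 71 74 FE B? }

    condition:
        // Four of the five strings, so at least two byte patterns must hit
        // alongside the generic text indicators.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}

rule INC_v3_ransomware_2
{
    meta:
        description = "Detects INC v3 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f1b3399a32442cc9c017e7d38afb6c1e3c4d38da51f291a3925021484f984a42"

    strings:
        // Generic words; on their own they say nothing about the family.
        $s0 = "README" nocase
        $s1 = "DECRYPT" nocase
        // Was "... 2D 7": lone trailing nibble kept as a masked byte.
        $h2 = { 5B F5 5B BD 48 D9 AC 7A 75 16 EB 28 FE 81 0E 7A 2B 7B 4C 2D 7? }
        $h3 = { DC 36 92 98 F8 4E 4F 4B 94 1B 88 94 82 33 E7 BE 64 34 68 6A }
        $h4 = { AB 82 37 F1 E6 A3 9A 0B 8D 9F C8 5B 20 }
        // 56 alphanumerics followed by ".onion". This is broader than the
        // base32 alphabet (a-z, 2-7) used by v3 onion addresses.
        $r5 = /[A-Za-z0-9]{56}\.onion/
        // Was "... DC B": lone trailing nibble kept as a masked byte.
        $h6 = { 1D B3 12 91 ED 18 FD 36 87 5B 55 E6 5D BC DF 03 2E F9 FE D6 EE DC B? }
        $h7 = { 72 8A BE DB 3F 29 C2 B8 63 7A }

    condition:
        // NOTE(review): "2 of them" is satisfied by $s0 and $s1 alone, so any
        // PE under 5MB that contains both words matches. Consider also
        // requiring one of ($h*) or $r5, and validate against a clean-file
        // corpus before using this rule for blocking.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

rule INC_v3_ransomware_3
{
    meta:
        description = "Detects INC v3 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a80875a51f4087a2b980ec9f2d558f5442704f4c135c58b267db4e8357ac8642"

    strings:
        $h0 = { DE 1D CA 57 8A 92 27 1F 89 78 03 9F EA A9 31 79 B9 AC 2B B0 }
        // Generic ransom-note vocabulary.
        $s1 = "PAYMENT" nocase
        $s2 = "YOUR FILES" nocase
        // "README." followed by 3 to 10 arbitrary bytes, case-insensitive.
        $r3 = /README\..{3,10}/i
        // Base58 run starting with 1 or 3 (the shape of a legacy Bitcoin
        // address). It is unanchored, so it can also hit inside longer
        // alphanumeric data.
        $r4 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // 56 alphanumerics followed by ".onion" (see the alphabet note on the
        // same pattern in INC_v3_ransomware_2).
        $r5 = /[A-Za-z0-9]{56}\.onion/

    condition:
        // NOTE(review): any two strings suffice, including two generic ones
        // (for example $s1 with $r3). Only $h0 is specific to the sample.
        // Treat hits that lack $h0 as low-confidence until tuned.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}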