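/*
 * Interlock_ransomware_1
 *
 * Flags Windows PE files smaller than 5 MB that contain the byte patterns
 * below, optionally corroborated by a ransom-note file name and a
 * 56-character .onion hostname.
 *
 * Changes from the published form of this rule:
 *   - $h1 and $h5 ended in a lone hex nibble ("5" and "C"). YARA hex strings
 *     are made of whole bytes (or nibble wildcards such as 5?), so the rule
 *     did not compile. The incomplete trailing byte is dropped rather than
 *     guessed; restore it from the reference sample if it can be recovered.
 *   - $r3 duplicated $r0 and $r7 duplicated $r6. Under "4 of them" each
 *     regex therefore counted twice, so a README.* name plus an .onion host
 *     satisfied the rule with no byte pattern present. The duplicates are
 *     removed and the condition now requires at least one byte pattern.
 *
 * NOTE(review): the hex patterns are presumably taken from the sample in
 * meta.hash; this file does not say which part of the binary they cover.
 * Confirm against the sample and a goodware corpus before deploying.
 */
rule Interlock_ransomware_1
{
    meta:
        description = "Detects Interlock ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "235de1054e2a347903b94314a904e8632fdf4ed9b80787d85902be7ef1b304c8"

    strings:
        // Corroborating indicators only: neither is specific to one family.
        // "." matches any byte except newline, so the extension is loose.
        $r0 = /README\..{3,10}/i
        // Tor v3 hostnames are 56 base32 characters (a-z, 2-7); this class
        // is a superset and also accepts strings that are not valid hosts.
        $r6 = /[A-Za-z0-9]{56}\.onion/

        // Byte patterns. $h1 and $h5 are shortened by one incomplete byte
        // (see header), so they match a prefix of the intended sequence.
        $h1 = { 28 5B 16 B9 27 E2 6C 24 F1 34 50 33 }
        $h2 = { 46 7C 71 A3 DB A6 B5 77 E8 4E E9 C1 77 84 C9 F4 9C 5E 1F B5 }
        $h4 = { FA 95 0E 57 A0 DC 10 49 6E 71 A0 BA B9 18 74 6E 6B E4 1D 1F 8E 7C 39 D7 }
        $h5 = { AA 31 E3 52 A5 41 5C CF 69 }

    condition:
        // "MZ" at offset 0 restricts the rule to DOS/PE images.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        // At least one byte pattern must be present, so the two generic
        // regexes can no longer satisfy the rule on their own.
        any of ($h*) and
        3 of them
}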