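// IotaSec ransomware detection rules (author RansomwareMonitor, 2026-03-06).
// Every rule shares the same gate: an MZ header (uint16(0) == 0x5A4D) and
// filesize < 5MB, so only small PE files are checked against the string sets.
//
// NOTE(review): four hex patterns in the original source ended in a single hex
// digit ("46 9", "5F 5", "B3 3", "F9 8"). YARA hex strings are made of whole
// bytes, so those rules would not compile as written. The dangling nibble is
// dropped below; a pattern one byte shorter matches everything the intended
// pattern matched (and at worst slightly more), so no coverage is lost.

rule IotaSec_ransomware_1
{
    meta:
        description = "Detects IotaSec ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "3df50bf2fa916054aea309ffd595d233897f36bdbb6f649221b7f4e768376ce2"

    strings:
        // Source had a trailing single nibble ("46 9"); final partial byte removed.
        $h0 = { 5A DD C6 1B B3 66 BF D9 46 }
        // Source had a trailing single nibble ("5F 5"); final partial byte removed.
        $h1 = { E9 12 84 9D 1C 26 4A 8E 73 E6 17 20 5C 2B D5 2E E2 F5 43 E0 44 44 5F }
        // 56-character .onion hostname (Tor v3 address length).
        $r2 = /[A-Za-z0-9]{56}\.onion/

    condition:
        // Three strings are declared, so "3 of them" requires all of them.
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}

rule IotaSec_ransomware_2
{
    meta:
        description = "Detects IotaSec ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c728c2c468a1e334d5be418406cc1e47f8f0f484485466dc13405b7f11143a58"

    strings:
        // 56-character .onion hostname (Tor v3 address length).
        $r0 = /[A-Za-z0-9]{56}\.onion/
        // Generic cipher name; common in benign binaries, weak on its own.
        $s1 = "AES-256" nocase
        $h2 = { E7 AD 8A F6 18 1F 7F 3B 6F }
        // Three-byte string with no letters: "nocase" had no effect and was
        // dropped. Very short atom; expect it to be present in many files.
        $s3 = "!!!"
        // Source had a trailing single nibble ("B3 3"); final partial byte removed.
        $h4 = { 3A 75 E0 48 23 92 A4 84 54 A9 21 60 F6 03 33 BA 81 5B AF B3 }

    condition:
        // NOTE(review): $s1 and $s3 are generic; with "3 of them" a hit can
        // rest on one specific pattern plus two generic strings.
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}

rule IotaSec_ransomware_3
{
    meta:
        description = "Detects IotaSec ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b482bddc09994b32595a3145b0e380578df39a4d6b8ca5d3fec81c63bf13f80c"

    strings:
        $h0 = { CE 2A D9 B3 EE 51 38 14 16 04 75 BA D5 C1 4B D6 3C FF BC 97 63 }
        // Ransom-note phrasing; generic wording, weak on its own.
        $s1 = "Do not rename" nocase
        // Legacy (P2PKH/P2SH-style) Bitcoin address shape: leading 1 or 3,
        // 25-34 Base58 characters in total.
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Generic word, present in many benign binaries.
        $s3 = "RECOVER" nocase
        $h4 = { 50 1A FC 83 B1 47 5D 36 A2 F9 60 F7 46 EE 0E E8 2B D0 98 A8 BB D4 }
        // Source had a trailing single nibble ("F9 8"); final partial byte removed.
        $h5 = { 1B 33 02 F3 70 6A 01 8B EB 93 82 64 02 2E F1 C2 98 F7 BE 20 29 29 F9 }
        // Generic word, present in many benign binaries.
        $s6 = "BITCOIN" nocase
        $h7 = { 61 4F 03 79 4F D6 F9 74 C4 3B 5A 30 04 AB C7 04 B4 D4 20 1C }

    condition:
        // NOTE(review): "2 of them" can be satisfied by two generic strings
        // alone (e.g. $s3 and $s6) on any PE under 5MB, which is a false
        // positive risk; consider additionally requiring one of the $h*
        // patterns if that proves noisy in production.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}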