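// Flags Windows PE files under 5MB that contain at least two of the Kappa
// indicators below, at least one of which must be Kappa-specific.
// NOTE(review): where the byte patterns sit in the sample (code, config or
// packed data) is not documented here. Validate them against the file named
// in meta.hash and against a clean-file corpus before deploying for blocking.
rule Kappa_ransomware_1
{
    meta:
        description = "Detects Kappa ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "bdb3cb3baf63317beb6e26a8cb1172004e0040d4677e63359653d7efd57fede9"

    strings:
        // Generic text: "::::" and "DECRYPT" appear in many benign programs,
        // so these two may only corroborate a stronger indicator.
        $s0 = "::::" nocase
        $s2 = "DECRYPT" nocase

        // Family-specific extension marker.
        $s5 = ".kappa" nocase

        // Byte patterns. $h3, $h4 and $h7 originally ended in a lone hex digit
        // ("3", "6" and "1"), which YARA rejects because every byte needs two
        // nibbles, so the whole rule failed to compile. The dangling nibble is
        // dropped here and each pattern is a prefix of what the author likely
        // intended. TODO: restore the full final byte from the sample.
        $h1 = { A4 14 9F E1 7D 03 75 DB EB 42 CB DD 13 }
        $h3 = { D2 60 83 FB 28 6C E1 97 8D 9F 95 2B 46 D5 6A 3B 61 67 33 }
        $h4 = { C0 16 14 69 95 07 30 9B 7A }
        $h6 = { 59 58 BA 25 55 A4 31 AD F2 F7 39 DC 58 1D 8B BF }
        $h7 = { 49 98 67 D4 6F 7A 42 E9 C6 A9 69 FF EF 00 00 }

    condition:
        // "MZ" header plus a size cap keeps scanning cheap and PE-only.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        // Keep the two-indicator threshold, but stop $s0 and $s2 from
        // satisfying it on their own: one hit must be a byte pattern or the
        // ".kappa" marker.
        2 of them and
        (any of ($h*) or $s5)
}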