rule LockBit3_Ransomware {
    meta:
        description = "Detects LockBit 3.0 ransomware artifacts"
        author = "Security Research"
        date = "2024-01-01"
    strings:
        $s1 = "lockbit" ascii nocase
        $s2 = ".lockbit" ascii
        $s3 = "restore-my-files.txt" ascii nocase
        $mutex = "Global\\{BEF461A8-" ascii
    condition:
        uint16(0) == 0x5A4D and 2 of them
}