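/*
 * Three signatures tagged as Locky ransomware. Each one requires a PE file
 * (MZ magic at offset 0) smaller than 5MB plus a quorum of its strings.
 *
 * NOTE(review): most of the strings are generic ransom-note artefacts (README
 * names, wallet/onion address shapes, common words) rather than family-specific
 * code. Treat a hit as a triage lead and confirm it against the sample named in
 * the rule's `hash` field before acting on it.
 */

rule Locky_ransomware_1
{
    meta:
        description = "Detects Locky ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "918dbea554d86ed3c709e8f4a8fd89be50ddc796aba7addf76bbee90a98c4abd"

    strings:
        // The published pattern ended in a lone nibble ("... 03 5"), which YARA
        // rejects at compile time. It is written here as the nibble wildcard 5?
        // so the rule loads and the known high nibble is kept.
        // TODO: restore the full final byte from the reference sample.
        $h0 = { 6C 19 24 D5 5B D4 97 99 26 25 C7 09 8D C3 03 3C B4 EC F1 7A 6B 03 5? }

        // Ransom-note file name: "README." followed by any 3-10 characters.
        $r1 = /README\..{3,10}/i

        // Base58 run starting with 1 or 3 (legacy Bitcoin address shape).
        // Unanchored, so it also matches inside longer alphanumeric runs.
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        $s3 = "Do not rename" nocase

    condition:
        // $r1 + $r2 alone satisfy the quorum without the byte pattern, so
        // false positives on unrelated PE files are possible.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

rule Locky_ransomware_2
{
    meta:
        description = "Detects Locky ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "596a112792a99cd3e4131d72b0bf9a23cdd2e480019c21c43ec1996468f0530a"

    strings:
        $s0 = "Locky" nocase

        // 56 alphanumeric characters followed by ".onion".
        $r1 = /[A-Za-z0-9]{56}\.onion/

        $s2 = "BITCOIN" nocase

    condition:
        // NOTE(review): no byte pattern here. Any PE under 5MB containing both
        // the words "Locky" and "BITCOIN" (in any case) matches; expect noise
        // and corroborate with other evidence.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

rule Locky_ransomware_3
{
    meta:
        description = "Detects Locky ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f0e50054f3ef5e74ee72ec3d8e80e1cfcd13cbf231659b1c45f3c9683039aa4d"

    strings:
        // The published pattern ended in a lone nibble ("... D7 E"), which YARA
        // rejects at compile time. It is written here as the nibble wildcard E?
        // so the rule loads.
        // TODO: restore the full final byte from the reference sample.
        $h0 = { CB 60 E7 46 C8 BA 4B 43 09 F9 52 23 95 4C 71 6B 82 4D 64 85 D7 E? }

        // Ransom-note file name: "README." followed by any 3-10 characters.
        $r1 = /README\..{3,10}/i

        // 56 alphanumeric characters followed by ".onion".
        $r2 = /[A-Za-z0-9]{56}\.onion/

    condition:
        // All three strings are required (3 of 3), so the byte pattern must be
        // present; this is the strictest of the three rules.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}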