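// Medusa v2 ransomware detection rules (author: RansomwareMonitor, see each rule's meta).
//
// Review notes for this revision:
//  - The original file did not compile: $h2 in rule _1 and $h3 in rule _3 ended in a
//    lone hex nibble ("... 94 F }" and "... 65 6 }"). YARA hex strings accept only whole
//    bytes or nibble wildcards, and a syntax error in one rule prevents the whole file
//    from loading, so none of the three rules was usable. The trailing nibble is now a
//    masked byte (F? / 6?): the known high nibble is kept and the missing low nibble is
//    wildcarded instead of guessed.
//  - Rules _2 and _3 each declared the same .onion regex twice ($r1/$r5 and $r5/$r6).
//    Identical patterns always match together, so the duplicate silently lowered the
//    "4 of them" threshold by one whenever the regex hit. The duplicates are dropped and
//    the stated count kept, so each condition now requires 4 distinct indicators.
//  - Most strings are generic (RECOVER, DECRYPT, ChaCha20, ".onion", and the unanchored
//    base58 run in $r4), so false positives on benign PE files are likely; treat hits as
//    triage leads and validate against the sample hashes in meta before using the rules
//    for blocking.

rule Medusa_v2_ransomware_1
{
    meta:
        description = "Detects Medusa v2 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7b6028f5b631ec714ed14af748216ed58d73bca8d6a44f16d2220804a4304801"

    strings:
        // Ransom-note wording; also common in legitimate binaries (e.g. recovery routines).
        $s0 = "RECOVER" nocase
        // 56-character hostname followed by ".onion" (Tor v3 style). Broader than a real
        // v3 address, which uses only [a-z2-7], so expect some noise.
        $r1 = /[A-Za-z0-9]{56}\.onion/
        // Last byte masked (F?): the source only carried the high nibble.
        $h2 = { FE AF B6 C9 21 C2 52 C6 35 8C 1C 31 B3 22 08 AC 08 86 2F 87 94 F? }
        // Cipher name; also present in software linked against common crypto libraries.
        $s3 = "ChaCha20" nocase

    condition:
        uint16(0) == 0x5A4D     // MZ header: restrict to PE files
        and filesize < 5MB
        and 2 of them           // low bar: $s0 + $s3 alone can fire on benign crypto-enabled PEs
}

rule Medusa_v2_ransomware_2
{
    meta:
        description = "Detects Medusa v2 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "6e0793edfc902d10498c63ec1a9701b5777b0c21578a7eb48970ef6275bfa829"

    strings:
        // Note: any $r1 hit also satisfies $s0, so these two are not independent evidence.
        $s0 = ".onion" nocase
        $r1 = /[A-Za-z0-9]{56}\.onion/
        // Extension appended to encrypted files, per the rule author.
        $s2 = ".medusa_v2" nocase
        $h3 = { 22 04 99 A5 67 35 2E 96 3C B2 22 EA 14 1D 24 C2 93 66 79 FA A6 0F 20 }
        // Legacy Bitcoin address shape (base58, 26-35 chars). Unanchored, so it will also
        // match inside unrelated base58/base64-like runs.
        $r4 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // $r5 removed: it was byte-for-byte identical to $r1 and double-counted in the condition.

    condition:
        uint16(0) == 0x5A4D
        and filesize < 5MB
        and 4 of them           // 4 distinct indicators out of 5 (the duplicate regex no longer counts twice)
}

rule Medusa_v2_ransomware_3
{
    meta:
        description = "Detects Medusa v2 ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "06efe8febadbcbb5b45ac1c520d623c53321fd3310b49fbf91af83de568c2f8f"

    strings:
        // Ransom-note wording; very common in benign binaries as well.
        $s0 = "DECRYPT" nocase
        $h1 = { 23 D1 21 C9 B3 62 CA 3F 66 3A 38 }
        $h2 = { FE 78 D9 7B 7A A1 0C 00 FD 60 3A }
        // Last byte masked (6?): the source only carried the high nibble.
        $h3 = { 21 51 3F 11 3B 7C E2 6A 2D 38 69 C4 BF A4 7D 5D 34 31 48 C2 65 6? }
        // Legacy Bitcoin address shape; unanchored, see note in rule _2.
        $r4 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $r5 = /[A-Za-z0-9]{56}\.onion/
        // $r6 removed: it was byte-for-byte identical to $r5 and double-counted in the condition.
        $h7 = { 42 70 53 95 E7 91 64 15 5D 30 0F }

    condition:
        uint16(0) == 0x5A4D
        and filesize < 5MB
        and 4 of them           // 4 distinct indicators out of 7
}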