rule Mjolnir_ransomware_1 {
    meta:
        description = "Detects Mjolnir ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "af8393d66093cb9787d8f16c8dd533d49b0a659325945cf73d9c3b0c6bd0fa35"

    strings:
        $h0 = { 7D 47 70 4F B0 6A CE 5E 10 C3 78 D7 63 64 }
        $r1 = /README\..{3,10}/i
        $s2 = "::::" nocase
        $h3 = { 0A 4F FE E4 09 45 9A 74 16 C4 51 68 E2 4A 72 43 B }
        $s4 = "Mjolnir" nocase

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}

rule Mjolnir_ransomware_2 {
    meta:
        description = "Detects Mjolnir ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c0aaaea27f409474af03fd0105c29933d4ffc990598d4de2cd944d9ace2fd91c"

    strings:
        $s0 = "ENCRYPTED" nocase
        $h1 = { 93 93 C3 F9 9B DD 97 50 A1 10 F9 28 BA F5 55 65 96 }
        $h2 = { B5 CF FC B9 64 77 56 D3 92 }
        $s3 = ".mjolnir" nocase
        $s4 = ".mjolnir" nocase

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}