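// Nova ransomware rules. Every rule is limited to files that begin with the
// "MZ" magic (uint16(0) == 0x5A4D) and are smaller than 5MB, and fires when at
// least two of its strings are present.
//
// `2 of them` counts string identifiers, not distinct artifacts. Each pattern
// is therefore listed once per rule, so a single artifact cannot satisfy the
// threshold on its own.

rule Nova_ransomware_1
{
    meta:
        description = "Detects Nova ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9580f4c604d329342d4698381baea8e779c3ead74cb04cb3f7f9985eadbf1d50"

    strings:
        // Generic marker text; listed once so one occurrence counts once.
        $s0 = "ENCRYPTED" nocase
        // Byte sequence; presumably taken from the sample in meta.hash - confirm.
        $h1 = { F7 F8 6A 03 13 D1 B2 15 B4 }
        // Any ".onion" reference. A 56-character onion address always contains
        // this literal, so a separate address regex would add no independent
        // evidence and is not listed.
        $s3 = ".onion" nocase

    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}

rule Nova_ransomware_2
{
    meta:
        description = "Detects Nova ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f73d4eb58d2c58497dec2c13d0d827cea34d1da5f98027bdddeb7c84dd11bd90"

    strings:
        // The original pattern ended in a lone nibble ("6"), which YARA rejects
        // because hex strings are written as whole bytes. The incomplete byte is
        // dropped, leaving a prefix of the intended sequence; restore the full
        // byte from the reference sample if it is known.
        $h0 = { 52 37 0E D7 D4 4B C4 3C 38 EA 27 9C }
        // 56 alphanumeric characters followed by ".onion".
        $r1 = /[A-Za-z0-9]{56}\.onion/
        // Shape of a Base58 string starting with 1 or 3 (legacy Bitcoin address
        // form). Unanchored, so it can also match inside longer alphanumeric
        // runs, possibly including the label matched by $r1; treat as weak
        // evidence.
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s3 = "RECOVER" nocase
        // "README." followed by 3 to 10 arbitrary characters, case-insensitive.
        $r4 = /README\..{3,10}/i
        // Byte sequence; presumably taken from the sample in meta.hash - confirm.
        $h5 = { 48 40 01 16 CD 0C BD 8C 0B D6 09 95 }

    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}

rule Nova_ransomware_3
{
    meta:
        description = "Detects Nova ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "bcb224af702cea3ee7b7b3520dd294cf8535c600063dd149076ebb09aa44e516"

    strings:
        // Base58 string starting with 1 or 3; listed once so that one matching
        // string cannot reach the two-string threshold alone. Unanchored, so it
        // can also match inside longer alphanumeric runs, possibly including
        // the label matched by $r3.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Byte sequence; presumably taken from the sample in meta.hash - confirm.
        $h1 = { 93 83 8F 29 2A 52 B7 81 D6 D8 05 13 2A 3E 06 14 95 47 D8 }
        // 56 alphanumeric characters followed by ".onion".
        $r3 = /[A-Za-z0-9]{56}\.onion/
        $s4 = "RECOVER" nocase

    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}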