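/*
 * NW_Generation_ransomware_1
 *
 * Flags files that start with the "MZ" magic, are smaller than 5 MB, and
 * contain at least two of the three indicators below. The meta "hash" field
 * is the SHA-256 of the reference sample given by the rule author.
 *
 * NOTE(review): the two hex strings are opaque byte runs with no stated
 * origin (code, config, or packed data). If they come from a packed or
 * encrypted region they will not survive a rebuild of the sample. Confirm
 * against the reference sample and a goodware corpus before deploying.
 */
rule NW_Generation_ransomware_1
{
    meta:
        description = "Detects NW Generation ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "aee2ca727ff8180145e5e8b7dbde49c46a2c28bf2d7dbc8d253964d3dff7aa9f"

    strings:
        // 18-byte sequence; its location in the sample is not documented.
        $h0 = { 32 6F 92 12 DD FD A7 58 69 94 9F BE 64 2C 53 C6 5E A1 }

        // Case-insensitive "README.<3-10 chars>" reference. With no modifier
        // YARA matches this as ASCII only, so a UTF-16 copy of the name in the
        // binary is not covered. The pattern is generic and also occurs in
        // benign software, so it is only a supporting indicator.
        $r1 = /README\..{3,10}/i

        // The published pattern ended in a lone nibble ("... E9 5"), which is
        // not a valid hex-string token and stops the rule from compiling. The
        // incomplete last byte is dropped, so only the 12 complete bytes are
        // matched. This holds whatever the truncated byte was.
        // TODO: restore the 13th byte from the reference sample.
        $h2 = { BF 1F 8E DE D1 4F 02 89 2E B3 B4 E9 }

    condition:
        // 0x5A4D is "MZ" read little-endian at offset 0. This is a cheap
        // header check only, and it does not validate the PE structure.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        // Any two indicators suffice, so $r1 plus a single hex string is
        // enough to fire the rule.
        2 of them
}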