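/*
 * OracleData ransomware detection rules (author: RansomwareMonitor, 2026-03-06).
 *
 * Each rule is tied to one sample hash recorded in its meta section and shares
 * the same gate: the file starts with the "MZ" magic (uint16(0) == 0x5A4D) and
 * is smaller than 5MB. The string sets mix generic ransom-note keywords,
 * address-shaped regexes and sample-specific byte sequences.
 *
 * Triage note: the keyword and regex strings are generic, so a hit that does
 * not include one of the $h* byte sequences should be treated as low
 * confidence until confirmed against the sample hash in meta.
 */

rule OracleData_ransomware_1
{
    meta:
        description = "Detects OracleData ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "6213d92ade9221d221c3b27d8c6d2104fefc33cae7021cbb3796fc9594555195"

    strings:
        // Generic keyword; only meaningful in combination with the others.
        $s0 = "README" nocase

        // The original pattern ended in a lone nibble ("E8 C"), which is not a
        // valid hex string and stops the whole rule file from compiling. The
        // low nibble of the last byte is unknown, so it is wildcarded here.
        // TODO confirm the full byte against the sample named in meta.hash.
        $h1 = { B6 27 C1 26 1B DF DC 18 E8 C? }

        // 56 alphanumeric characters followed by ".onion".
        $r2 = /[A-Za-z0-9]{56}\.onion/

    condition:
        // Three strings are defined, so "3 of them" requires every one of them.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}

rule OracleData_ransomware_2
{
    meta:
        description = "Detects OracleData ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "0bd3681d2762482db1eee99d20fab70ca503593431a48226738d1a3187171671"

    strings:
        // Base58-shaped run starting with 1 or 3. The pattern is unanchored and
        // has no fixed literal, so it can match inside unrelated data.
        // NOTE(review): expect noise and slower scans from this string alone.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // 56 alphanumeric characters followed by ".onion".
        $r1 = /[A-Za-z0-9]{56}\.onion/

        // "PAYMENT" and "BITCOIN" were each declared twice in the original
        // ($s2/$s3 and $s5/$s7). Identical strings always match together, so a
        // single keyword satisfied "2 of them" on its own and the rule fired
        // on any small PE containing the word. Each keyword is declared once.
        $s2 = "PAYMENT" nocase
        $s5 = "BITCOIN" nocase

        // Sample-specific byte sequences.
        $h4 = { B2 CA 01 F7 D6 2F 73 8A 84 75 A6 42 41 DD DB 2F }
        $h6 = { 7D CC 82 85 12 45 52 38 86 09 5F CA B7 96 E4 18 5B }

    condition:
        // Any two distinct indicators. The two keywords together still meet
        // this threshold, so keyword-only hits need analyst confirmation.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

rule OracleData_ransomware_3
{
    meta:
        description = "Detects OracleData ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "e0e66c23f45f05e17508610ca607af120f4dab438c5ee42e25fe7b3365af66fc"

    strings:
        // Generic keywords; both can appear in unrelated software.
        $s0 = ".onion" nocase
        $s1 = "README" nocase

        // Sample-specific byte sequence.
        $h2 = { 10 30 14 D5 BC 4D ED 6E F7 2C CF D1 88 7D 9F 60 4A 59 FE 55 4D }

    condition:
        // Any two of the three strings. $s0 plus $s1 without $h2 is enough,
        // so a hit lacking $h2 is weak evidence on its own.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}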