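/*
 * Pluto_ransomware_1
 *
 * Flags Windows PE files under 5MB that contain at least two of six
 * indicators: four byte patterns and two case-insensitive ransom-note
 * keywords.
 *
 * Changes from the published form of this rule:
 *   - $h0, $h3 and $h5 ended in a single hex digit, which YARA rejects at
 *     compile time (hex strings are written in whole bytes). The surviving
 *     digit is kept as the high nibble and the missing low nibble is
 *     wildcarded, so the rule compiles without inventing byte values.
 *     NOTE(review): the last byte looks truncated at the source; re-derive
 *     it from the sample named in `hash` and replace the wildcard.
 */
rule Pluto_ransomware_1
{
    meta:
        description = "Detects Pluto ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        // 64 hex characters (SHA-256 length); reference sample for the patterns below.
        hash = "33593287ecf56f422718d8fba8e6c99d143829769b22125205ad56f6b1471781"

    strings:
        // Byte patterns. The rule does not say where in the file they come
        // from; treat them as opaque sample-specific sequences.
        $h0 = { AC B1 22 47 15 30 28 EA E7 C1 75 1F 7D CC 60 E2 C1 B? }  // last byte was "B" in the source
        $h1 = { 85 AE 1D E3 9A FE 51 75 6C AD 16 47 B3 AA 23 }
        $h3 = { 6B 70 DB CE 7F 1A C5 BC E6 D6 28 BB 9B BF CA F? }        // last byte was "F" in the source
        $h5 = { 54 A9 C9 30 1D E5 25 68 BB C9 67 22 79 18 22 2? }        // last byte was "2" in the source

        // Ransom-note keywords. With no `wide` modifier these match the
        // single-byte (ASCII) encoding only.
        $s2 = "DECRYPT" nocase
        $s4 = "YOUR FILES" nocase

    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" DOS/PE header.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        // NOTE(review): "2 of them" is also satisfied by $s2 + $s4 alone, so
        // any small PE containing both generic phrases matches without a
        // single sample-specific byte. Validate against a clean-file corpus
        // before alerting on this rule, and consider requiring at least one
        // $h* pattern once the hex strings have been confirmed.
        2 of them
}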