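/*
 * Ragnar_Locker_ransomware_1
 *
 * Matches Windows PE files (MZ magic at offset 0) smaller than 5 MB that
 * contain at least three distinct indicators from the strings section.
 *
 * Changes relative to the original one-line rule:
 *   - $h7 ended in a lone nibble ("D"), which is not a valid hex-string token
 *     and stops the rule from compiling. The incomplete trailing byte has
 *     been dropped; the 22 complete bytes before it are unchanged.
 *   - $s6 duplicated $s1 ("DECRYPT" nocase), so one occurrence of that word
 *     counted as two of the three required hits. The duplicate is removed;
 *     the remaining identifiers keep their original names.
 *
 * Triage caveat: three of the four generic words ($s0, $s1, $s2, $s4) are
 * enough to satisfy the condition without any family-specific indicator
 * ($s3, $h5, $h7). Treat a hit as "ransomware-like PE" until one of the
 * specific indicators is confirmed, and run the rule against a goodware
 * corpus before alerting on it.
 */
rule Ragnar_Locker_ransomware_1
{
    meta:
        description = "Detects Ragnar Locker ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        // Reference sample; 64 hex characters, i.e. SHA-256 length.
        hash = "744cb3774a84dfeae7423a9be044badc3cd2fff4c72922d291e3f0a80fe458e5"

    strings:
        // Generic ransom-note vocabulary. Short, case-insensitive and common
        // in other ransomware families and in benign crypto/payment software.
        // No `wide` modifier is set, so only single-byte encodings match.
        // NOTE(review): confirm how the sample stores these strings.
        $s0 = "TOX:" nocase
        $s1 = "DECRYPT" nocase
        $s2 = "PAYMENT" nocase
        $s4 = "AES-256" nocase

        // Family-specific file-extension marker.
        $s3 = ".ragnar_locker" nocase

        // Byte sequences, presumably extracted from the reference sample.
        // NOTE(review): confirm they come from stable code or data, not from
        // packed or encrypted regions that differ between builds.
        $h5 = { 3D 2A DA 5D 6E 7F 16 D6 09 60 91 76 4A 13 E9 35 B9 63 }
        // Original ended with an incomplete byte ("D"); see header comment.
        $h7 = { 25 8C 11 47 6A 28 4B 03 1B A6 94 3E CE 38 6B 02 2B 9B DB 87 35 CF }

    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" DOS/PE magic.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}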