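// RansomCortex detection rules (three rules, one per reference sample in meta.hash).
// Every rule gates on an MZ header and a file size under 5MB before counting strings.
//
// NOTE(review): none of the text strings carry the `wide` modifier, so UTF-16
// copies of the same text are not matched. Whether `ascii wide` is needed has
// to be checked against the reference samples.

// Rule 1: fires when any 4 of the 6 strings below are present in a small PE file.
rule RansomCortex_ransomware_1
{
    meta:
        description = "Detects RansomCortex ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "05ecdaa1807e5f212b72510b600362916afcd6baff398283f7a05f9802d5b3dc"

    strings:
        // Ransom-note wording. Each word is common in benign software, so these
        // only carry weight in combination with the other strings.
        $s0 = "PAYMENT" nocase
        $s3 = "ENCRYPTED" nocase
        $s4 = "Do not modify" nocase

        // 56 alphanumerics followed by ".onion" (the length of a v3 onion name).
        // The class is wider than base32 (a-z, 2-7), so it also matches strings
        // that are not valid onion hostnames.
        $r1 = /[A-Za-z0-9]{56}\.onion/

        // Byte patterns. The original ended each pattern with a lone nibble "D",
        // which is not valid hex-string syntax and stops the rule from compiling.
        // It is masked as "D?" on the assumption that it is the high nibble of a
        // truncated byte. TODO: confirm the full byte against the meta.hash sample.
        $h2 = { D7 32 82 B1 5E F5 15 78 D? }
        $h5 = { DC F7 AF 1B 28 C3 41 41 D? }

    condition:
        uint16(0) == 0x5A4D and   // "MZ" at offset 0
        filesize < 5MB and
        4 of them
}

// Rule 2: fires when any 4 of the 6 strings below are present in a small PE file.
rule RansomCortex_ransomware_2
{
    meta:
        description = "Detects RansomCortex ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9978a522893525e064fbb18d2fcf3480c74309377f2fce84c0bdcf3e655c8b39"

    strings:
        // Family name; the most specific text indicator in this rule.
        $s0 = "RansomCortex" nocase
        $s2 = "Do not rename" nocase
        $s4 = "AES-256" nocase

        // Base58 run starting with 1 or 3 (legacy Bitcoin address shape).
        // It is unanchored and has no checksum test, so it matches many
        // unrelated base58-looking runs and is costly to scan with. It does not
        // cover bech32 ("bc1...") addresses.
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // The original ended this pattern with a lone nibble "A" (invalid syntax).
        // Masked as "A?" on the same high-nibble assumption. TODO: confirm against
        // the meta.hash sample.
        $h3 = { B1 0C FB A6 06 8C 97 E3 EF 2F 0A 70 A? }
        $h5 = { 50 B4 6C 12 6C 64 CA 58 A2 }

    condition:
        uint16(0) == 0x5A4D and   // "MZ" at offset 0
        filesize < 5MB and
        4 of them
}

// Rule 3: requires every string below in a small PE file.
//
// The original declared the Bitcoin-address regex twice ($r2 and $r3) and
// required "4 of them". Identical patterns always match together, so that was
// equivalent to requiring the three distinct strings. The duplicate is removed
// and the condition is written as "all of them" to say so directly.
//
// NOTE(review): this rule has no sample-specific byte pattern or family name.
// It rests on an onion-shaped string, "!!!" and a base58-shaped run, so expect
// false positives on unrelated PE files (e.g. wallet or Tor-related software)
// and validate against a clean corpus before alerting on it.
rule RansomCortex_ransomware_3
{
    meta:
        description = "Detects RansomCortex ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f4b41ee7566b2906f1d9624b4669940488b14e7f4f89ce30024d1a8b7fef57e1"

    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        // `nocase` dropped: it has no effect on a string with no letters.
        $s1 = "!!!"
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        uint16(0) == 0x5A4D and   // "MZ" at offset 0
        filesize < 5MB and
        all of them
}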