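rule REvil_Sodinokibi
{
    // Detection rule for REvil/Sodinokibi ransomware samples.
    // Matches PE files (MZ header) that carry at least two of the
    // listed strings; each string alone is considered too weak.
    meta:
        description = "Detects REvil/Sodinokibi ransomware"
        author = "Security Research"

    strings:
        // Family name as it appears in the binary; case-insensitive.
        $s1 = "sodinokibi" ascii nocase
        // Ransom-note phrase.
        $s2 = "Welcome. Again." ascii
        // Salsa20/ChaCha 256-bit key-expansion constant. This is generic
        // crypto-library material and appears in benign software, so it
        // must only contribute in combination with another string.
        $s3 = "expand 32-byte k" ascii
        // Start of the embedded JSON config ("pk" = attacker public key).
        // Fix: the inner quotes must be escaped, otherwise the literal
        // ends after "{" and the rule fails to compile.
        $cfg = "{\"pk\":" ascii

    condition:
        // uint16(0) == 0x5A4D restricts to PE/MZ files; "2 of them"
        // requires any two strings so that $s3 alone never fires.
        uint16(0) == 0x5A4D and 2 of them
}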