/*
 * Rhysida_ransomware_1
 *
 * Matches files under 5MB that begin with the "MZ" magic and contain all four
 * patterns listed below. The meta section records one SHA-256 value; the
 * patterns were presumably taken from that sample (confirm with the rule author).
 *
 * NOTE(review): every pattern is mandatory, so a variant that changes any one
 * of the byte sequences or the text will not match. Treat a hit as a lead for
 * triage and a miss as inconclusive.
 */
rule Rhysida_ransomware_1
{
    meta:
        description = "Detects Rhysida ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "18d5e778dac4f405d8971fa31bd6dead63dcc43d93a93c63f73f45fde9a002f9"

    strings:
        // Opaque byte sequences; the rule gives no hint of what they encode.
        $bytes_a = { 9D DC 53 3E E0 1E D7 D2 32 62 EB 41 }
        $bytes_b = { 19 80 E0 DA 95 96 66 4E }

        // Case-insensitive text. No `wide` modifier is set, so only the
        // single-byte (ASCII) encoding of this phrase is searched for.
        $txt_rename = "Do not rename" nocase

        // '1' or '3' followed by 25-34 characters from a Base58-style class
        // (no '0', 'O', 'I' or 'l'), the shape of a legacy Bitcoin address.
        // NOTE(review): the expression has no fixed literal and no boundary
        // anchors, so it can match inside any long alphanumeric run and may
        // slow scanning. It adds little specificity on its own.
        $re_base58 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        // Cheap gates first: size cap, then the two-byte "MZ" check at offset 0
        // (this does not validate the rest of the PE header).
        filesize < 5MB and
        uint16(0) == 0x5A4D and
        // Four strings are declared, so this is the same as "4 of them".
        all of them
}