/*
 * Ryuk_Ransomware
 *
 * Matches a file whose first two bytes are the "MZ" magic and which contains
 * at least two of the three plain-text markers listed under `strings`.
 *
 * Notes for anyone deploying this rule:
 *   - Every marker is matched as single-byte ASCII and case-sensitively, so a
 *     UTF-16 ("wide") copy of the same text does not hit.
 *   - The header test looks only at offset 0. The PE signature is not
 *     verified and no file-size bound is applied.
 *   - "Gentlemen!" is an ordinary word, but because two markers are required,
 *     every match also contains at least one of the other two strings.
 *     Treat a hit as a triage lead to confirm, not as a verdict.
 */
rule Ryuk_Ransomware
{
    meta:
        description = "Detects Ryuk ransomware"
        author = "Security Research"

    strings:
        // presumably the ransom-note file name; confirm against a reference sample
        $ryuk_note_name = "RyukReadMe" ascii
        // presumably the salutation that opens the note text; generic on its own
        $ryuk_note_greeting = "Gentlemen!" ascii
        // looks like an identifier tag embedded by the malware; confirm provenance
        $ryuk_id_marker = "UNIQUE_ID_DO_NOT_REMOVE" ascii

    condition:
        // 0x5A4D is "MZ" read as a little-endian 16-bit value at offset 0
        uint16(0) == 0x5A4D
        and 2 of ($ryuk_*)
}