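/*
    ScorpionWare ransomware rules. Each rule carries its own reference sample
    hash in meta and fires on a PE-headed file under 5MB that contains at least
    four of its strings.

    Most strings here are generic ransom-note wording (for example "DECRYPT",
    "README", ".onion"), so a hit is a lead to triage against the meta hash,
    not a verdict on its own.

    Review changes versus the previous revision:
      - Byte-identical patterns declared under two identifiers were collapsed
        to one. "N of them" counts identifiers, so a duplicated pattern was
        counted twice and the effective threshold was lower than written.
      - The two hex strings in rule 3 ended in a lone nibble, which YARA
        rejects at compile time; the incomplete byte was dropped.
*/

rule ScorpionWare_ransomware_1
{
    meta:
        description = "Detects ScorpionWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "112d3deee1b921168d7c1b4c2f27d2062fa1101aeec2b27339a2b93eb3638377"

    strings:
        // Ransom-note wording; individually weak indicators.
        $s0 = "AES-256" nocase
        $s1 = "YOUR FILES" nocase
        $s2 = "Do not modify" nocase
        // Base58 run shaped like a legacy Bitcoin address (leading 1 or 3).
        // Unanchored, so it can also match inside longer alphanumeric data.
        // Previously declared twice ($r3 and $r4); kept once.
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s5 = "ENCRYPTED" nocase

    condition:
        // 0x5A4D is the "MZ" DOS header magic read little-endian at offset 0.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        // Five distinct strings remain, so this now needs four different indicators.
        4 of them
}

rule ScorpionWare_ransomware_2
{
    meta:
        description = "Detects ScorpionWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "981af184244ebfd25c7e3d4f04565768d193ffe49e25844543403919d5059b77"

    strings:
        // "DECRYPT" and ".onion" were each declared twice ($s0/$s6, $s1/$s4).
        // With the duplicates counted, those two words alone satisfied
        // "4 of them" for any small PE that mentions both.
        $s0 = "DECRYPT" nocase
        $s1 = ".onion" nocase
        // Base58 run shaped like a legacy Bitcoin address (leading 1 or 3).
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // "README." followed by 3 to 10 further characters, case-insensitive.
        $r3 = /README\..{3,10}/i
        $s5 = "::::" nocase

    condition:
        // 0x5A4D is the "MZ" DOS header magic read little-endian at offset 0.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        // Five distinct strings remain, so this now needs four different indicators.
        4 of them
}

rule ScorpionWare_ransomware_3
{
    meta:
        description = "Detects ScorpionWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a225f25a271aac7b6b28d927d46b9dca66004c60bbc81689e88236d773546821"

    strings:
        // 56 alphanumerics followed by ".onion" (the label length of a v3 onion hostname).
        $r0 = /[A-Za-z0-9]{56}\.onion/
        // NOTE(review): both byte sequences originally ended in a single hex
        // digit ("... B3 4" and "... 75 5"), which is not valid YARA hex-string
        // syntax. The final byte is unknown from this file, so it is omitted;
        // re-extract the full sequences from the sample in meta.hash to confirm.
        $h1 = { D8 52 6B 7A 5E 72 13 C0 93 31 4C 71 B3 }
        $h2 = { 1C E5 F1 10 F8 54 E4 36 D7 AD 32 62 5A 83 14 7C 75 }
        // Ransom-note wording; individually weak indicators.
        $s3 = "ENCRYPTED" nocase
        $s4 = "README" nocase
        // Base58 run shaped like a legacy Bitcoin address (leading 1 or 3).
        // Previously declared twice ($r5 and $r6); kept once.
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        // 0x5A4D is the "MZ" DOS header magic read little-endian at offset 0.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        // Six distinct strings remain; any four different indicators satisfy this.
        4 of them
}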