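// Storm ransomware: three rules, one per sample hash listed in each meta block.
// Every rule gates on a PE header (little-endian "MZ" at offset 0) and a 5 MB
// size cap before counting string hits.
//
// NOTE(review): the origin of the byte patterns is not shown here. Validate each
// rule against the sample named in meta.hash and against a clean PE corpus
// before deploying; several text indicators ("README", "AES-256", "RECOVER")
// are generic and also appear in benign software.

rule Storm_ransomware_1
{
    meta:
        description = "Detects Storm ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "781c0c78e5d42a317758e35ce376564cda4eea8c3892a9fd767a780f6355d1bf"

    strings:
        // Presumably the appended file extension; TODO confirm against the sample.
        $s0 = ".storm" nocase

        // "README." followed by 3-10 bytes of anything except a newline.
        // The original rule declared this regex twice ($r1 and $r3), so one
        // README hit counted as two indicators and satisfied "2 of them" on
        // its own. The duplicate is removed so that two distinct indicators
        // are required.
        $r1 = /README\..{3,10}/i

        // The original pattern ended in a lone nibble ("8F C"). YARA hex
        // strings are built from whole bytes, so that token does not compile.
        // It is dropped rather than guessed, which leaves the pattern a strict
        // prefix of whatever the intended sequence was.
        $h2 = { 63 49 26 C0 86 F8 7E 7B 2C A7 1F D0 48 C1 7C 9D 4E 65 14 BA 8F }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

rule Storm_ransomware_2
{
    meta:
        description = "Detects Storm ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9d7607be353a2c334b4733801878466629d4c076504abca50e2063654929af69"

    strings:
        $h0 = { 89 E4 EA C3 7F CD 3F 08 B5 20 93 BC 9A C2 51 BE 6F 3D }
        $h1 = { D3 E3 BF 76 61 02 3C F1 BE }

        // Generic text indicators: with "3 of them" at least one byte pattern
        // must still match alongside these two.
        $s2 = "AES-256" nocase
        $s3 = "RECOVER" nocase

        // The original pattern ended in a lone nibble ("AA 5"), which is not
        // a valid byte token. It is dropped rather than guessed.
        $h4 = { B0 BA 67 41 71 5A D5 9B AA }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}

rule Storm_ransomware_3
{
    meta:
        description = "Detects Storm ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "13f595f2c07bc96a1f030b39f6cf19a676061931b4a7798baf58ccfd0b354213"

    strings:
        $r0 = /README\..{3,10}/i

        // Any match of $r0 also matches $s1, so this string adds no
        // selectivity. The rule effectively requires $r0 and $h2.
        $s1 = "README" nocase

        $h2 = { E6 6C B1 11 51 DB EE 45 72 45 AB C8 86 3A }

    condition:
        // Three strings are declared, so "3 of them" is equivalent to "all of them".
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}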