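/*
 * UtopiaTeam ransomware signatures: two rules, each carrying its own sample
 * hash in meta. Both rules evaluate only files that start with the "MZ" magic
 * and are smaller than 5MB, and both require every declared string to match.
 *
 * Fix applied in both rules: one hex pattern ended in a lone nibble. YARA hex
 * strings are written as whole bytes (a nibble can be wildcarded as "B?", but
 * not omitted), so the rules did not compile as published.
 */

rule UtopiaTeam_ransomware_1
{
    meta:
        description = "Detects UtopiaTeam ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "e7cde8cb3bbbd103bbc34073adb4c40de43e203cbfc68fed7c5a08a4bf33fadf"

    strings:
        // Punctuation only, so the original "nocase" modifier had no effect and
        // is dropped. On its own this string is present in many benign files;
        // it contributes nothing unless the other two strings also match.
        $s0 = "!!!"

        // Shape of a legacy Base58 Bitcoin address (leading 1 or 3).
        // NOTE(review): the pattern is unanchored and has no fixed literal, so
        // it also matches inside any long Base58-looking run and may scan
        // slowly. Consider adding \b on both sides after re-testing against
        // the sample in meta.hash.
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // The published pattern ended with an incomplete byte ("B"). That
        // trailing nibble is removed, leaving the 17 complete bytes.
        // NOTE(review): restore the full final byte from the sample if it can
        // be recovered; this page gives no context for what the bytes are.
        $h2 = { C2 7E DD 5C 55 74 78 13 79 91 4D 8B AC 88 78 42 52 }

    condition:
        // Cheap header and size checks run first. The size cap keeps scans
        // fast; revisit it if larger samples of this family are observed.
        // "all of them" is the same as the original "3 of them" because the
        // rule declares exactly three strings.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        all of them
}

rule UtopiaTeam_ransomware_2
{
    meta:
        description = "Detects UtopiaTeam ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "974a76506cf0c3f86c54bd9c8657f3bde84a3a0bf89f7ca0c33615b7a7b1f7b1"

    strings:
        // Case-insensitive text, presumably taken from the ransom note; the
        // phrase is generic, so it is only meaningful alongside $h1 and $h2.
        $s0 = "Do not modify" nocase

        // The published pattern ended with an incomplete byte ("0"). That
        // trailing nibble is removed, leaving the 13 complete bytes.
        // NOTE(review): restore the full final byte from the sample if it can
        // be recovered.
        $h1 = { A5 73 84 67 40 BE FE B4 EE F3 EF 1E 2F }

        // NOTE(review): no context for these bytes is given on this page.
        // Exact byte runs are brittle across rebuilds or repacking; validate
        // against a clean corpus and further family samples before relying
        // on this rule for alerting.
        $h2 = { B7 04 F2 1B 16 B3 B0 7E 12 9B E9 4C A4 15 5A 29 80 A7 DD CA 44 D2 EE }

    condition:
        // Same gate as rule 1: MZ magic, under 5MB, then every string.
        // "all of them" equals the original "3 of them" for three strings.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        all of them
}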