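/*
 * Two heuristic rules for small Windows executables that carry ransom-note style
 * indicators: payment addresses, onion hostnames, crypto keywords, plus byte
 * patterns presumably taken from the samples named in each rule's `hash` field.
 *
 * Changes from the original single-line listing:
 *   - Hex strings ended on a lone nibble ("... 68 4 }"), which YARA rejects.
 *     The dangling nibble is dropped so the rules compile. Restore the full
 *     final byte from the reference sample if it is available.
 *   - Identical patterns were declared under several identifiers. A single hit
 *     then satisfied "2 of them" by itself. Duplicates are removed so the
 *     condition needs two distinct indicators.
 *
 * NOTE(review): apart from the hex patterns, the indicators are generic to
 * ransom notes rather than specific to one family. Treat a match as a triage
 * lead and confirm the family label against the referenced hash.
 */

rule WannaCry_ransomware_1
{
    meta:
        description = "Detects WannaCry ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9b1cc0ec62ac4dfbb9d181182d30020242fc64e2a76aa6abe74eee7b7587c838"

    strings:
        // Base58 run starting with 1 or 3, the shape of a legacy Bitcoin address.
        // It is unanchored, so it also hits inside longer alphanumeric blobs.
        // Expect false positives if this is one of only two matches.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // Ransom-note vocabulary, matched case-insensitively.
        $s1 = "RECOVER" nocase
        $s5 = "DECRYPT" nocase
        $s6 = "RSA-2048" nocase

        // 56 characters followed by ".onion", the length of a v3 onion hostname.
        // The class is wider than the base32 alphabet, so it over-matches slightly.
        $r2 = /[A-Za-z0-9]{56}\.onion/

        // Byte pattern; trailing half-byte "4" from the original removed (see header).
        $h4 = { 18 EE 0C 47 CC 36 53 76 68 }

    condition:
        // "MZ" at offset 0, file under 5 MB, and any two distinct indicators.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

rule WannaCry_ransomware_2
{
    meta:
        description = "Detects WannaCry ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "2269ec5b17897a849d08fd2259b62464dd3da07bb1f42c5ea24a6ce4500164a9"

    strings:
        // Byte patterns; the trailing half-bytes "5" and "7" from the original
        // were removed so the hex strings are whole bytes (see header).
        $h0 = { 7B 0E 80 C2 ED BB E3 8B 24 8B 88 2A F6 7F 88 17 EC 21 7F 0B F7 }
        $h6 = { CE A6 75 15 E7 73 02 E9 4A 3B 9C }

        // NOTE(review): public analyses of WannaCry describe AES with RSA-2048.
        // Confirm that "ChaCha20" really occurs in the referenced sample.
        $s1 = "ChaCha20" nocase

        // "README." followed by 3-10 arbitrary characters, case-insensitive.
        // This is very loose and matches ordinary README file references too.
        $r2 = /README\..{3,10}/i

        // Legacy Bitcoin address shape (unanchored Base58 run starting with 1 or 3).
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // 56 characters followed by ".onion" (v3 onion hostname length).
        $r4 = /[A-Za-z0-9]{56}\.onion/

    condition:
        // "MZ" at offset 0, file under 5 MB, and any two distinct indicators.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}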