rule YakuzaTeam_ransomware_1 {
    meta:
        description = "Detects YakuzaTeam ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "833f366155daa38d2fec9867c450c8dd528187f5ecdc4c8b5d855110954fb2be"

    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h2 = { D7 E0 E1 06 ED D8 0A 14 49 75 D9 6E 48 52 3C 44 }
        $h3 = { F4 29 27 41 DC B7 83 B1 F9 C1 79 F7 73 C6 77 60 A }
        $s4 = "BITCOIN" nocase
        $h5 = { 3D DF 1B 8E A1 0C 9B 94 B3 B }
        $h6 = { 1E 2B 10 19 DB F8 07 38 B }
        $h7 = { DD 1B 79 D7 7F A9 65 EC DF }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

rule YakuzaTeam_ransomware_2 {
    meta:
        description = "Detects YakuzaTeam ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c0286b6bb3e48990e043ebae5f1ff2acd5e66daaf1c6ec91ff0ab8c1e57eda53"

    strings:
        $s0 = ".yakuzateam" nocase
        $s1 = "::::" nocase
        $r2 = /README\..{3,10}/i
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s4 = "RECOVER" nocase
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}