rule crime_ransomware_windows_GPGQwerty: crime_ransomware_windows_GPGQwerty { meta: author = "McAfee Labs" description = "Detect GPGQwerty ransomware" reference = "https://securingtomorrow.mcafee.com/mcafee-labs/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard/" strings: $a = "gpg.exe –recipient qwerty -o" $b = "%s%s.%d.qwerty" $c = "del /Q /F /S %s$recycle.bin" $d = "cryz1@protonmail.com" condition: all of them }