{"group":"monti","count":1,"rules":[{"rule_name":"monti.yar","rule_text":"rule Linux_Ransomware_Monti_9c64f016 {\n    meta:\n        author = \"Elastic Security\"\n        id = \"9c64f016-0fd9-41bf-8916-cdf3a35efdd6\"\n        fingerprint = \"af28cc97eed328f3b2b0181784545e41a521e9dfff09a504177cb56929606b84\"\n        creation_date = \"2023-07-27\"\n        last_modified = \"2024-02-13\"\n        threat_name = \"Linux.Ransomware.Monti\"\n        reference_sample = \"ad8d1b28405d9aebae6f42db1a09daec471bf342e9e0a10ab4e0a258a7fa8713\"\n        severity = 100\n        arch_context = \"x86\"\n        scan_context = \"file, memory\"\n        license = \"Elastic License v2\"\n        os = \"linux\"\n    strings:\n        $a1 = \"[%s] Flag doesn't equal MONTI.\"\n        $a2 = \"--vmkill Whether to kill the virtual machine\"\n        $a3 = \"MONTI strain.\"\n        $a4 = \"http://monti\"\n    condition:\n        2 of them\n}","sha256":"b14b65892708c9d56cb20684e67e84d18b44edd5f898baddb3cc0e0893060bb3","byte_size":805,"updated_at":"2026-06-24 05:16:03"}]}