diff --git a/detection-rules/body_extortion.yml b/detection-rules/body_extortion.yml
index e7453208de3..a37e4abde09 100644
--- a/detection-rules/body_extortion.yml
+++ b/detection-rules/body_extortion.yml
@@ -26,10 +26,10 @@ source: |
 ),
 regex.icontains(body.current_thread.text, "pervert|perversion|masturbat"),
 // a timeframe to pay
- regex.icontains(body.current_thread.text, '\d\d hours', '(?:one|two|three) days?'),
+ regex.icontains(body.current_thread.text, '\d\d hours', '(?:one|two|three|\d) days?'),
 // a promise from the actor
 regex.icontains(body.current_thread.text,
- 'permanently delete|destroy (?:\w+\s*){0,4} (?:data|evidence|videos?)'
+ 'permanently delete|(remove|destroy) (?:\w+\s*){0,4} (?:data|evidence|videos?)'
 ),
 // a threat from the actor
 regex.icontains(body.current_thread.text,
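Review bot: The new `\d` alternative in the timeframe pattern is unanchored, so `\d days?` also matches the last digit of longer numbers such as "30 days" or "14 days", which widens this condition well beyond the single-digit deadlines it appears to target. If that is not intended, bound it, e.g. `'(?:one|two|three|\b\d) days?'`. In the promise pattern, `(remove|destroy)` is a capturing group where the rest of the expression uses `(?:...)`; `(?:remove|destroy)` would keep it consistent. Phrases like "remove ... data" are also common in legitimate privacy and unsubscribe mail, so precision now depends more on the other conditions of the `source` block, which starts and ends outside this hunk.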