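/*
 * Generic string-based rule for BlackCat/ALPHV Windows builds.
 *
 * Scope: files that start with the MZ magic (PE images). Non-PE builds are
 * not covered by this rule.
 *
 * Change from the earlier version: the 3-byte string ".rs" was removed.
 * It is a substring of the ".rsrc" section name present in most PE files,
 * so with "2 of them" it reduced the rule to "any one of the other strings".
 * The condition now needs two of the three remaining strings.
 */
rule BlackCat_ALPHV_Ransomware
{
    meta:
        description = "Detects BlackCat/ALPHV ransomware"
        author = "Security Research"

    strings:
        $s1 = "RECOVER-FILES" ascii
        // Short, case-insensitive family tag; weak on its own, so it only
        // counts together with another string.
        $s2 = "alphv" ascii nocase
        $s3 = "access-key" ascii

    condition:
        // MZ header at offset 0, then at least two independent strings.
        uint16(0) == 0x5A4D and
        2 of ($s*)
}

/*
 * Sample-derived rule; meta.hash names the reference sample. The byte
 * patterns are presumably taken from that sample - confirm against it before
 * deployment.
 *
 * Changes from the earlier version:
 *  - $r0, $r2 and $r3 were the same regex, and $s6 (".onion") matches every
 *    hit of that regex. One onion address in any PE under 5MB therefore
 *    satisfied "3 of them" alone. They are merged into a single $onion.
 *  - $h5 ended in a lone nibble ("B"), which YARA rejects, so the rule did
 *    not compile. The unknown low nibble is now a wildcard ("B?").
 *    NOTE(review): the pattern looks truncated; restore the full byte from
 *    the sample if it is available.
 *  - The condition asks for two independent indicators. Validate the
 *    threshold against known-good and known-bad sets before production use.
 */
rule BlackCat_ALPHV_ransomware_1
{
    meta:
        description = "Detects BlackCat/ALPHV ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b9d9bdb6cb9c5de3a6de716059c06c07f65adc248969fa07b704278157df3724"

    strings:
        // 56-character label followed by ".onion". The character class is
        // wider than the base32 alphabet (a-z, 2-7) used by v3 onion
        // addresses; kept as authored.
        $onion = /[A-Za-z0-9]{56}\.onion/
        $s1 = "BlackCat/ALPHV" nocase
        $h4 = { 20 2E 7F DE 56 92 1B DA E5 24 C8 CC 42 }
        $h5 = { 71 10 D3 10 E1 38 20 C3 94 F1 6C 34 10 D8 D5 61 C6 B? }

    condition:
        // PE image, size-bounded, and two distinct indicators present.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of ($onion, $s1, $h4, $h5)
}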