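/*
 * Bastion ransomware detection rules, one rule per reference sample
 * (see each rule's meta.hash).
 *
 * Shared gate in every condition:
 *   uint16(0) == 0x5A4D  -> file starts with the "MZ" DOS/PE magic
 *   filesize < 5MB       -> skip large files
 *   3 of them            -> at least three DISTINCT strings from the rule
 *
 * Review changes relative to the previous revision:
 *   - Hex strings that ended in a lone nibble (e.g. "... 87 2") did not
 *     compile, because a YARA hex string is built from whole bytes. The
 *     known nibble is kept and the missing one is masked ("2?").
 *   - Regexes declared twice under different identifiers were removed.
 *     A single match used to count twice toward "3 of them", so one
 *     .onion hostname plus any other string satisfied the rule.
 *
 * NOTE(review): removing the duplicates makes the threshold stricter.
 * Re-run each rule against its reference sample before deploying.
 * NOTE(review): the ransom-note keywords and the address regexes are
 * generic. Consider requiring at least one of the $h* byte patterns so
 * that three generic strings alone cannot trigger a hit.
 */

rule Bastion_ransomware_1
{
    meta:
        description = "Detects Bastion ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "1f28fb7f078af90afb9dbb67ce5a38de825f79446c50d986648fdb8bdd95c580"

    strings:
        // 56 alphanumeric characters followed by ".onion".
        // NOTE(review): the class is wider than lowercase base32; confirm
        // whether [a-z2-7] is sufficient for the addresses seen in samples.
        $r0 = /[A-Za-z0-9]{56}\.onion/

        // Byte pattern; origin not shown here. Confirm against meta.hash.
        $h1 = { 8C BD 48 C3 F1 5C 7D 90 68 FB 77 D3 0F 55 }

        // Ransom-note style keywords.
        $s2 = "YOUR FILES" nocase
        $s3 = "ENCRYPTED" nocase
        // "nocase" dropped: it has no effect on a string without letters.
        $s4 = "!!!"
        $s6 = "RSA-2048" nocase

        // The final byte was truncated in the original ("87 2"); the low
        // nibble is unknown, so it is wildcarded. Replace "2?" with the real
        // byte once it has been recovered from the sample.
        $h7 = { 4A 64 5B AF CF 00 4C 70 24 59 B4 B6 F5 A2 50 4F 6A 87 2? }

    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}

rule Bastion_ransomware_2
{
    meta:
        description = "Detects Bastion ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "cc14c681902778d58ae104b2e79bcf1ac86cd5ad13aec9d0ba64972eefa1066c"

    strings:
        // Byte pattern; origin not shown here. Confirm against meta.hash.
        $h0 = { 35 6A 70 21 87 F3 94 10 0D 35 1A 4F 52 5B AD 00 BF AB A8 9D }

        // 56 alphanumeric characters followed by ".onion".
        $r1 = /[A-Za-z0-9]{56}\.onion/

        // Base58-looking token starting with 1 or 3 (legacy Bitcoin address
        // shape).
        // NOTE(review): this regex has no fixed literal and is unanchored, so
        // it is likely to slow scanning and to match inside any long
        // alphanumeric run. Consider word boundaries or a literal prefix from
        // the ransom note.
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // Ransom-note style keyword.
        $s3 = "RECOVER" nocase

    condition:
        // Only four distinct strings remain, so three of them must be present.
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}

rule Bastion_ransomware_3
{
    meta:
        description = "Detects Bastion ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "68d1f24ea73d412acc364cb5d24f89ce5804fe28b00c969ee651e079dfd14e01"

    strings:
        // The final byte was truncated in the original ("48 2"); the low
        // nibble is wildcarded. Replace it once recovered from the sample.
        $h0 = { 4D FB 12 50 46 BA 7D 48 2? }

        // Base58-looking token starting with 1 or 3 (legacy Bitcoin address
        // shape).
        // NOTE(review): no fixed literal and unanchored; see the performance
        // and false-positive caveat above.
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // 56 alphanumeric characters followed by ".onion".
        $r2 = /[A-Za-z0-9]{56}\.onion/

        // Ransom-note style keywords.
        $s3 = "AES-256" nocase
        // "nocase" dropped: it has no effect on a string without letters.
        $s4 = "!!!"

        // The final byte was truncated in the original ("22 4"); the low
        // nibble is wildcarded. Replace it once recovered from the sample.
        $h5 = { 8F DF 2E 88 65 09 8D BE 13 40 C4 4F 1B 6D 22 4? }

    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}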