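/*
 * BlackByte_ransomware_1
 *
 * Flags small PE files (MZ header, under 5 MB) that contain a ransom-note
 * phrase, a 56-character .onion hostname, a README.<ext> file name and one
 * byte sequence.
 *
 * Review notes:
 *  - The original $h3 ended in a lone nibble ("1"). YARA hex strings need two
 *    nibbles per byte, so the rule did not compile. The incomplete trailing
 *    byte is dropped here and the complete bytes are kept as authored; restore
 *    the full byte from the reference sample if it can be recovered.
 *  - The three text indicators are generic ransom-note artefacts, so the
 *    family attribution rests on $h3 alone. Validate against the sample named
 *    in meta.hash and a goodware corpus before alerting on this rule.
 */
rule BlackByte_ransomware_1
{
    meta:
        description = "Detects BlackByte ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7275b3b67333387f6e3537d1d75d6bfc2127e90ecdea17f6c350e16a9c4a9cda"

    strings:
        // Ransom-note wording; matches any casing.
        $s0 = "YOUR FILES" nocase
        // 56 characters before ".onion" is the v3 onion hostname length. v3 names are
        // base32 (a-z, 2-7); the broader character class is kept as authored.
        $r1 = /[A-Za-z0-9]{56}\.onion/
        // README followed by a dot and 3-10 arbitrary characters; very loose by itself.
        $r2 = /README\..{3,10}/i
        // Trailing incomplete nibble removed so the pattern compiles (see header note).
        $h3 = { 55 AF E7 A8 42 77 2B 47 63 0F 3A 50 78 A0 71 CF 2E 3D }

    condition:
        // Four strings are defined, so "4 of them" requires every one of them.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}

/*
 * BlackByte_ransomware_2
 *
 * Flags small PE files (MZ header, under 5 MB) in which at least four of the
 * listed indicators occur: two generic ransom-note keywords and four byte
 * sequences.
 *
 * Review notes:
 *  - The original declared "BITCOIN" twice ($s0 and $s2). One occurrence
 *    satisfied two of the four required matches, so the effective threshold
 *    was lower than written. The duplicate $s2 is removed; the threshold
 *    stays at 4 and now counts four distinct indicators.
 *  - The original $h3 ended in a lone nibble ("8"), which is a YARA syntax
 *    error. The incomplete trailing byte is dropped; the complete bytes are
 *    kept as authored.
 *  - With only two text strings, a match needs at least two byte sequences.
 *    Confirm those sequences against the sample named in meta.hash; their
 *    origin is not documented on this page.
 */
rule BlackByte_ransomware_2
{
    meta:
        description = "Detects BlackByte ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "02145b58dd66045fd28c778bb4bdff0e3f3609a1a4db3598fac09424509f8fbc"

    strings:
        // Generic ransom-note keywords; each is weak evidence by itself.
        $s0 = "BITCOIN" nocase
        $s4 = "AES-256" nocase
        // Byte sequences, kept as authored apart from the $h3 repair.
        $h1 = { F4 76 DB 55 FA 50 CA 28 12 EC 38 5B 2C 39 9F 59 F7 8C }
        // Trailing incomplete nibble removed so the pattern compiles.
        $h3 = { 85 00 B3 1B 62 A5 2A 75 49 1B C7 84 68 FE 03 CB EE 44 CD 8E B3 05 A6 }
        $h5 = { 46 D1 CC 64 ED B5 69 C5 53 44 F1 }
        $h6 = { 25 77 B4 93 9A 5E 60 91 1B F1 B1 F3 47 54 CD DA 41 42 BD A0 }

    condition:
        // Any four of the six distinct indicators.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}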