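// BlackSuit ransomware detection rules (RansomwareMonitor, 2026-03-06).
//
// Every rule gates on an MZ header and a 5 MB size cap before any string
// scanning, then requires a quorum of indicators. Two defects in the source
// are corrected here:
//   * $h1 (rule 1) and $h7 (rule 3) ended in a lone hex nibble "4", which is
//     not valid YARA hex syntax and made the whole file fail to compile. The
//     high nibble is kept as a nibble wildcard ("4?") so the pattern still
//     constrains that byte; the full byte should be confirmed against the sample.
//   * Rules 2 and 3 defined the same string twice under different identifiers.
//     "N of them" counts identifiers, not distinct patterns, so a duplicated
//     string doubled its weight toward the threshold (see the per-rule notes).

rule BlackSuit_ransomware_1
{
    meta:
        description = "Detects BlackSuit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "dddc0cfbc63637c4da68cc9d8f1779c6a71bb285201c12b0862620570af4a93c"

    strings:
        // Bitcoin-address shape (base58, leading 1 or 3). Weak alone, since any
        // base58-looking run of that length matches; it only adds to the quorum.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Last byte was a lone nibble in the source; see file header.
        $h1 = { 65 B7 E1 EA 29 04 C0 BC F5 B0 4? }
        // Cipher name; also present in legitimate crypto libraries, low specificity.
        $s2 = "ChaCha20" nocase
        $h3 = { DF F3 55 0F DC 15 AD D8 08 34 47 CE 52 9E 79 2A 4E 51 3C 5C }
        $h4 = { E0 B8 CA 5B C3 52 52 F2 }
        $h5 = { 71 DA 4B 6B F2 08 98 A7 7F A8 C7 42 4A 4C 50 B2 }
        $h6 = { B9 D7 8E 68 E9 8D 33 63 9F 6E DB 30 1D 6D 25 76 D0 A3 82 B6 C7 85 0E }
        // Family name; presumably the appended file extension — not confirmed here.
        $s7 = ".blacksuit" nocase

    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 4 of them
}

rule BlackSuit_ransomware_2
{
    meta:
        description = "Detects BlackSuit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "94fcded76a926b64fd25f78eac4aeca26e96da267377efe4f04c1edc0b57468c"

    strings:
        // Contact-line marker and note-filename shape are short and generic;
        // the .onion address form is the most specific indicator of the three.
        $s0 = "TOX:" nocase
        $r1 = /README\..{3,10}/i
        $r4 = /[A-Za-z0-9]{56}\.onion/

    condition:
        // The source listed $s0 and $r1 twice each and required 4 of 5, so a
        // file containing only "TOX:" and a README.* name already matched and
        // the .onion pattern never influenced the verdict. With the duplicates
        // removed, all three distinct indicators are required.
        uint16(0) == 0x5A4D and filesize < 5MB and all of them
}

rule BlackSuit_ransomware_3
{
    meta:
        description = "Detects BlackSuit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "2e64a5def8f7d91e21a71fe2930a08725fd683960c99cd9acc58af715976e706"

    strings:
        $h0 = { CF 0C 7D 13 99 5E E1 1B 15 74 D2 16 60 C5 23 09 }
        // Defined twice in the source ($r1 and $r6); one copy kept so it counts once.
        $r1 = /[A-Za-z0-9]{56}\.onion/
        $h2 = { 8F 0D ED 14 84 BA 80 5F 64 CD BB 49 E9 61 43 2C 24 }
        $h3 = { B5 06 D4 D5 E8 7E 14 0D 9E 97 38 }
        // Punctuation-only strings: "nocase" has no effect on them and was
        // dropped; both are very common byte sequences and low-quality atoms,
        // so they should never carry the match on their own.
        $s4 = "!!!"
        $s5 = "::::"
        // Last byte was a lone nibble in the source; see file header.
        $h7 = { F3 75 57 ED 5D 8D 44 F0 DA 49 92 2B 9A C0 4? }

    condition:
        // Four distinct indicators are now needed; in the source the duplicated
        // .onion regex let two others plus the onion pattern reach the threshold.
        uint16(0) == 0x5A4D and filesize < 5MB and 4 of them
}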