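/*
 * BoltCrew ransomware rules (two variants, one reference hash each).
 *
 * Review notes:
 *  - Several hex strings in the original ended in a single hex digit
 *    (e.g. "... 87 8 }"). YARA hex strings are made of whole bytes, so a
 *    dangling nibble stops the rule set from compiling. The dangling digit
 *    has been dropped from each affected string; the remaining bytes are
 *    unchanged. The patterns look truncated, so re-extract them from the
 *    reference sample if it is available.
 *  - Both rules are limited to files that start with "MZ" and are < 5MB.
 */

rule BoltCrew_ransomware_1
{
    meta:
        description = "Detects BoltCrew ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7e75abfc9cf89368245a2eb27319dfd353ec8aa184ac26c12ce761663d705918"

    strings:
        // Byte pattern; trailing dangling nibble "8" removed (see header).
        $h0 = { C6 0D 56 18 14 62 55 23 90 6C FB AA 46 93 D4 D4 2D 80 87 }

        // 56 alphanumeric characters followed by ".onion".
        // NOTE(review): v3 onion names use the base32 alphabet (a-z, 2-7),
        // so this character class is broader than it needs to be.
        $r1 = /[A-Za-z0-9]{56}\.onion/

        // Shape of a Base58 address starting with 1 or 3. Unanchored, so it
        // also matches inside any long alphanumeric run (base64 blobs,
        // identifiers). Treat as weak supporting evidence only.
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // Byte pattern; trailing dangling nibble "A" removed (see header).
        $h3 = { 8D EB 6B 8A 92 10 F3 71 37 08 5C FD AE CB B6 A2 92 FF }

        // "README." plus 3-10 arbitrary characters, case-insensitive.
        // Generic: many benign installers reference README files.
        $r4 = /README\..{3,10}/i

    condition:
        // NOTE(review): "3 of them" can be satisfied by $r1, $r2 and $r4
        // alone, i.e. without either byte pattern. Any PE that mentions an
        // onion address may then match. Validate against a goodware corpus
        // and consider requiring at least one $h* before deploying.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}

rule BoltCrew_ransomware_2
{
    meta:
        description = "Detects BoltCrew ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "5be46c56a3f96578d8758a41875b5127acd715bae014f30fba4163a34805fbb8"

    strings:
        // Byte pattern; trailing dangling nibble "2" removed (see header).
        $h0 = { 62 12 6B 69 D4 E8 90 51 DC }

        // Complete in the original; unchanged.
        $h1 = { D0 71 6A 45 2D 41 23 51 2F 21 3B 88 07 08 18 DC 9E 6C 3E 06 D9 82 E3 }

        // Byte pattern; trailing dangling nibble "D" removed (see header).
        $h2 = { 4A A3 ED D9 1F A6 37 6F F8 E4 28 91 }

        // Byte pattern; trailing dangling nibble "5" removed (see header).
        $h3 = { 46 D2 DA DD E4 DD 32 33 E6 26 8C 56 9D 8F 40 47 }

        // Ransom-note phrase, matched case-insensitively.
        $s4 = "YOUR FILES" nocase

    condition:
        // With four byte patterns and one text string, "3 of them" always
        // requires at least two byte patterns to hit.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}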