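/*
 * Cassandra ransomware, rule 1.
 *
 * Matches a PE file under 5MB that contains at least two of three generic
 * ransom-note indicators: a cipher name, a Base58-looking wallet string and
 * a 56-character .onion host name.
 *
 * NOTE(review): none of the three strings is specific to one family, so
 * treat a hit as a triage lead and confirm it against the sample hash in
 * meta before acting on it.
 */
rule Cassandra_ransomware_1
{
    meta:
        description = "Detects Cassandra ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "309f4e8f8b69721c13c3e62474d668e13e2f8d309a55192505831e05abb7154b"

    strings:
        // Cipher name as it would appear in a ransom note.
        $s0 = "AES-256" nocase
        // Legacy Base58 wallet shape (leading 1 or 3). Unanchored, so it also
        // matches ordinary long alphanumeric runs; bech32 ("bc1...") is not covered.
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // 56 alphanumeric characters followed by ".onion". This is wider than
        // the base32 alphabet (a-z, 2-7) that v3 onion names actually use.
        $r2 = /[A-Za-z0-9]{56}\.onion/

    condition:
        // 0x5A4D is the "MZ" magic at offset 0, so only PE/DOS images qualify.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

/*
 * Cassandra ransomware, rule 2.
 *
 * Same PE and size gate as rule 1, with two byte patterns plus generic
 * ransom-note strings.
 *
 * Changes from the published rule:
 *   - $h1 and $h2 each ended in a lone hex digit ("3" and "2"), which is not
 *     a valid hex-string token, so the rule could not be compiled. The
 *     dangling digit is dropped. The shorter patterns match a superset of
 *     what the full byte would have matched. Restore the final byte from the
 *     sample named in meta if it is available.
 *   - $s7 duplicated $s0 ("!!!"). With "2 of them", a single "!!!" anywhere
 *     in the file satisfied the whole condition. The duplicate is removed so
 *     that two distinct indicators are required.
 *   - "nocase" is dropped from "!!!". The string has no letters, so the
 *     modifier had no effect.
 */
rule Cassandra_ransomware_2
{
    meta:
        description = "Detects Cassandra ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "2a3d8450a136377a0277db337aed939d71a52c043422df9b87e69c07ca6e30dc"

    strings:
        // NOTE(review): 3-byte string, very common in benign files and slow to
        // scan for. It only counts together with a second indicator.
        $s0 = "!!!"
        // Byte patterns, presumably taken from the sample in meta (verify).
        // Trailing partial byte removed, see the header comment.
        $h1 = { 18 CB 6D 51 CA 29 77 A5 70 5A 10 98 27 E4 }
        $h2 = { 12 98 A9 DC 7B 9B A5 0C D8 ED 5F D2 D1 CB BA 83 D8 41 BD 67 7F }
        // Legacy Base58 wallet shape, unanchored (same caveat as in rule 1).
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // 56 alphanumeric characters followed by ".onion".
        $r4 = /[A-Za-z0-9]{56}\.onion/
        // Cipher names as they would appear in a ransom note.
        $s5 = "RSA-2048" nocase
        $s6 = "ChaCha20" nocase

    condition:
        // 0x5A4D is the "MZ" magic at offset 0, so only PE/DOS images qualify.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}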