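/*
 * Three rules for Cicada ransomware samples. Each rule is gated on an MZ
 * header (uint16(0) == 0x5A4D) and a 5MB size cap, then counts how many of
 * its strings are present.
 *
 * Changes from the original one-line listing:
 *   - $h5 (rule 2) and $h1 (rule 3) ended in a single hex digit, which is not
 *     a valid byte in a YARA hex string and stops the rule from compiling.
 *     The dangling digit is dropped and the complete bytes are kept.
 *   - $r4 (rule 2) repeated $r3 exactly, so one .onion match counted twice and
 *     satisfied "2 of them" on its own. The duplicate is removed.
 *   - nocase is dropped from strings that contain no letters ("::::", "!!!"),
 *     where it has no effect.
 */

rule Cicada_ransomware_1
{
    meta:
        description = "Detects Cicada ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "796ed99bc9ffdbc03dad84559d492928f64dbb239739c90504edc2631410412e"

    strings:
        // Byte sequences, presumably taken from the sample in meta.hash (confirm).
        $h0 = { 59 2E B9 71 23 16 E8 DB A8 CF 97 DA C4 ED 39 C2 }
        $h1 = { 9B 6A 18 54 4B B2 1D A4 F1 C5 A6 AC 7E 43 69 C8 }
        // "README." followed by 3 to 10 further characters, case-insensitive.
        $r2 = /README\..{3,10}/i
        // Base58 run starting with 1 or 3 (legacy Bitcoin address shape).
        // Unanchored and with no checksum validation.
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        // The rule defines four strings, so "4 of them" requires all of them.
        uint16(0) == 0x5A4D and filesize < 5MB and 4 of them
}

rule Cicada_ransomware_2
{
    meta:
        description = "Detects Cicada ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a3d473e96a91ec612bfd40d38f59fb0ee1fd251bc1fdccc3eec40ff47eaf750b"

    strings:
        $s0 = "DECRYPT" nocase
        $s1 = "::::"
        $r2 = /README\..{3,10}/i
        // 56 alphanumerics followed by ".onion". This is broader than the
        // base32 alphabet (a-z, 2-7) that v3 onion addresses use.
        // The original also declared an identical $r4; it is removed so one
        // address is counted once.
        $r3 = /[A-Za-z0-9]{56}\.onion/
        // The original pattern ended in a lone "1" (half a byte). Only the
        // 19 complete bytes are kept. TODO: re-extract the full sequence
        // from the sample.
        $h5 = { DB 7C A0 B4 8D B5 D6 E8 E8 F6 90 1B 51 95 C4 52 6B FC E7 }
        $r6 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s7 = "ChaCha20" nocase

    condition:
        // NOTE(review): any two strings suffice and several are generic
        // ("DECRYPT", "::::", "ChaCha20"), so unrelated PE files can match.
        // Validate against a clean corpus before alerting on this rule.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}

rule Cicada_ransomware_3
{
    meta:
        description = "Detects Cicada ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9e6e32119b30738471c2b3ca10cef7866f18acf3612f2e1830d626eac467638d"

    strings:
        $s0 = "README" nocase
        // The original pattern ended in a lone "8" (half a byte). Only the
        // 12 complete bytes are kept. TODO: re-extract the full sequence
        // from the sample.
        $h1 = { 98 76 D7 5F 42 C3 46 1F 1F EB FB EC }
        $h2 = { 04 79 5E FE A4 A5 A8 11 B4 06 09 A2 43 8D BF 45 C7 65 12 0E 8A 14 95 BF }
        // 56 alphanumerics followed by ".onion". This is broader than the
        // base32 alphabet (a-z, 2-7) that v3 onion addresses use.
        $r3 = /[A-Za-z0-9]{56}\.onion/
        $s4 = "BITCOIN" nocase
        $s5 = "!!!"

    condition:
        // NOTE(review): any two strings suffice, and "README" plus "!!!" alone
        // satisfies this, so unrelated PE files can match.
        // Validate against a clean corpus before alerting on this rule.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}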