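/*
 * Crystal_ransomware_1
 *
 * Flags Windows PE files smaller than 5 MB that contain at least two of the
 * strings below, at least one of which must be the onion-address regex or a
 * byte pattern.
 *
 * Changes from the published one-line form:
 *   - $h3 ended in a lone nibble ("10 1"), which is not valid hex-string
 *     syntax, so the rule could not compile. The incomplete trailing byte is
 *     dropped; the remaining 9 bytes are a prefix of the intended pattern and
 *     therefore match everything the full pattern would have matched.
 *   - "2 of them" could be satisfied by generic strings alone ("DECRYPT",
 *     "::::", "README.xxx"). The condition now also requires $r1 or a byte
 *     pattern.
 *   - "nocase" removed from "::::" (punctuation has no case).
 *
 * NOTE(review): none of the patterns were re-validated against the reference
 * sample here; confirm the rule still hits the hash in meta and run it over a
 * goodware corpus before deploying.
 */
rule Crystal_ransomware_1
{
    meta:
        description = "Detects Crystal ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        // 64 hex characters, presumably the SHA-256 of the reference sample.
        hash = "97fd6ffed6c00c7805a5f2505eca0bf742ce29a4d9af54ec00595745bfd4c47d"

    strings:
        // "README." followed by any 3-10 bytes; very common in benign files.
        $r0 = /README\..{3,10}/i

        // 56 alphanumerics plus ".onion" (the length of a v3 onion address).
        // Not family-specific: treat a hit backed only by this string as a
        // generic ransomware/Tor lead rather than a Crystal attribution.
        $r1 = /[A-Za-z0-9]{56}\.onion/

        // Generic: also matches API names such as CryptDecrypt.
        $s2 = "DECRYPT" nocase

        // Trailing partial byte from the original removed (see header).
        $h3 = { 5C D3 A2 BB F6 21 1A B9 10 }

        // Generic separator string; only meaningful alongside other hits.
        $s4 = "::::"

        $h5 = { A5 C7 6D F5 DF 3C DC F0 30 A4 79 59 66 }

    condition:
        // 0x5A4D at offset 0 is the "MZ" DOS header magic of a PE file.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them and
        any of ($r1, $h*)
}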