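/*
 * Three YARA rules for FortuneBlack ransomware samples. Each rule records one
 * sample hash in its meta section. All three only evaluate files that start
 * with the MZ magic (uint16(0) == 0x5A4D) and are smaller than 5MB.
 *
 * Changes from the original single-line text:
 *   - Two hex strings ended in a lone nibble, which is not valid hex-string
 *     syntax and stops the whole rule file from compiling.
 *   - Identical regex strings declared twice in one rule were de-duplicated,
 *     because each copy counted separately towards "N of them".
 *   - `nocase` was dropped from punctuation-only strings, where it has no effect.
 */

rule FortuneBlack_ransomware_1
{
    meta:
        description = "Detects FortuneBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "466fab7ba497005c5e65be0b5b4c0ecf056bcecb452e85092d159e1d3044f40a"

    strings:
        // NOTE(review): a three-byte punctuation string is a weak indicator by
        // itself; it only carries weight in combination with the others.
        $s0 = "!!!"
        $s1 = "Do not rename" nocase
        // A run of 26-35 Base58 characters starting with 1 or 3 (the shape of
        // a legacy Bitcoin address). The pattern has no word boundary, so it
        // also matches inside longer alphanumeric runs.
        // NOTE(review): consider `fullword` after checking it against the sample.
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        // The original declared the regex twice ($r2 and $r3), so one regex hit
        // counted as two and "3 of them" was met by the regex plus either text
        // string. With the duplicate removed, all three distinct indicators
        // must be present.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}

rule FortuneBlack_ransomware_2
{
    meta:
        description = "Detects FortuneBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "fab45d809e627210b2a1b1a60518b5257998dbe0f6cebd73ac2d6b96179980b7"

    strings:
        // The original ended in "1C 1". The dangling nibble is dropped and the
        // 15 complete bytes are kept unchanged.
        // NOTE(review): re-extract the sequence from the sample if the
        // truncated trailing byte is needed.
        $h0 = { 7D 60 6D E9 0E 4D CB 68 F5 41 1B A6 3F BE 1C }
        $s1 = "Do not rename" nocase
        $s2 = "::::"
        // 56 alphanumeric characters followed by ".onion".
        $r3 = /[A-Za-z0-9]{56}\.onion/

    condition:
        // NOTE(review): "2 of them" is met by $s1 together with $s2, which are
        // both generic text. Validate against a clean-file corpus before
        // relying on this rule for alerting.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

rule FortuneBlack_ransomware_3
{
    meta:
        description = "Detects FortuneBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "70801891b6faa7f2495e5e8c11b6eab04a455f7c51df78f7f2f05e9f76aa9d93"

    strings:
        $s0 = "ENCRYPTED" nocase
        $s1 = "ChaCha20" nocase
        $h2 = { F0 A4 FC E6 94 63 E1 AA D8 8F A5 D3 DB 08 F8 BC 62 42 D5 8C }
        // Same Base58 address-shaped pattern as in FortuneBlack_ransomware_1.
        // The original also declared it a second time as $r6.
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // The original ended in "DC 7". The dangling nibble is dropped and the
        // 17 complete bytes are kept unchanged.
        // NOTE(review): re-extract the sequence from the sample if the
        // truncated trailing byte is needed.
        $h4 = { CC BF C6 90 F5 8F CA 01 F5 AE 6E F6 76 8D DA 1C DC }
        $s5 = "RECOVER" nocase
        $s7 = "AES-256" nocase

    condition:
        // With $r3 and $r6 both present, a single regex hit satisfied
        // "2 of them" with no other indicator. After de-duplication, two
        // distinct indicators are required.
        // NOTE(review): several of the text strings are common words, so this
        // threshold should still be tuned against clean PE files.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}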