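// Three signatures for the FrostBlack ransomware family, one per reference
// sample (see each rule's meta.hash). Every rule first requires a file that
// starts with the "MZ" magic (uint16(0) == 0x5A4D) and is smaller than 5 MB,
// then counts how many of its listed strings are present.
//
// NOTE(review): most indicators are generic ransom-note vocabulary or short
// byte sequences. Validate each rule against its reference sample and a
// clean-file corpus before using it for alerting or blocking.

rule FrostBlack_ransomware_1
{
    meta:
        description = "Detects FrostBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "4ebf74e7c604c298dc5a3831a6cda6d458c69f16cbaab68f514ac3be23153a7d"

    strings:
        // 56-character label followed by ".onion". v3 onion addresses use the
        // base32 alphabet (a-z, 2-7); the character class here is wider.
        // The original listed this regex twice ($r0 and $r2), so one address
        // counted as two hits toward "3 of them"; the duplicate is removed.
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $s1 = "Do not modify" nocase
        $s3 = "DECRYPT" nocase
        $s4 = "RSA-2048" nocase
        $h5 = { 61 A6 90 72 0C F9 AF 14 1E C5 97 8D AC 0F 0F 83 82 9C E7 E6 }
        // "README." plus a 3-10 character extension, case-insensitive.
        $r6 = /README\..{3,10}/i
        $s7 = "ChaCha20" nocase

    condition:
        // PE-style header, small file, and any three distinct indicators.
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}

rule FrostBlack_ransomware_2
{
    meta:
        description = "Detects FrostBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "5fc7ffcf9aa3857eec864427295940c11e1a2c22638e85f6a24fcafca66198e4"

    strings:
        // The original listed this regex twice ($r0 and $r4); the duplicate is
        // removed so each indicator counts once toward "4 of them".
        $r0 = /[A-Za-z0-9]{56}\.onion/
        // The original pattern ended in a lone nibble ("A"), which YARA rejects
        // because hex strings are written in whole bytes. It is kept as a
        // masked byte. NOTE(review): assumes the nibble is the high half of a
        // truncated byte; confirm against the sample.
        $h1 = { 12 CF EA 48 5B D7 25 25 D1 30 38 32 E9 2C 10 86 F1 8F A? }
        $s2 = "Do not rename" nocase
        // Shape of a legacy Base58 Bitcoin address (leading 1 or 3). The regex
        // is unanchored and can match arbitrary alphanumeric runs inside a
        // binary, so treat it as a weak indicator.
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Same repair as $h1: the trailing lone "8" becomes the masked byte 8?.
        $h5 = { B7 D8 B7 72 C8 65 6B D8 BA 4A E7 AC DC 4F 70 8? }

    condition:
        // PE-style header, small file, and four of the five indicators.
        uint16(0) == 0x5A4D and filesize < 5MB and 4 of them
}

rule FrostBlack_ransomware_3
{
    meta:
        description = "Detects FrostBlack ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "3969eaa953f3d222291997bb0eace54cc104c6ae5c4ffc56607094802b2f6653"

    strings:
        // Both hex patterns ended in a lone nibble ("4") in the original, which
        // does not compile; each is kept as the masked byte 4?.
        // NOTE(review): assumes a truncated high nibble; confirm against the
        // sample.
        $h0 = { 09 21 25 E4 36 32 DE FE 06 75 23 4? }
        $h1 = { 6C E0 BE 21 91 ED 0A D2 9D 03 89 70 BD 08 4? }
        // Very common string in benign software; weak on its own.
        $s2 = "README" nocase
        // Unanchored Base58 address shape; weak indicator (can match arbitrary
        // alphanumeric runs).
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        // PE-style header, small file, and three of the four indicators. Since
        // two of them are weak, a match effectively rests on one hex pattern.
        uint16(0) == 0x5A4D and filesize < 5MB and 3 of them
}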