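/*
 * Garnet_ransomware_1
 *
 * Flags PE files smaller than 5 MB that contain at least four of the byte
 * sequences and ransom-note style strings listed below.
 *
 * Review changes relative to the published rule:
 *   - $h0 and $h7 ended in a lone hex digit ("... 6A 16 C" and "... 4C 09 8").
 *     A YARA hex string is made of whole bytes (or ?-wildcarded nibbles), so
 *     the rule failed to compile. The incomplete trailing byte is dropped; the
 *     remaining pattern is a prefix of whatever the full sequence was.
 *   - $r3 was an exact copy of $r1, so a single .onion address counted twice
 *     toward "4 of them". The copy is removed so each indicator counts once.
 *
 * NOTE(review): $r1, $s2, $s4 and $s6 are wording that is not specific to one
 * family; together they still reach the threshold without any byte sequence
 * matching. Re-test against the sample in meta.hash and a clean PE corpus
 * before relying on the family label.
 */
rule Garnet_ransomware_1
{
    meta:
        description = "Detects Garnet ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "961b310b59ed8f50d1c5c97d359a2a65d13432a47a5f6e9bd85a183d8dd99c01"

    strings:
        // Byte sequence; the source listing was cut mid-byte after "16".
        $h0 = { B8 72 42 90 90 B8 39 74 19 B9 D5 A5 8C D0 DF B9 C4 C2 B1 85 6A 16 }

        // 56 alphanumeric characters followed by ".onion".
        // NOTE(review): v3 onion names are base32 (a-z, 2-7); this class is
        // broader than that. Left unchanged to avoid narrowing detection.
        $r1 = /[A-Za-z0-9]{56}\.onion/

        $s2 = "RSA-2048" nocase
        $s4 = "AES-256" nocase
        $h5 = { EC 9C 8F C1 C2 47 FA 29 5D E5 A2 1B FD }
        $s6 = "Do not rename" nocase

        // Byte sequence; the source listing was cut mid-byte after "09".
        $h7 = { D2 F9 9F D5 9D B0 53 7D 38 64 D4 BE 9C 4C 09 }

    condition:
        // "MZ" at offset 0, size cap, then any four distinct indicators.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}

/*
 * Garnet_ransomware_2
 *
 * Flags PE files smaller than 5 MB that contain all three byte sequences and
 * the "AES-256" string. The published condition was "4 of them" with exactly
 * four strings defined, which is the same requirement; it is written as
 * "all of them" so the intent stays explicit if strings are added later.
 */
rule Garnet_ransomware_2
{
    meta:
        description = "Detects Garnet ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f0808cdf722f2da5671142d662b5045dc3c53a58a3b07f9423b0adb2cd68a4ae"

    strings:
        $h0 = { 0D 75 B9 C0 DE 0D E6 2B 03 }
        $h1 = { 2B 96 E5 EE D0 97 48 39 E7 58 C9 F7 }
        $h2 = { F0 DA F8 8F 15 FF AF DF 8E 30 2F 44 C3 }
        $s3 = "AES-256" nocase

    condition:
        // "MZ" at offset 0, size cap, then every string above must be present.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        all of them
}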