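/*
 * Midnight ransomware detection rules (three variants, one per reference sample).
 *
 * All three rules share the same gate: the file must start with the "MZ"
 * magic (uint16(0) == 0x5A4D), be smaller than 5MB, and contain at least
 * two of the rule's own indicators.
 *
 * Review notes applying to the whole set:
 *   - The Bitcoin-address regex has no fixed literal for YARA to anchor on,
 *     so it may be slow on large scan sets. It is marked `fullword` so it
 *     does not match inside longer alphanumeric runs such as base64 blobs.
 *   - Text strings use the default (ASCII) encoding. Whether the samples
 *     store their note text as UTF-16 is not known from this file; confirm
 *     against the samples in `hash` before adding `wide`.
 */

rule Midnight_ransomware_1
{
    meta:
        description = "Detects Midnight ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "471a20f04108df9745472463dcfafb281448cb69c9687ecf2f0563bbef82a74e"

    strings:
        // Ransom-note style text fragments.
        $s0 = "Do not modify" nocase
        $s1 = ".onion" nocase
        // Legacy (base58, prefix 1 or 3) Bitcoin address shape.
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/ fullword

    condition:
        // NOTE(review): every indicator here is generic text, so this rule
        // should be validated against a clean-PE corpus before being used
        // for blocking rather than alerting.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

rule Midnight_ransomware_2
{
    meta:
        description = "Detects Midnight ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "c93a01d6afe2c8145d59a604094022f9fd226e3a2d01f4c2ddd78fdb35b5493c"

    strings:
        $h0 = { A4 4E 45 56 15 E8 8A C9 29 19 5C B4 }
        $s1 = "RECOVER" nocase
        // The original pattern ended in a lone nibble ("2"), which YARA
        // rejects at compile time and which made the rule file unloadable.
        // The unknown low nibble is wildcarded here.
        // TODO: re-extract the full byte from the sample in `hash`.
        $h2 = { 7E 3B C9 A7 CF 83 1B E3 2? }
        $s3 = "ENCRYPTED" nocase

    condition:
        // NOTE(review): $s1 + $s3 alone satisfy "2 of them"; both are common
        // words in benign software (backup, archiver, crypto tooling).
        // Consider requiring one of the hex patterns once $h2 is confirmed.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}

rule Midnight_ransomware_3
{
    meta:
        description = "Detects Midnight ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b744b99feccb165b517e2bf84aa23efd981adf66cf49b8a67aeb0ee371e1bc8d"

    strings:
        // The original declared this identical regex three times ($r0, $r2,
        // $r5). A single address-shaped string then matched all three and
        // satisfied "2 of them" alone, so the rule fired on one weak
        // indicator. It is declared once here so the condition needs two
        // distinct indicators.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/ fullword
        // `nocase` removed: it has no effect on a string with no letters.
        $s1 = "::::"
        $h3 = { B8 72 5F F4 BF 0E FA B1 A5 9D FA FB 37 A1 36 D0 B4 60 52 }
        // Ransom-note filename shape, e.g. README.<3-10 chars>.
        $r4 = /README\..{3,10}/i
        $h6 = { 89 AC 18 07 04 3A 28 FB C5 9C 39 4A D0 C6 25 C6 91 0C 4B }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}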