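// OpalBit ransomware detection rules (one rule per reference sample; the
// sample's SHA-256 is recorded in each rule's meta.hash).
//
// Changes from the original rule set:
//  - Duplicate string definitions were removed. In YARA, "N of them" counts
//    string identifiers, not distinct patterns, so two identical patterns let
//    a single generic match count twice and silently lowered the effective
//    threshold. The conditions below count distinct indicators only.
//  - OpalBit_ransomware_2: $h3 ended in a lone hex nibble ("4"), which is not
//    valid YARA hex syntax and prevents the whole file from compiling. It is
//    kept as the nibble wildcard "4?" so the known high nibble is retained;
//    confirm the full byte against the sample before deployment.
//  - The README filename and Bitcoin-address patterns are generic and also
//    occur in benign binaries; they are kept as supporting indicators but
//    should not be the sole basis for a hit.

rule OpalBit_ransomware_1
{
    meta:
        description = "Detects OpalBit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b4825eb94055a9b779f016b6f14ff491954eff1d49cf0402803df2135f43a4ce"

    strings:
        // Ransom-note filename pattern. Generic: also matches README.md,
        // README.txt and similar strings in legitimate software.
        $r0 = /README\..{3,10}/i
        // Family name as embedded in the sample.
        $s2 = "OpalBit" nocase
        // Sample-specific byte sequence.
        $h3 = { A6 82 92 7F 06 5A 5A 49 C6 0C CE 24 }

    condition:
        // MZ header, size bound, and two distinct indicators. The original
        // "3 of them" over four strings (two of them identical) in practice
        // required the README pattern plus one other string; requiring two
        // distinct strings keeps that strength without double counting.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}

rule OpalBit_ransomware_2
{
    meta:
        description = "Detects OpalBit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "770e44d09c8a84cd265a6a865d96742bcc1bb3d33748a278c917a53ecc6ae858"

    strings:
        // Sample-specific byte sequence.
        $h0 = { 6D 2A 54 7D 35 7E F4 30 08 }
        // Ransom-note formatting artifacts; both are short and generic on
        // their own, which is why the condition requires four of five strings.
        $s1 = "::::" nocase
        $s2 = "TOX:" nocase
        // Sample-specific byte sequence. The last byte was truncated to a
        // single nibble in the original rule (a compile error); the high
        // nibble is kept and the low nibble wildcarded — verify against the
        // sample.
        $h3 = { 6E 00 8F 0F BA 53 F9 A6 19 62 7C B8 93 4? }
        // Tor v3 onion address (56 base32 characters) used for the
        // negotiation site.
        $r4 = /[A-Za-z0-9]{56}\.onion/

    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and 4 of them
}

rule OpalBit_ransomware_3
{
    meta:
        description = "Detects OpalBit ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7f5436cae96dfad2dbbf1932a7ec6aac08436c51789c8d6c35b99b5b6101ec29"

    strings:
        // Sample-specific byte sequence.
        $h0 = { 21 60 8D 64 99 2B 7E FD }
        // Legacy (P2PKH/P2SH) Bitcoin address pattern. Unanchored base58 runs
        // of this length also occur in base64 blobs and other encoded data,
        // so this string alone is a weak signal.
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        // Ransom-note filename pattern (generic, see rule 1).
        $r2 = /README\..{3,10}/i
        // Cipher name quoted in the ransom note; also common in benign
        // crypto libraries.
        $s4 = "AES-256" nocase

    condition:
        // The original "2 of them" listed the Bitcoin regex twice, so a single
        // base58-looking token satisfied the rule by itself. Two distinct
        // indicators are now required. Because $r1, $r2 and $s4 are all
        // generic, environments with a high false-positive cost may prefer to
        // additionally require $h0.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}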