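/*
 * Rigel_ransomware_1
 *
 * Flags a PE file under 5MB that contains BOTH a Bitcoin-address-shaped
 * string and a "README.<ext>" style reference.
 *
 * The original declared the address regex twice ($r0 and $r2) and used
 * "2 of them", so one address-like run satisfied the condition alone and
 * $r1 never mattered. The duplicate is removed so both indicators are required.
 * NOTE(review): re-run against the sample in meta.hash to confirm it still hits.
 */
rule Rigel_ransomware_1
{
    meta:
        description = "Detects Rigel ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b7ca41557c11131e17ce2f406ef876e47b619e7bda3d8c95b5ea290bc311a23d"

    strings:
        // Base58 run shaped like a legacy Bitcoin address (leading 1 or 3).
        // Unanchored, so it also matches inside longer alphanumeric runs;
        // treat it as a weak indicator that needs corroboration.
        $r0 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // "README." followed by 3-10 arbitrary characters, case-insensitive.
        $r1 = /README\..{3,10}/i

    condition:
        // 0x5A4D at offset 0 is the "MZ" DOS/PE header magic.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        all of them
}

/*
 * Rigel_ransomware_2
 *
 * Flags a PE file under 5MB that shows at least four distinct indicators
 * drawn from three byte patterns, crypto algorithm names, ransom-note
 * wording and Tor hidden-service references.
 *
 * Changes from the original:
 *  - $h0, $h3 and $h4 each ended in a single unpaired hex digit (E, B, B).
 *    YARA hex strings are made of whole bytes, so the rule did not compile.
 *    The dangling digit is dropped and the complete bytes are kept as is.
 *    NOTE(review): the patterns look truncated; restore the full byte (or a
 *    nibble wildcard such as "E?") only after checking the sample in meta.hash.
 *  - Every $r7 hit contains ".onion" and therefore is also a $s5 hit, so
 *    "4 of them" counted one onion URL twice. Onion evidence now counts once.
 */
rule Rigel_ransomware_2
{
    meta:
        description = "Detects Rigel ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "f0b6f98e9e0548ff47ff55d3f52e44c76a5dee9d96e8941a2208c46acd1f8e43"

    strings:
        // Byte patterns carried over from the original rule; this page does
        // not document what they correspond to in the sample.
        $h0 = { 3E FB FE 3A 88 7C F2 99 D5 1E 07 73 03 23 3C 2D 82 8C 2F 67 }
        $h3 = { 48 4A 48 2D A0 EB 86 C7 53 36 28 AA 4C 34 CF 9D }
        $h4 = { 27 41 09 9E 93 6D 01 63 4D D6 10 }

        // Algorithm names; these also appear in benign crypto software.
        $s1 = "RSA-2048" nocase
        $s2 = "ChaCha20" nocase

        // Ransom-note style wording.
        $s6 = "Do not modify" nocase

        // Tor hidden-service references: a bare ".onion" suffix, and a
        // 56-character alphanumeric label followed by ".onion".
        $s5 = ".onion" nocase
        $r7 = /[A-Za-z0-9]{56}\.onion/

    condition:
        // 0x5A4D at offset 0 is the "MZ" DOS/PE header magic.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (
            // Four indicators without any onion reference, or three plus
            // onion evidence counted a single time.
            // NOTE(review): text strings alone can still reach the threshold;
            // consider requiring one $h* once the byte patterns are confirmed.
            4 of ($h*, $s1, $s2, $s6) or
            (3 of ($h*, $s1, $s2, $s6) and any of ($s5, $r7))
        )
}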