rule Shard_ransomware_1 {
    meta:
        description = "Detects Shard ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "2d7a8830af3d0f82bd28ef3ecff4ee817e54f57db3e686ae787f0b9343359b16"

    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $s1 = ".onion" nocase
        $h2 = { E2 D1 0B 8F 08 AD DA C8 FD 7 }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}

rule Shard_ransomware_2 {
    meta:
        description = "Detects Shard ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "d0c73749c050dc6ddc7481453ded5573880e7082a45e2fca36b9df90df79ed94"

    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $h2 = { F5 2F F0 8A 34 59 E7 13 2F 27 5A 36 34 CC 3 }
        $h3 = { 7F 51 0D E5 02 E6 A4 BB FC C3 D2 5 }
        $r4 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $s5 = "::::" nocase
        $h6 = { 3B 2A C5 54 D0 49 CC 1A D2 48 81 3F }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}