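/*
 * SingularityWare ransomware rules. Each rule carries its own reference
 * `hash` in meta and only fires on files that start with the bytes "MZ"
 * (uint16(0) == 0x5A4D) and are smaller than 5MB.
 *
 * Review change: several strings repeated the same pattern under a second
 * identifier. Because "N of them" counts identifiers, not distinct patterns,
 * one matching indicator was counted two or three times and could satisfy
 * the threshold alone. Each pattern is now declared once, so the thresholds
 * count distinct indicators. The numeric thresholds are unchanged.
 * TODO: re-run every rule against its reference sample and a benign PE corpus
 * before deployment, since this tightens what matches.
 */

rule SingularityWare_ransomware_1
{
    meta:
        description = "Detects SingularityWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "6387d159e226d86283ba28a3663c29638e367a53560f87065e4545429746b4d9"

    strings:
        // 56 alphanumeric characters followed by ".onion" (the label length of
        // a Tor v3 hostname). Was declared twice ($r0, $r4).
        $onion = /[A-Za-z0-9]{56}\.onion/

        // Literal ".singularityware", case-insensitive; presumably the extension
        // given to encrypted files. Was declared twice ($s1, $s6).
        $ext = ".singularityware" nocase

        // "README." plus 3-10 arbitrary characters; presumably the ransom-note
        // file name. Confirm against the sample.
        $note = /README\..{3,10}/i

        // Base58-style run starting with 1 or 3 (the shape of a legacy Bitcoin
        // address). Was declared twice ($r3, $r5).
        // NOTE(review): the pattern is unanchored, so it also matches inside any
        // longer alphanumeric run; treat it as a weak indicator.
        $btc = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        // Two distinct indicators are required. With the duplicates in place,
        // a single $onion, $ext or $btc hit was enough.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}

rule SingularityWare_ransomware_2
{
    meta:
        description = "Detects SingularityWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "e99152b882d9f15137c9defa02ef1bb7302e695fb01523fbb84cf40633ca8ddd"

    strings:
        $s0 = "RECOVER" nocase
        // Byte sequences of unknown meaning, presumably taken from the reference sample.
        $h1 = { AF 05 6D 45 27 A7 7C ED 7C FE 63 80 18 FD 02 D5 BF 66 00 01 7A 4E 57 18 }
        $s2 = "README" nocase
        $h3 = { F8 5A 67 02 54 5D EC 2F 80 B7 97 AB 09 E8 C2 B0 }

    condition:
        // NOTE(review): $s0 and $s2 are generic words and together satisfy
        // "2 of them" without either byte sequence. Consider requiring one of
        // ($h1, $h3) once that has been checked against the sample.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}

rule SingularityWare_ransomware_3
{
    meta:
        description = "Detects SingularityWare ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "4e92d72e37d8add715243a3c08d2fc16e307be1ae1865b421526249a6dddc371"

    strings:
        $aes = "AES-256" nocase

        // "README." plus 3-10 arbitrary characters. Was declared three times
        // ($r1, $r3, $r4).
        $note = /README\..{3,10}/i

        // 56 alphanumeric characters followed by ".onion". Was declared twice
        // ($r2, $r5).
        $onion = /[A-Za-z0-9]{56}\.onion/

        $rsa = "RSA-2048" nocase

        // Byte sequence of unknown meaning, presumably taken from the reference sample.
        $bytes = { BE F3 31 95 E8 42 5D 7F 88 2C }

    condition:
        // Four of the five distinct indicators are required. With the
        // duplicates in place, a README match plus any one other string
        // already reached the count of 4.
        // TODO: confirm that the reference sample still matches at this threshold.
        uint16(0) == 0x5A4D and filesize < 5MB and 4 of them
}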