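/*
 * SyndicateSquad ransomware, rule 1 of 2.
 *
 * Fires on a file that starts with the "MZ" magic, is smaller than 5MB and
 * contains at least two DISTINCT indicators from the strings section.
 * The meta hash is the reference sample the rule was written against.
 */
rule SyndicateSquad_ransomware_1
{
    meta:
        description = "Detects SyndicateSquad ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "0e8f259a2c7cd69b06dcbac1080c45f2f6bba2d96f110cbc5d69ec0669da940f"

    strings:
        // 56 alphanumerics followed by ".onion" (the length of a v3 onion
        // hostname). Declared exactly once: a second identifier carrying the
        // same regex would let a single onion URL satisfy "2 of them" alone.
        // The character class is wider than the base32 alphabet onion names
        // use, so it also accepts strings that are not valid hostnames.
        $r0 = /[A-Za-z0-9]{56}\.onion/

        // Generic ransom-note wording; weak on its own.
        $s2 = "ENCRYPTED" nocase

        // Shape of a legacy Base58 Bitcoin address (leading 1 or 3).
        // NOTE(review): the pattern is unanchored, so it can also hit inside
        // any longer Base58-looking run (e.g. encoded blobs) - consider word
        // boundaries or pairing it with a family-specific string.
        $r3 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        // Byte sequence from the reference sample; the only indicator here
        // that is not generic ransom-note content.
        $h4 = { 5D FD 9D 30 FD B2 51 87 67 01 15 }

    condition:
        // uint16(0) == 0x5A4D checks only the two-byte "MZ" magic, not a full
        // PE header. Text strings carry no "wide" modifier, so they match
        // ASCII only - confirm that is how the sample stores its note.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}

/*
 * SyndicateSquad ransomware, rule 2 of 2.
 *
 * Same file gate as rule 1 ("MZ" magic, under 5MB) with a different indicator
 * set: the ".syndicatesquad" marker, a sample-derived byte sequence and
 * generic ransom-note phrases. Any two indicators are enough.
 */
rule SyndicateSquad_ransomware_2
{
    meta:
        description = "Detects SyndicateSquad ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "22072133a6686352272913785174a0ad9053f89e494966f1480ed50af7eeb216"

    strings:
        // "README." followed by 3 to 10 arbitrary non-newline bytes; this is
        // not limited to a file extension, so it matches very widely.
        $r0 = /README\..{3,10}/i

        // Family-specific marker (presumably the appended file extension -
        // verify against the sample).
        $s1 = ".syndicatesquad" nocase

        // Byte sequence from the reference sample.
        $h2 = { 8C 47 8B FE BA B3 62 55 2B A1 }

        // Generic ransom-note phrases; common in unrelated software too.
        $s3 = "YOUR FILES" nocase
        $s4 = "ENCRYPTED" nocase

        // Shape of a legacy Base58 Bitcoin address; unanchored, see rule 1.
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        $s6 = "RECOVER" nocase

    condition:
        // NOTE(review): two generic strings (e.g. $s4 plus $s6) satisfy
        // "2 of them" without any family-specific indicator. Requiring
        // ($s1 or $h2) alongside would cut false positives, but needs to be
        // validated against the reference sample before changing.
        uint16(0) == 0x5A4D and filesize < 5MB and 2 of them
}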