采用举报方式倒逼甲方进行勒索的blackCat

rule RansomWare_BlackCat_Win{    meta:        description = "BlackCat group"        author = "virk"        thread_level = 10        in_the_wild = true    strings:    $a = {8B 0A 39 C1 77 0E 8B 7A 04 03 4F 08 39 C8 0F 82 ?? 00 00 00 83 C3 01 83 C2 14 39 F3 75 E2}    $b = {8B 7E 04 8B 16 83 C6 08 8B 9F 00 00 40 00 8D 87 00 00 40 00 01 D3 E8 ?? ?? ?? ?? 81 FE ?? ?? ?? ?? 89 9F 00 00 40 00 72 D7}    $c = {8B 3B 83 C6 F8 31 C7 89 7D F0 8B 7B 04 83 C3 08 31 CF 0B 7D F0 75 E5}    $d = {8B 56 04 8B 75 F0 8B 8B 4C 01 00 00 8B 83 48 01 00 00 81 C7 B8 FE FF FF 8B 36 31 CA 31 C6 09 D6 8B 75 F0 8D 93 48 01 00 00 89 D3 75 CB}    $e = {0F B6 C3 4D 8B C3 BA 01 00 00 00 83 E0 07 49 C1 E8 03 FE C3 8A C8 49 FF C3 D2 E2 42 08 54 04 50 41 3A DA 76 DB}    $f = {89 D6 B3 03 E9}    $g = {81 C6 88 89 DA 40 01 F2 75 E6}    $h = {3C 03 0F 44 C1 84 C0 74 1F 3C 01 75 22}    $i = {83 E2 07 C1 E2 12 83 E1 3F 83 E7 3F 83 E0 3F C1 E1 0C C1 E7 06}    $j = {83 C4 0C 0F 0B}    $k = {89 CE 89 C8 83 CE 02 F0 0F B1 32}    $l = {80 C1 17 80 F1 14 8B 04 24}    $m = {73 65 72 73 5C 72 75 6E 6E 65 72 61 64 6D 69 6E}    condition:        (uint16(0) == 0x5A4D) and  (uint32(uint32(0x3C)) == 0x00004550) and ($a and $b and $f) or ($c and $d) or $e or $g or ($h and $i) or ($j and ($k or $l or $m))}
rule RansomWare_BlackCat_Linux{    meta:        description = "BlackCat group"        author = "virk"        thread_level = 10        in_the_wild = true    strings:    $a = {48 89 F1 48 C1 E1 04 48 89 1C 08 4C 89 6C 08 08 48 83 C6 01 48 89 ?? ?? ?? ?? ?? ?? 48 83 C5 10 49 83 C4 10 4D 39 FC 74 5E}    $b = {48 83 FE 05 B8 04 00 00 00 48 0F 43 C6 BA 10 00 00 00 31 DB 48 F7 E2 0F 91 C3 48 C1 E3 03 49 89 C8 49 C1 E0 04}    $c = {EB 41 F2 0F 10 42 08 31 C0 BA 19 00 00 00 E9 F7 00 00 00 8B 42 08 BA 1A 00 00 00 EB 26 8B 42 08 BA 1B 00 00 00 EB 1C 8B 42 08 BA 1C 00 00 00 EB 12 8B 42 08 BA 1D 00 00 00 EB 08 8B 42 08 BA 1E 00 00 00}    $d = {48 83 C5 01 8D 48 FF F6 D0 20 C8 C0 E8 07 0F B6 F8}    $e = {81 FF 00 00 11 00 0F 84 1A 01 00 00 B8 01 00 00 00 81 FF 80 00 00 00 0F 82 EB FE FF FF B8 02 00 00 00 81 FF 00 08 00 00 0F 82 DA FE FF FF 81 FF 00 00 01 00 B8 04 00 00 00 48 83 D8 00 E9}    condition:         (uint32(0) == 0x464C457F) and ($a and $b) or $c or $d or $e}