forensicnomicon 0.11.0

//! Ransomware IOC constants — ransom note filenames across major families.
//!
//! [`RANSOM_NOTE_FILENAMES`] is the canonical reference list used by every
//! detection layer (EVTX/Sysmon file-creation, PE string scanning, filesystem
//! hunting).  Any layer that needs to ask "is this file a ransom note?" must
//! import from here rather than maintain its own local copy.

// ── Ransom note filenames ──────────────────────────────────────────────────────
//
// Organised by ransomware family, with the most prevalent families first.
// All filenames are matched case-insensitively at runtime.
//
// Sources: MalwareBazaar, ID Ransomware, ANY.RUN, Sophos Rapid Response,
// Recorded Future, Group-IB, Mandiant, Palo Alto Unit42, CrowdStrike, CISA
// advisories, and primary incident-response reporting (2013–2025).
//
// MAINTENANCE: Add new families below the last entry in alphabetical order.
// Do NOT add partial substrings — every entry must be a complete filename
// (basename only, no path prefix).

/// Complete filenames dropped by ransomware as ransom notes.
///
/// Match case-insensitively against a file's basename.  A match indicates a
/// ransom note was created or is present on disk (T1486 — Data Encrypted for
/// Impact; T1491.001 — Defacement: Internal).
pub const RANSOM_NOTE_FILENAMES: &[&str] = &[
    // ── STOP/DJVU — largest consumer victim count (2018–present) ──────────────
    "_readme.txt",
    // ── LockBit 2.0 / 3.0 / Green (2021–present) ─────────────────────────────
    "Restore-My-Files.txt",
    "LockBit_README.txt",
    "LockBit-README.txt",
    "LockBit3.0.hta",
    "LockBit_Green_README.txt",
    "!!!READ_ME_EDWARD.txt",
    // ── BlackCat / ALPHV (2021–present) ──────────────────────────────────────
    "RECOVER-FILES.txt",
    "GET-IT-BACK-FILES.txt",
    "HOW_TO_GET_YOUR_FILES_BACK.txt",
    // ── RansomHub (2024–present; ex-ALPHV affiliates) ────────────────────────
    "README_RANSOMHUB.txt",
    "RANSOMHUB.txt",
    // ── Conti (2020–2022) ────────────────────────────────────────────────────
    "CONTI_README.txt",
    // ── Hive (2021–2023; FBI takedown) ───────────────────────────────────────
    "HOW_TO_DECRYPT.txt",
    "hive.README.txt",
    // ── REvil / Sodinokibi (2019–2022) ───────────────────────────────────────
    "HOW-DECRYPT.txt",
    "Decryption README.txt",
    // ── GandCrab (2018–2019; predecessor to REvil) ───────────────────────────
    "GDCB-DECRYPT.txt",
    "KRAB-DECRYPT.txt",
    "GandCrab.html",
    // ── Cl0p / Clop (2019–present) ────────────────────────────────────────────
    "ClopReadMe.txt",
    "!Cl0pReadMe.txt",
    "C!0p.txt",
    // ── Ryuk (2018–2021) ──────────────────────────────────────────────────────
    "RyukReadMe.txt",
    "RYUK_README.txt",
    // ── DarkSide / BlackMatter (2020–2021) ───────────────────────────────────
    "DarkSide.README.txt",
    // ── Phobos (2019–present) ─────────────────────────────────────────────────
    "info.hta",
    "Phobos.README.txt",
    // ── MedusaLocker (2019–present) ──────────────────────────────────────────
    "HOW_TO_RECOVER_DATA.html",
    "How_To_Recover_Encrypted_Files.html",
    "Recovery_Instructions.html",
    "HOW_TO_RECOVER_ENCRYPTED_DATA.html",
    // ── Maze (2019–2020) ──────────────────────────────────────────────────────
    "DECRYPT-FILES.txt",
    "MAZE-DECRYPT.txt",
    "DECRYPT-FILES.html",
    // ── Egregor (2020–2021; Maze successor) ──────────────────────────────────
    // RECOVER-FILES.txt already listed under BlackCat

    // ── DoppelPaymer (2019–2022) ──────────────────────────────────────────────
    "readme2unlock.txt",
    "DOPPEL-README.txt",
    // ── WannaCry (2017; EternalBlue) ──────────────────────────────────────────
    "@Please_Read_Me@.txt",
    "@WanaDecryptor@.txt",
    "!WannaCry!.txt",
    // ── Matrix (2016–present) ─────────────────────────────────────────────────
    "#README_MATRIX#.rtf",
    "!readme_matrix_decryption.rtf",
    "#Decrypt_files_readme#.rtf",
    // ── Dharma / CrySiS (2016–present) ───────────────────────────────────────
    "FILES ENCRYPTED.txt",
    "RETURN FILES.txt",
    "DECRYPT_NOTE.txt",
    // ── Hermes / Ryuk ancestor (2017–2018) ───────────────────────────────────
    "DECRYPT_INFORMATION.html",
    "HERMES_README.txt",
    // ── SamSam (2015–2018) ────────────────────────────────────────────────────
    "HELP_DECRYPT_YOUR_FILES.html",
    "HELP_TO_DECRYPT.html",
    // ── Locky (2016–2017) ─────────────────────────────────────────────────────
    "_Locky_recover_instructions.txt",
    "HELP_instructions.html",
    // ── CryptoLocker (2013–2014; first major modern ransomware) ──────────────
    "DECRYPT_INSTRUCTION.html",
    "HOW_TO_RESTORE_FILES.txt",
    "CryptoLocker.txt",
    "CryptoLocker.html",
    // ── TeslaCrypt (2015–2016) ────────────────────────────────────────────────
    "HELP_TO_DECRYPT_YOUR_FILES.txt",
    "HOWTO_RESTORE_FILES.txt",
    // ── CTB-Locker (2014–2017) ────────────────────────────────────────────────
    "!Decrypt-All-Files.txt",
    // ── Shade / Troldesh (2014–2019) ──────────────────────────────────────────
    "README1.txt",
    "README_crypted.txt",
    // ── AvosLocker (2021–present) ─────────────────────────────────────────────
    "GET_YOUR_FILES_BACK.txt",
    "AvosLocker.txt",
    // ── BlackBasta (2022–present) ─────────────────────────────────────────────
    "Instructions.txt",
    // ── Lorenz (2021–present) ─────────────────────────────────────────────────
    "HELP_SECURITY_EVENT.html",
    "HELP_SECURITY_EVENT.txt",
    // ── Quantum (2021–present) ────────────────────────────────────────────────
    "README_TO_DECRYPT.html",
    "README-QUANTUM.txt",
    // ── BianLian (2022–present) ───────────────────────────────────────────────
    "Look at this instruction.txt",
    "BianLian.txt",
    // ── Royal (2022–2024) ─────────────────────────────────────────────────────
    "README.TXT",
    "ROYAL_README.txt",
    // ── Play (2022–present) ───────────────────────────────────────────────────
    "ReadMe.txt",
    // ── 8Base (2022–present; Phobos variant) ─────────────────────────────────
    "IMPORTANT NOTICE.txt",
    "How To Restore Your Files.txt",
    // ── Akira (2023–present) ──────────────────────────────────────────────────
    "akira_readme.txt",
    "AKIRA_RECOVERY.txt",
    // ── Rhysida (2023–present) ────────────────────────────────────────────────
    "CriticalBreachDetected.pdf",
    // ── INC Ransom (2023–present) ─────────────────────────────────────────────
    "INC-README.txt",
    "INC_README.txt",
    // ── Hunters International (2023–present) ──────────────────────────────────
    "Contact_for_Unlock.txt",
    // ── Qilin / Agenda (2022–present) ─────────────────────────────────────────
    "README-IMPORTANT.txt",
    "QILIN-README.txt",
    // ── DragonForce (2023–present) ────────────────────────────────────────────
    "DragonForce_README.txt",
    // ── BlackSuit (2023–present; Royal successor) ─────────────────────────────
    "README.BlackSuit.txt",
    "BlackSuit_README.txt",
    // ── Vice Society (2021–2023) ──────────────────────────────────────────────
    "AllYFilesAE.txt",
    // ── Sabbath / Eruption (2021) ─────────────────────────────────────────────
    "RESTORE_FILES.txt",
    // ── Karma (2021) ──────────────────────────────────────────────────────────
    "KARMA-README.txt",
    // ── Babuk (2021; source leaked) — "How To Restore Your Files.txt" (8Base) ─

    // ── Yanluowang (2021–2022) ────────────────────────────────────────────────
    "Yanluowang_readme.txt",
    // ── Diavol (2021; Trickbot group) ────────────────────────────────────────
    "README_FOR_DECRYPT.txt",
    // ── Ragnar Locker (2020–2023; Europol takedown) ───────────────────────────
    "RAGNAR_LOCKER_README.txt",
    // ── FiveHands / HelloKitty (2021) ─────────────────────────────────────────
    "read_me_unlock.txt",
    "FIVEHANDS.README.txt",
    // ── Trigona (2022–2023; law enforcement action) ───────────────────────────
    "_how_to_decrypt.txt",
    "how_to_decrypt.txt",
    // ── Nevada (2022–present) ─────────────────────────────────────────────────
    "NEVADA_README.txt",
    // ── Zeppelin (2019–2022; FBI advisory) ───────────────────────────────────
    "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
    "Zeppelin.txt",
    // ── PYSA / Mespinoza (2019–2022) ─────────────────────────────────────────
    "Pysa.README.txt",
    // ── Monti (2022–present; Conti derivative) ────────────────────────────────
    "Monti_README.txt",
    // ── NoEscape (2023) ───────────────────────────────────────────────────────
    "HOW-TO-DECRYPT.txt",
    // ── ESXiArgs (2023; ESXi mass exploitation) ───────────────────────────────
    "HOW_TO_RESTORE_YOUR_FILES.txt",
    // ── CrossLock (2023) ──────────────────────────────────────────────────────
    "CrossLock_readme.txt",
    // ── RAGroup (2023–present) ────────────────────────────────────────────────
    "RA_Help.txt",
    // ── MalasLocker (2023) ────────────────────────────────────────────────────
    "instructions.txt",
    // ── Cuba (2019–present; CISA advisory) ────────────────────────────────────
    "!! CUBA !!.txt",
    // ── Nokoyawa (2022–2023) ──────────────────────────────────────────────────
    "NOKOYAWA_readme.txt",
    // ── Rorschach / BabLock (2023) ────────────────────────────────────────────
    "Rorschach_Note.txt",
    // ── Cylance (2019–present) ────────────────────────────────────────────────
    "!HowToDecrypt.txt",
    // ── Avaddon (2020–2021; retired) ─────────────────────────────────────────
    "avaddon_readme.html",
    // ── Prometheus (2021) ────────────────────────────────────────────────────
    "PROMETHEUS_README.txt",
    // ── Grief / PayOrGrief (2021; DoppelPaymer successor) ────────────────────
    "grief_readme.txt",
    // ── MountLocker (2020–2021) ───────────────────────────────────────────────
    "RecoveryManual.html",
    "!-MountLocker-recover_instructions.txt",
    // ── Thanos (2020–2021) ───────────────────────────────────────────────────
    "Restore_My_Files.txt",
    // ── NetWalker / Mailto (2019–2021; law enforcement action) ───────────────
    "!Readme.txt",
    "~readme.txt",
    // ── DearCry (2021; ProxyLogon exploitation) ───────────────────────────────
    "DearCry.txt",
    // ── Cheerscrypt (2022; ESXi) ──────────────────────────────────────────────
    "Read_Me.html",
    // ── AtomSilo (2021) ───────────────────────────────────────────────────────
    "ATOMIKSILO_README.txt",
    // ── Knight / Cyclops (2023–present) ───────────────────────────────────────
    "Knight_README.txt",
    // ── Pandora (2022–present) ────────────────────────────────────────────────
    "Pandora.txt",
    // ── Mindware (2022) ───────────────────────────────────────────────────────
    "MindWare.readme.txt",
    // ── QWCrypt / RedCurl / GOLD BLADE (2024–present) ────────────────────────
    // Group-IB and Palo Alto Unit42 incident reports; note dropped in the same
    // directory as the encrypted VHD/VHDX files.
    "FILES_ENCRYPTED.txt",
    "HOW-TO-DECRYPT-FILES.txt",
    // ── Generic / cross-family names (used by multiple unrelated families) ────
    // Listed last; high false-positive potential — rely on directory context.
    "readme.txt",
    "README.txt",
    "READ_ME.txt",
    "READ-ME.txt",
    "!readme.txt",
    "RESTORE_INSTRUCTIONS.txt",
    "DECRYPT_INSTRUCTION.txt",
    "HELP_DECRYPT.html",
    "HELP_DECRYPT.txt",
    "HELP_YOUR_FILES.txt",
    "IMPORTANT.txt",
    "IMPORTANT_README.txt",
    "YOUR_FILES_ARE_ENCRYPTED.txt",
    "HOW_RECOVER_FILES.txt",
    "DECRYPT_YOUR_FILES.html",
    "HOW_TO_UNLOCK.txt",
];

// ── Ransomware process kill / service stop constants ───────────────────────────
//
// Cross-validated against: LockBit 3.0 CISA AA23-075A (explicit kill list),
// leaked Conti and Babuk source code (kill-list arrays), and vendor IR reports
// (Akira/BlackCat/RansomHub/BlackBasta/BianLian/Medusa/Rhysida/Play).
// All basenames lowercased; compare case-insensitively at runtime.

/// AV/EDR/database/backup process names targeted by ransomware kill scripts.
///
/// Used with `RANSOMWARE_KILL_CLUSTER_THRESHOLD` — a cluster of ≥N kills from
/// this list within `RANSOMWARE_KILL_WINDOW_NS` is near-zero-FP for ransomware
/// staging (T1562.001 / T1489).  Single kills have medium FP risk.
pub const RANSOMWARE_KILL_PROCESSES: &[&str] = &[
    // SQL / database
    "sql.exe",
    "sqlserv.exe",
    "sqlbrowser.exe",
    "sqlwriter.exe",
    "sqlagent.exe",
    "sqlservr.exe",
    "oracle.exe",
    "ocssd.exe",
    "dbsnmp.exe",
    "dbeng50.exe",
    "mysqld.exe",
    "mysqld-nt.exe",
    "mysqld-opt.exe",
    "postgres.exe",
    // Office / productivity (locked open = can't encrypt)
    "excel.exe",
    "infopath.exe",
    "msaccess.exe",
    "mspub.exe",
    "onenote.exe",
    "outlook.exe",
    "powerpnt.exe",
    "winword.exe",
    "wordpad.exe",
    "notepad.exe",
    "thunderbird.exe",
    "thebat.exe",
    "tbirdconfig.exe",
    "steam.exe",
    "firefox.exe",
    // Veeam backup
    "veeam.exe",
    "veeamguestindexer.exe",
    "veeamtransportsvc.exe",
    "veeamdeploymentsvc.exe",
    "veeammountservice.exe",
    // Sophos AV
    "sophos.exe",
    "savadminservice.exe",
    "savservice.exe",
    "sedservice.exe",
    // Malwarebytes
    "mbamtray.exe",
    "mbam.exe",
    // Windows Defender (rarely succeeds but always attempted)
    "msmpeng.exe",
    "nissrv.exe",
    "securityhealthservice.exe",
    // SentinelOne
    "sentinelagent.exe",
    "sentinelhelperservice.exe",
    "sentinelservicehost.exe",
    // CrowdStrike
    "csfalconservice.exe",
    "crowdstrike.exe",
    // Elastic
    "elastic-agent.exe",
    // ESET
    "ekrn.exe",
    "egui.exe",
    // Avira
    "avgnt.exe",
    "avguard.exe",
    // Kaspersky
    "avp.exe",
    "kavfsslp.exe",
    "klnagent.exe",
    // McAfee
    "mfemms.exe",
    "masvc.exe",
    "macmnsvc.exe",
    "mcshield.exe",
    // Trend Micro
    "tmlisten.exe",
    "pccntmon.exe",
    "ntrtscan.exe",
    "tmccsf.exe",
    // Backup tools
    "backup.exe",
    "backupexecagentaccelerator.exe",
    "backupexecagentbrowser.exe",
    "backupexecdevicemediaservice.exe",
    "backupexecjobengine.exe",
    "backupexecmanagementservice.exe",
    "backupexecrpcservice.exe",
    "backupexecvssprovider.exe",
    "bedbg.exe",
    "benetns.exe",
    "beserver.exe",
    "pvlsvr.exe",
    "raw_agent_svc.exe",
    "cagservice.exe",
    // Accounting / ERP
    "sage.exe",
    "qbw32.exe",
    "qbdbmgr.exe",
    "qbdbmgrn.exe",
    "qbcfmonitorservice.exe",
    // Misc services
    "synctime.exe",
    "agntsvc.exe",
    "isqlplussvc.exe",
    "xfssvccon.exe",
    "mydesktopservice.exe",
    "mydesktopqos.exe",
    "ocautoupds.exe",
    "encsvc.exe",
    "ocomm.exe",
    "sqbcoreservice.exe",
    "ds_agent.exe",
    "zoolz.exe",
    // Web / app servers
    "httpd.exe",
    "nginx.exe",
    "node.exe",
    "java.exe",
    // Misc
    "hitmanpro.alert.exe",
    "googleupdate.exe",
];

/// Minimum number of kills from `RANSOMWARE_KILL_PROCESSES` within
/// `RANSOMWARE_KILL_WINDOW_NS` to constitute a high-confidence ransomware
/// process-termination cluster.
pub const RANSOMWARE_KILL_CLUSTER_THRESHOLD: usize = 5;

/// Sliding time window (nanoseconds) for clustering ransomware process kill events.
pub const RANSOMWARE_KILL_WINDOW_NS: i64 = 60_000_000_000; // 60 seconds

/// Canonical service names stopped by ransomware staging scripts.
///
/// Covers Veeam, SQL Server, Exchange, Commvault, BackupExec, Sophos, McAfee,
/// Kaspersky, and Malwarebytes — the services most commonly enumerated in
/// LockBit 3.0 (CISA AA23-075A), Conti, and Babuk kill scripts.
/// All lowercased; compare case-insensitively at runtime.
pub const RANSOMWARE_STOP_SERVICES: &[&str] = &[
    // VSS (all ransomware)
    "vss",
    // SQL Server
    "sqlserveragent",
    "mssqlserver",
    "sqlbrowser",
    "sqlwriter",
    "reportserver",
    "sqlanywhere",
    "sqladhlp",
    "sqltelemetry",
    "mssqlserveradhelper",
    "mssqlserveradhelper100",
    "mssqlserverolapservice",
    // Veeam backup (LockBit 3.0 CISA AA23-075A + Conti leak)
    "veeambackupsvc",
    "veeamcatalogsvc",
    "veeamtransportsvc",
    "veeammountsvc",
    "veeamdeploysvc",
    "veeamnfssvc",
    "veeamrestsvc",
    "veeamcloudsvc",
    "veeamdistributionsvc",
    "veeamenterprisemanagersvc",
    "veeamdeploymentservice",
    "veeambrokerssvc",
    // Commvault (explicitly cited in CISA AA23-075A for LockBit 3.0)
    "gxvss",
    "gxblr",
    "gxfwd",
    "gxcvd",
    "gxcimgr",
    // BackupExec
    "backupexecagentaccelerator",
    "backupexecagentbrowser",
    "backupexecdevicemediaservice",
    "backupexecjobengine",
    "backupexecmanagementservice",
    "backupexecrpcservice",
    "backupexecvssprovider",
    // Acronis
    "acrsch2svc",
    "acronisagent",
    // Sophos
    "sophosagent",
    "sophosautoupdateservice",
    "savadminservice",
    "savservice",
    "sophosclean",
    "sophoshealth",
    "sophosmcsagent",
    "sophosmcsclient",
    "sophosmessagerouter",
    "sophossafestore",
    "sophossystemprotectionservice",
    // Exchange
    "msexchangeis",
    "msexchangetransport",
    "msexchangeadtopology",
    "msexchangedelivery",
    "msexchangefrontendtransport",
    "msexchangerepl",
    "msexchangesa",
    "msexchangeservicehost",
    "msexchangees",
    "msexchangemta",
    "msexchangeantispamupdate",
    "msexchangefastsearch",
    "msexchangehm",
    "msexchangeum",
    "msexchangeumcr",
    // McAfee
    "mfemms",
    "mfefire",
    "mfevtp",
    "mcshield",
    "mctaskmanager",
    // Kaspersky
    "kavfs",
    "kavfsgt",
    "kavfsslp",
    "klnagent",
    // Malwarebytes
    "mbamservice",
    // QuickBooks
    "qbcfmonitorservice",
    "qbidpservice",
    "qbvss",
    // IIS / web
    "w3svc",
    "iisadmin",
    "smtpsvc",
    "imap4svc",
    "pop3svc",
    // Misc backup / recovery
    "wbengine",
    "sdrsvc",
    "pdvfsservice",
    // ESET
    "ehttpsrv",
    "epsecurityservice",
    "epupdateservice",
    "erasrv",
    "esgshkernel",
    // SCOM / MOM
    "healthservice",
    // Trend Micro
    "ntrtscan",
    "tmccsf",
    "tmlisten",
    // Defender
    "msmpsvc",
];

/// Minimum number of stops from `RANSOMWARE_STOP_SERVICES` within
/// `RANSOMWARE_KILL_WINDOW_NS` to constitute a high-confidence cluster.
pub const RANSOMWARE_SERVICE_STOP_CLUSTER_THRESHOLD: usize = 3;

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn ransom_note_filenames_not_empty() {
        assert!(
            !RANSOM_NOTE_FILENAMES.is_empty(),
            "RANSOM_NOTE_FILENAMES must contain entries"
        );
    }

    #[test]
    fn ransom_note_filenames_covers_stop_djvu() {
        assert!(
            RANSOM_NOTE_FILENAMES.contains(&"_readme.txt"),
            "STOP/DJVU _readme.txt must be covered"
        );
    }

    #[test]
    fn ransom_note_filenames_covers_lockbit() {
        assert!(
            RANSOM_NOTE_FILENAMES.contains(&"LockBit_README.txt"),
            "LockBit note must be covered"
        );
    }

    #[test]
    fn ransom_note_filenames_covers_wannacry() {
        assert!(
            RANSOM_NOTE_FILENAMES.contains(&"@Please_Read_Me@.txt"),
            "WannaCry note must be covered"
        );
    }

    #[test]
    fn ransom_note_filenames_covers_akira() {
        assert!(
            RANSOM_NOTE_FILENAMES.contains(&"akira_readme.txt"),
            "Akira note must be covered"
        );
    }

    #[test]
    fn ransom_note_filenames_covers_qwcrypt() {
        assert!(
            RANSOM_NOTE_FILENAMES.contains(&"FILES_ENCRYPTED.txt"),
            "QWCrypt/RedCurl note must be covered"
        );
    }

    #[test]
    fn ransom_note_filenames_covers_hive() {
        assert!(
            RANSOM_NOTE_FILENAMES.contains(&"HOW_TO_DECRYPT.txt"),
            "Hive note must be covered"
        );
    }

    #[test]
    fn ransom_note_filenames_covers_cryptolocker() {
        assert!(
            RANSOM_NOTE_FILENAMES.contains(&"DECRYPT_INSTRUCTION.html"),
            "CryptoLocker note must be covered"
        );
    }

    #[test]
    fn ransom_note_filenames_no_duplicates() {
        let mut sorted = RANSOM_NOTE_FILENAMES.to_vec();
        sorted.sort_unstable();
        let original_len = sorted.len();
        sorted.dedup();
        assert_eq!(
            sorted.len(),
            original_len,
            "RANSOM_NOTE_FILENAMES contains duplicate entries"
        );
    }

    #[test]
    fn ransom_note_filenames_no_path_separators() {
        for name in RANSOM_NOTE_FILENAMES {
            assert!(
                !name.contains('\\') && !name.contains('/'),
                "Entry '{name}' contains a path separator — basenames only"
            );
        }
    }

    #[test]
    fn ransom_note_filenames_has_substantial_coverage() {
        assert!(
            RANSOM_NOTE_FILENAMES.len() >= 50,
            "Expected at least 50 ransom note filenames for meaningful coverage, got {}",
            RANSOM_NOTE_FILENAMES.len()
        );
    }

    // ── Ransomware kill / stop list tests ────────────────────────────────────

    #[test]
    fn kill_processes_includes_sql_server() {
        assert!(
            RANSOMWARE_KILL_PROCESSES.iter().any(|p| p.contains("sql")),
            "must include SQL server process names"
        );
    }

    #[test]
    fn kill_processes_includes_veeam() {
        assert!(
            RANSOMWARE_KILL_PROCESSES
                .iter()
                .any(|p| p.contains("veeam")),
            "must include Veeam process names"
        );
    }

    #[test]
    fn kill_processes_includes_av_product() {
        assert!(
            RANSOMWARE_KILL_PROCESSES
                .iter()
                .any(|p| p.contains("sophos") || p.contains("mcshield") || p.contains("msmpeng")),
            "must include at least one AV process"
        );
    }

    #[test]
    fn kill_processes_all_lowercase() {
        for name in RANSOMWARE_KILL_PROCESSES {
            assert_eq!(
                *name,
                name.to_lowercase(),
                "all kill-list process names must be lowercase, got '{name}'"
            );
        }
    }

    #[test]
    fn kill_processes_no_path_separators() {
        for name in RANSOMWARE_KILL_PROCESSES {
            assert!(
                !name.contains('\\') && !name.contains('/'),
                "'{name}' must be a basename only"
            );
        }
    }

    #[test]
    fn kill_cluster_threshold_is_at_least_3() {
        const _: () = assert!(
            RANSOMWARE_KILL_CLUSTER_THRESHOLD >= 3,
            "threshold must be at least 3 to avoid trivial false positives"
        );
    }

    #[test]
    fn kill_window_is_60_seconds() {
        assert_eq!(
            RANSOMWARE_KILL_WINDOW_NS, 60_000_000_000,
            "window must be exactly 60 seconds in nanoseconds"
        );
    }

    #[test]
    fn stop_services_includes_veeam() {
        assert!(
            RANSOMWARE_STOP_SERVICES.iter().any(|s| s.contains("veeam")),
            "must include Veeam backup services"
        );
    }

    #[test]
    fn stop_services_includes_commvault_cluster() {
        let commvault = &["gxvss", "gxblr", "gxfwd", "gxcvd", "gxcimgr"];
        for svc in commvault {
            assert!(
                RANSOMWARE_STOP_SERVICES.contains(svc),
                "Commvault '{svc}' must be in stop-list (cited in CISA AA23-075A)"
            );
        }
    }

    #[test]
    fn stop_services_all_lowercase() {
        for svc in RANSOMWARE_STOP_SERVICES {
            assert_eq!(
                *svc,
                svc.to_lowercase(),
                "all stop-list service names must be lowercase, got '{svc}'"
            );
        }
    }

    #[test]
    fn service_stop_threshold_is_at_least_3() {
        const _: () = assert!(
            RANSOMWARE_SERVICE_STOP_CLUSTER_THRESHOLD >= 3,
            "threshold must be at least 3"
        );
    }
}