""ET TROJAN Revoyem Ransomware Activity""

SID: 2016732

Revision: 3

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2013_04_06, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2013_04_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact

Reference:

• Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: ".php?id="

• Value: "&gr"

Within:

PCRE: "/.php\?id=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}-(\d{1,3}.){3}\d{1,3}&gr/U"

Special Options:

• http_uri

• http_uri

source