Versions (4)
Version DetailsCurrent
Rev: 6 • Jan 23, 2015, 12:00 PMET MALWARE Generic DNS Query for Suspicious CryptoWall (crpt) Domains
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Generic DNS Query for Suspicious CryptoWall (crpt) Domains"; dns.query; content:"crpt"; fast_pattern; depth:4; pcre:"/^[a-zA-Z0-9]{12}\.onion/R"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020292; rev:6; metadata:created_at 2015_01_23, deprecation_reason Age, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_01, reviewed_at 2024_04_01;)
Jan 23, 2015, 12:00 PM
Apr 1, 2024, 12:00 PM
Sep 21, 2024, 3:00 AM
Oct 1, 2025, 9:34 PM
rules/emerging-malware.rules