Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ranscam Ransomware Contact Form"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"action=|22|http|3a|//www.tectite.com"; fast_pattern; nocase; content:"EmailAddr|3a|Your email address"; nocase; distance:0; content:"Message|3a|Your message"; nocase; distance:0; content:"Use your real email if you want a response"; nocase; distance:0; content:"spam folder if you do not receive"; nocase; distance:0; reference:md5,926a8d1c842964b2b81f5f94f6ae73b1; reference:url,blog.talosintel.com/2016/07/ranscam.html; classtype:trojan-activity; sid:2022968; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, confidence High, signature_severity Major, tag Ransomware, updated_at 2020_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)