
Rule History

SID: 2027705 • Source: et/open

Versions (5)

Version Details (Current)

Rev: 2 • Jul 11, 2019, 12:00 PM

ET MALWARE eCh0raix/QNAPCrypt Successful Server Response

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt Successful Server Response"; flow:established,to_client; flowbits:isset,ET.QNAPCrypt.DetailReq; http.response_line; bsize:17; content:"HTTP/1.1 200 OK|0d 0a|"; http.content_type; content:"application/json"; http.response_body; content:"|7b 22|RsaPublicKey|22 3a 22|-----BEGIN RSA PUBLIC KEY"; content:"|22 7d 2c 7b 22|BtcPublicKey|22 3a 22|"; fast_pattern; content:"|22 7d 2c 7b 22|Readme|22 3a 22|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:trojan-activity; sid:2027705; rev:2; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_04_30;)

Jul 11, 2019, 12:00 PM

Apr 30, 2026, 12:00 PM

Sep 21, 2024, 3:00 AM

May 26, 2026, 8:12 PM

rules/emerging-malware.rules