Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wacatac Ransomware Variant Retrieving File (GET)"; flow:established,to_server; http.request_line; content:"GET /decryptor-gui.exe HTTP/1.1"; fast_pattern; http.referer; content:"/payment-registration"; endswith; http.host; content:".onion"; endswith; reference:url,app.any.run/tasks/552daf29-bab5-4065-873c-51542925071c/; reference:url,twitter.com/petrovic082/status/1541392264030814212; reference:md5,1a209343e0eb93a07c0da41ef5c93ab0; classtype:trojan-activity; sid:2037129; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_27, deployment Perimeter, malware_family Win32_Wacatac, confidence High, signature_severity Major, tag Ransomware, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_06_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)