```
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious TLSV1.2 connection from Windows 🪟 (JA3) seen in 🔒 REvil / Sodinokibi ransomware attack (check that the destination is legitimate)"; flow:to_server, stateless; ja3.hash; content:"ce5f3254611a8c095a3d821d44539877"; fast_pattern; tls_sni; content:!"adobe.com"; endswith; nocase; content:!"microsoft.com"; endswith; nocase; content:!"skype.com"; endswith; nocase; content:!"msn.com"; endswith; nocase; content:!"office.net"; endswith; nocase; content:!"live.com"; endswith; nocase; content:!"office.com"; endswith; nocase; content:!"office365.com"; endswith; nocase; content:!"azureedge.net"; endswith; nocase; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.revil; metadata:created_at 2023_11_18, updated_at 2023_11_28; sid:3301092; rev:4; classtype:trojan-activity;)
```
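The rule combines two checks: the `ja3.hash` buffer must equal the published MD5, and the `tls_sni` buffer must not end (case-insensitively) with any of the listed domains, since the JA3 value is a Windows TLS-stack fingerprint that legitimate software also produces. The following added example (not part of the rule set or of Suricata; it is written here for illustration) computes a JA3 string and hash from constructed ClientHello field lists, including the GREASE filtering JA3 requires, and then replays the rule's match and exclusion logic over a few constructed eve.json-style `tls` records. The field lists, the `SAMPLE_EVENTS` records and the helper names (`ja3_string`, `rule_matches`, `alerts_from_eve`) are assumptions made for the example.

```python
import hashlib
from typing import Iterable, List

# JA3 MD5 the rule above matches on (copied from its ja3.hash content).
REVIL_JA3 = "ce5f3254611a8c095a3d821d44539877"

# SNI suffixes the rule excludes with negated tls_sni content + endswith + nocase.
SNI_EXCLUSIONS = (
    "adobe.com", "microsoft.com", "skype.com", "msn.com", "office.net",
    "live.com", "office.com", "office365.com", "azureedge.net",
)


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values are 0x0a0a, 0x1a1a, ..., 0xfafa; JA3 drops them."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_string(version: int, ciphers: Iterable[int], extensions: Iterable[int],
               curves: Iterable[int], point_formats: Iterable[int]) -> str:
    """Build the JA3 string: Version,Ciphers,Extensions,Curves,PointFormats.

    Each list is decimal values joined by '-', in ClientHello order, with
    GREASE entries removed from ciphers, extensions and curves.
    """
    def join(values: Iterable[int]) -> str:
        return "-".join(str(v) for v in values if not is_grease(v))

    return ",".join([str(version), join(ciphers), join(extensions),
                     join(curves), "-".join(str(v) for v in point_formats)])


def ja3_hash(ja3: str) -> str:
    """The JA3 hash is the MD5 hex digest of the JA3 string (what ja3.hash inspects)."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


def sni_excluded(sni: str) -> bool:
    """Mirror the rule's negated contents: case-insensitive suffix match, no leading dot."""
    lowered = sni.lower()
    return any(lowered.endswith(suffix) for suffix in SNI_EXCLUSIONS)


def rule_matches(ja3: str, sni: str) -> bool:
    """True when the rule would alert: JA3 hash matches and no SNI exclusion fires."""
    return ja3.lower() == REVIL_JA3 and not sni_excluded(sni)


def alerts_from_eve(events: Iterable[dict]) -> List[str]:
    """Run the rule logic over eve.json-style tls records; return the SNIs that alert."""
    hits = []
    for ev in events:
        tls = ev.get("tls", {})
        if rule_matches(tls.get("ja3", {}).get("hash", ""), tls.get("sni", "")):
            hits.append(tls.get("sni", ""))
    return hits


# Constructed sample records in the shape of Suricata eve.json tls events (values made up).
SAMPLE_EVENTS = [
    {"tls": {"sni": "login.MICROSOFT.com", "ja3": {"hash": REVIL_JA3}}},
    {"tls": {"sni": "update.example-cdn.net", "ja3": {"hash": REVIL_JA3}}},
    {"tls": {"sni": "microsoft.com.attacker.example", "ja3": {"hash": REVIL_JA3}}},
    {"tls": {"sni": "notmicrosoft.com", "ja3": {"hash": REVIL_JA3}}},
    {"tls": {"sni": "update.example-cdn.net", "ja3": {"hash": "0" * 32}}},
]


if __name__ == "__main__":
    # Constructed ClientHello field lists with GREASE values that must be dropped.
    s = ja3_string(771, [0x0A0A, 4865, 4866, 49195],
                   [0x1A1A, 0, 10, 11, 35], [0x2A2A, 29, 23], [0])
    print(s, ja3_hash(s))
    print(alerts_from_eve(SAMPLE_EVENTS))
```

Two behaviours worth noticing when tuning this rule: `endswith` without a leading dot means an SNI such as `notmicrosoft.com` is suppressed just like `login.microsoft.com`, while `microsoft.com.attacker.example` is not suppressed because the allowlisted string is not at the end. The example assumes an SNI is present; how Suricata evaluates negated `tls_sni` contents for a ClientHello that carries no SNI extension is not modelled here.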
| Metadata | |
|---|---|
| created_at | 2023_11_18 |
| updated_at | 2023_11_28 |