alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Tobfy.Ransomware Invalid URI CnC Request"; flow:established,to_server; http.uri; content:"/.ru|60|utr/qiq"; http.host; content:".my-files-download.ru"; reference:url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html; classtype:command-and-control; sid:2016187; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag Ransomware, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_05_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)