alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Galock Ransomware Check-in"; flow:established,to_server; http.uri; content:"&os="; content:"&hostname="; content:"&codepage="; content:"&account"; http.header; content:"|3a 20|Mozilla/4.1|20|"; fast_pattern; reference:url,twitter.com/kafeine/status/314859973064667136/photo/1; classtype:trojan-activity; sid:2016644; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2020_09_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)