alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Revoyem Ransomware Check-in"; flow:established,to_server; http.uri; content:".php?id="; content:"&os="; content:"&bot_id="; fast_pattern; pcre:"/\.php\?id=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}&os=\d\.\d[^&]*&bot_id=/"; reference:url,www.botnets.fr/index.php/Revoyem; classtype:trojan-activity; sid:2016731; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_04_06, deployment Perimeter, signature_severity Major, tag Ransomware, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)