alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Revoyem Ransomware Activity"; flow:established,to_server; http.uri; content:".php?id="; content:"&gr"; fast_pattern; pcre:"/\.php\?id=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}-(\d{1,3}\.){3}\d{1,3}&gr/"; reference:url,www.botnets.fr/index.php/Revoyem; classtype:trojan-activity; sid:2016732; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_04_06, deployment Perimeter, signature_severity Major, tag Ransomware, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)