alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alfa/Alpha Ransomware Checkin"; flow:established,to_server; urilen:33; http.method; content:"GET"; http.start; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; pcre:"/^GET\x20\/[A-F0-9]{32}\x20HTTP\/1\.1\r\nHost\x3a\x20[^\r\n]+\r\n\r\n$/"; http.header_names; content:!"Accept"; content:!"Connection"; content:!"Cache-Control"; content:!"Pragma"; content:!"Referer"; content:!"User-Agent"; reference:md5,0601d824d188a42bc530f349926f1f95; reference:md5,900cacbd18f1e21cf6b5a9f842c23b72; reference:url,www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/; classtype:command-and-control; sid:2023083; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_22, deployment Perimeter, deprecation_reason Age, confidence High, signature_severity Major, tag Ransomware, updated_at 2024_04_04, reviewed_at 2024_04_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)