alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt Requesting Key/Wallet/Note"; flow:established,to_server; flowbits:isset,ET.Socks5.OnionReq; flowbits:set,ET.QNAPCrypt.DetailReq; http.request_line; content:"GET /api/GetAvailKeysByCampId/"; depth:30; fast_pattern; http.header; content:".onion|0d 0a|user-agent|3a 20|go-http-client/1.1"; nocase; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:trojan-activity; sid:2027704; rev:2; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Ransomware, updated_at 2026_04_30;)