# Sagan windows-malware.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16464"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 5155,5154,861; threshold: type suppress, track by_username, count 5, seconds 300; default_proto: udp; default_dst_port: 16464; classtype: network-event; program: *Security*; sid:5008673; metadata: created_on 2022_11_22, old_sid 5001735; rev:9;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16465"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 5155,5154,861; threshold: type suppress, track by_username, count 5, seconds 300; default_proto: udp; default_dst_port: 16465; classtype: network-event; program: *Security*; sid:5008674; metadata: created_on 2022_11_22, old_sid 5001736; rev:9;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16470"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 5155,5154,861; threshold: type suppress, track by_username, count 5, seconds 300; default_proto: udp; default_dst_port: 16470; classtype: network-event; program: *Security*; sid:5008675; metadata: created_on 2022_11_22, old_sid 5001737; rev:9;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16471"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 5155,5154,861; threshold: type suppress, track by_username, count 5, seconds 300; default_proto: udp; default_dst_port: 16471; classtype: network-event; program: *Security*; sid:5008676; metadata: created_on 2022_11_22, old_sid 5001738; rev:9;)
# Black POS: alerts when a Security-log event of type 4688/592 (process
# creation) or 4657/567 (registry value / object access) carries the literal
# string "POSWDS" in the rendered description. There is no nocase, so the
# match is case-sensitive.
# The endpoint_command SHUTDOWN metadata presumably drives an automated
# response downstream — confirm before deploying, as a single match fires it.
# NOTE(review): created_on is given twice (two metadata options, the second
# one adding old_sid); this looks like an artifact of the Event Hub
# conversion — confirm Sagan merges rather than rejects duplicate metadata.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Black POS Malware Detected [5/5]"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4657,4688,592,567; content: "POSWDS"; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; program: *Security*; sid:5008677; metadata: created_on 2022_11_22, old_sid 5001951; rev:8;)
#*************************************************************
# These rules are based upon research by Russ Anthony. More
# information can be found in his white paper at:
#
# https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262
#*************************************************************
# Service Control Manager messages in which a Defender / anti-virus service
# name appears together with "stop control". The %sagan% placeholder is
# expanded once per list item (defender, anti-virus, antivirus) and
# meta_nocase makes that comparison case-insensitive; the "stop control"
# content match itself has no nocase and is case-sensitive.
# flexbits isnotset,by_src,reboot.windows holds the alert back while a
# reboot.windows flexbit is set for the source host, so AV stops that are part
# of a reboot are not reported. The rule that sets that flexbit is not in this
# file — verify it is loaded alongside this one; if it never gets set the
# guard is a no-op and every matching stop will alert.
# NOTE(review): 4689/593 are Security-log process-exit IDs, but program: is
# pinned to Service_Control_Manager, so those IDs likely never reach this
# rule — confirm the intent.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] System protection disabled"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 7034,7035,7046,7040,4689,593; meta_content: "%sagan%",defender,anti-virus,antivirus; meta_nocase; content: "stop control"; flexbits: isnotset,by_src,reboot.windows; program: Service_Control_Manager; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; sid:5008678; metadata: created_on 2022_11_22, old_sid 5002011; rev:14;)
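# Misspelled look-alikes of core Windows process names (svchost.exe /
# iexplore.exe variants) in process-creation events 4688 (legacy 592).
# meta_content expands "%sagan%.exe" once per list item, so the rule matches
# e.g. "scvhost.exe"; meta_nocase makes the comparison case-insensitive.
# Fix (rev 8): the list used to end in `iexplorer"` — that double quote was
# stray. Depending on how Sagan tokenises the list it either became part of
# the last item (so "iexplorer.exe" could never match) or broke the option;
# either way it did not belong there.
# NOTE(review): created_on appears in both metadata options (conversion
# artifact) — confirm Sagan merges duplicate metadata keywords.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious misspelled process"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; meta_content: "%sagan%.exe",scvhost,svcdost,scvdost,iexplorer; meta_nocase; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; program: *Security*; sid:5008679; metadata: created_on 2022_11_22, old_sid 5001999; rev:8;)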
# Process-creation events (4688 / legacy 592) whose "File Name: x:" field uses
# a lower-case drive letter c, d or e. |3a| is the hex escape for ':'. There
# is deliberately no meta_nocase here: an upper-case drive letter (the form
# Windows itself writes) does not match, and that asymmetry is the detection.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Lower case drive letter used in process"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; meta_content: "File Name|3a| %sagan%|3a|",c,d,e; classtype: trojan-activity; program: *Security*; sid:5008680; metadata: created_on 2022_11_22, old_sid 5002000; rev:7;)
# svchost.exe started from somewhere other than its canonical location: the
# first content requires the file name, the negated second content rejects the
# expected full path. nocase follows the negated content; in Snort-style
# syntax it modifies only the preceding content, so the positive
# "\\svchost.exe" match is presumably case-sensitive — confirm Sagan's rules.
# NOTE(review): on 64-bit Windows the legitimate 32-bit copy lives under
# SysWOW64 and is not excluded here, so expect alerts (and the SHUTDOWN
# endpoint_command) for ordinary 32-bit service hosts; consider whether that
# path should also be excluded before relying on the automated action.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Incorrect path called for svchost.exe"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; content: "\\svchost.exe"; content:!"C|3a|\\WINDOWS\\System32\\svchost.exe"; nocase; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; program: *Security*; sid:5008681; metadata: created_on 2022_11_22, old_sid 5002001; rev:7;)
# Same pattern for explorer.exe, whose only expected location is
# C:\WINDOWS\explorer.exe. The same nocase-placement caveat as above applies.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Incorrect path called for explorer.exe"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; content: "\\explorer.exe"; content:!"C|3a|\\WINDOWS\\explorer.exe"; nocase; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; program: *Security*; sid:5008682; metadata: created_on 2022_11_22, old_sid 5002002; rev:7;)
# Event 4097 (as this ruleset's log source reports it) mentioning Adobe,
# Microsoft Office, Java or wmplayer: crashes in client software that is
# commonly targeted by exploits are worth a look. The pcre carries no /i
# flag, so the product names must match in exactly this case.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious application crash"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4097; pcre: "/Adobe|Microsoft Office|Java|wmplayer/"; classtype: trojan-activity; program: *Security*; sid:5008683; metadata: created_on 2022_11_22, old_sid 5002003; rev:6;)
# Names of known credential-dumping / memory-acquisition tools anywhere in a
# *Security* message, case-insensitively (meta_nocase). The negated content
# excludes DataStoreCacheDumpTool.exe, which would otherwise be hit by the
# "cachedump" list item. There is no event_id filter, so any Security-log
# event that mentions one of these names fires.
# NOTE(review): unlike its neighbours this rule has no json_map, so for the
# JSON (Event Hub) input it is not obvious which field meta_content is
# evaluated against — confirm it still matches after the conversion.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious Tool Event"; meta_content: "%sagan%",win32dd.exe,win64dd.exe,cachedump,fgdump,gsecdump,lslsass,mimikatz,pwdump7,pwdumpx,pwdump,wce.exe,getlsasrvaddr,iam.exe,iam-alt,whosthere.exe,whosthere-alt,genhash,lsadump,procdump; meta_nocase; content: !"DataStoreCacheDumpTool.exe"; nocase; program: *Security*; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; sid:5008684; metadata: created_on 2022_11_22, old_sid 5002006; rev:10;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Virus Found!"; content: "virus found"; nocase; classtype: trojan-activity; sid:5008685; metadata: created_on 2022_11_22, old_sid 5002007; rev:2;)
# Added by Champ Clark - 08/26/2014
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] RASWMI Malware process detected"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; content: "|3a|\\Windows\\system32\\wbem\\raswmi.dll"; classtype: trojan-activity; program: *Security*; sid:5008686; metadata: created_on 2022_11_22, old_sid 5002103; rev:6;)
# Added by Champ Clark - 06/08/2016
# Security-Auditing| 4663: AUDIT_SUCCESS An attempt was made to access an object. Subject: *Security ID: S-1-5-21-3033682373-1303307761-3711879957-1000 Account Name: frankw Account Domain: frankw-PC Logon ID: 0x144f4 Object: Object Server: *Security Object Type: File Object Name: C:\\ProgramData\\Microsoft\\User Account Pictures\\B2DFD6E96212209F0583673878AA9EF6.locky Handle ID: 0x5d68 Process Information: Process ID: 0x6a8 Process Name: C:\\Users\\frankw\\AppData\\Local\\Temp\\30e22374e00af038d06063db14cb3797.exe Access Request Information: Accesses: WriteAttributes Access Mask: 0x100
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Locky or AutoLocky ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".locky "; classtype: trojan-activity; program: *Security*; sid:5008687; metadata: created_on 2022_11_22, old_sid 5002801; reference: url,decrypter.emsisoft.com; rev:8;)
# Ransomware rules By Corey Fisher ([email protected]) & Bryan Manradge.
# 04/11/2016
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware note detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: "_Locky_recover_instructions.txt"; program: *Security*; classtype: trojan-activity; reference: url,http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/; sid:5008688; metadata: created_on 2022_11_22, old_sid 5002804; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cryptowall 4.0 ransomware note detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: "%sagan%",HELP_YOUR_FILES,DECRYPT_INSTRUCTION; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#cryptowall4; sid:5008689; metadata: created_on 2022_11_22, old_sid 5002805; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cryptowall ransomware note detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: "HELP_DECRYPT.txt"; content: "WriteData"; program: *Security*; classtype: trojan-activity; sid:5008690; metadata: created_on 2022_11_22, old_sid 5002806; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptInfinite/DecryptorMax ransomware note detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: "ReadDecryptFilesHere.txt"; program: *Security*; classtype: trojan-activity; reference: url,http://www.bleepingcomputer.com/news/security/cryptinfinite-or-decryptormax-ransomware-decrypted/; reference: url,decrypter.emsisoft.com;sid:5008691; metadata: created_on 2022_11_22, old_sid 5002807; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt ransomware note detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: "%sagan%",HELP_TO_DECRYPT_YOUR_FILES.txt,Howto_Restore_FILES.txt,_how_recover_.TXT,_H_e_l_p_RECOVER_INSTRUCTIONS.txt; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,www.pcrisk.com/removal-guides/8724-teslacrypt-virus; sid:5008692; metadata: created_on 2022_11_22, old_sid 5002808; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Teslacrypt ransomware note type 2 detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; pcre: "/\\+-xxx-HELP-xxx-\\+[0-9a-zA-Z]+-\\+\.txt/i"; program: *Security*; classtype: trojan-activity; reference: url,www.virustotal.com/en/file/161d1b77a6867603745046e81e52a186ea764ba8c723c9698da707c245505e95/analysis/1458765163/; sid:5008693; metadata: created_on 2022_11_22, old_sid 5002809; rev:7;)
# More Ransomware rules by Champ Clark ([email protected]).
#
# Data for these ransomware rules come from:
# https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g
# http://www.nyxbone.com/malware/RansomwareOverview.html
# CryptoHasYou. - Trojan:Win32/Dynamer!ac or Rakhni
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TrueCrypter Rakhni or .CryptoHasYou. - Trojan:Win32/Dynamer!ac ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content:!"\\encoding\\"; nocase; meta_content: ".%sagan% ",enc,cryptohasyou; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008694; metadata: created_on 2022_11_22, old_sid 5002819; rev:10;)
# CryptoHasYou
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] .CryptoHasYou. - Trojan:Win32/Dynamer!ac ransom note detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: "YOUR_FILES_ARE_LOCKED.txt"; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008695; metadata: created_on 2022_11_22, old_sid 5002820; rev:7;)
# 7ev3n - Ransom:Win32/Empercrypt.A
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] 7ev3n - Ransom:Win32/Empercrypt.A ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content:".%sagan% ",R5A,R4A; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,github.com/hasherezade/malware_analysis/tree/master/7ev3n; sid:5008696; metadata: created_on 2022_11_22, old_sid 5002821; rev:11;)
# BitCryptor - Win32/Cribit or CoinVault - Ransom: MSIL/Vaultlock.A
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Win32/Cribit or MSIL/Vaultlock.A ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".clf "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,noransom.kaspersky.com; sid:5008697; metadata: created_on 2022_11_22, old_sid 5002822; rev:9;)
# Cerber - Win32/Cerber
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cerber - Win32/Cerber ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".cerber "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008698; metadata: created_on 2022_11_22, old_sid 5002823; rev:8;)
# Chimera - Win32/Chicrypt
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Chimera - Win32/Chicrypt ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".crypt "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html;sid:5008699; metadata: created_on 2022_11_22, old_sid 5002824; rev:8;)
# Coverton
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Coverton ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: ".%sagan% ", coverton,enigma,czvxce; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008700; metadata: created_on 2022_11_22, old_sid 5002825; rev:8;)
# CryptInfinite
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptInfinite ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".crinf "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008701; metadata: created_on 2022_11_22, old_sid 5002826; rev:8;)
# CryptoJoker
# NOTE(review): the msg text below still reads "CryptInfinite" (apparently
# copied from sid 5008701 above), while the content ".crjoker " is the
# CryptoJoker extension. Correct the alert name if this rule is re-enabled,
# otherwise analysts will be pointed at the wrong family.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptInfinite ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".crjoker "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008702; metadata: created_on 2022_11_22, old_sid 5002827; rev:8;)
# CryptoTorLocker2015
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoTorLocker2015 ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".CryptoTorLocker2015! "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008703; metadata: created_on 2022_11_22, old_sid 5002828; rev:8;)
# CryptXXX or Gomasom
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptXXX or Gomasom ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".crypt "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008704; metadata: created_on 2022_11_22, old_sid 5002829; rev:8;)
# Hi Buddy! or Rakhni
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Hi Buddy! or Rakhni ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".cry "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008705; metadata: created_on 2022_11_22, old_sid 5002830; rev:8;)
# iLock, iLockLight or Lortok
# The only extension rule in this group that is still enabled. Matches object
# / share access events (4663, legacy 567, 5145) whose rendered description
# contains ".crime " case-insensitively; the trailing space presumably anchors
# the token to the end of a file name. Unlike the disabled neighbours it
# carries endpoint_command SHUTDOWN, so a single match may trigger an
# automated endpoint action — review on shares where ".crime" could be a
# benign extension before relying on that.
# NOTE(review): created_on appears in both metadata options (conversion
# artifact) — confirm Sagan merges duplicate metadata keywords.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] iLock, iLockLight or Lortok ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".crime "; nocase; program: *Security*; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008706; metadata: created_on 2022_11_22, old_sid 5002831; rev:9;)
# Jigsaw - Ransom:MSIL/JigsawLocker.A
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw - MSIL/JigsawLocker.A"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: ".%sagan% ", btc,kkk,fun,gws; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom; sid:5008707; metadata: created_on 2022_11_22, old_sid 5002832; rev:8;)
# Job Crypter, KimcilWare, SkidLocker, Pompous, Strictor or Rakhni
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] EDA2,HiddenTear,Job Crypter,KimcilWare,SkidLocker,Pompous,Strictor or Rakhni ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".locked "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008708; metadata: created_on 2022_11_22, old_sid 5002833; rev:9;)
# KeyBTC - Ransom: Win32/Isda - Ransom: BAT/Xibow
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KeyBTC - Win32/Isda - BAT/Xibow ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".keybtc@inbox_com "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008709; metadata: created_on 2022_11_22, old_sid 5002834; rev:8;)
# KimcilWare
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KimcilWare ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".kimcilware "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it; sid:5008710; metadata: created_on 2022_11_22, old_sid 5002835; rev:9;)
# LeChiffre
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] LeChiffre ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".lechiffre "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,decrypter.emsisoft.com/lechiffre; sid:5008711; metadata: created_on 2022_11_22, old_sid 5002836; rev:8;)
# LowLevel04
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] LowLevel04 ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".oor."; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008712; metadata: created_on 2022_11_22, old_sid 5002847; rev:8;)
# Magic
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Magic ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".magic "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008713; metadata: created_on 2022_11_22, old_sid 5002837; rev:8;)
# MireWare
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] MireWare ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".fucked "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008714; metadata: created_on 2022_11_22, old_sid 5002838; rev:8;)
# Nemucod
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Nemucod ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".crypted "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,decrypter.emsisoft.com; reference: url,github.com/Antelox/NemucodFR; sid:5008715; metadata: created_on 2022_11_22, old_sid 5002839; rev:10;)
# Offline ransomware
# Disabled - causes a lot of false positives (F/P); this ransomware was last seen in 2018
# alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Offline ransomware ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".cbf "; nocase; program: *Security*; classtype: trojan-activity; threshold: type suppress, track by_username, count 5, seconds 300; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008716; metadata: created_on 2022_11_22, old_sid 5002840; rev:9;)
# OMG! Ransomware
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] OMG! ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".LOL! "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008717; metadata: created_on 2022_11_22, old_sid 5002841; rev:6;)
# Radamant
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Radamant ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".RADAMANT "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,decrypter.emsisoft.com; sid:5008718; metadata: created_on 2022_11_22, old_sid 5002842; rev:7;)
# Rakhni
# NOTE(review): the msg text below says "Coverton or Torrentlocker" although
# this is the Rakhni extension list (see header and the Kaspersky reference).
# Several list items are also very generic once expanded with ".%sagan% "
# (e.g. ".crypto ", ".encrypted ", ".AES256 "), so expect false positives if
# this rule is re-enabled without narrowing the list.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Coverton or Torrentlocker ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: ".%sagan% ",kraken,darkness,nochance,oshit,oplata@qq_com,relock@qq_com,crypto,[email protected],pizda@qq_com,dyatel@qq_com,_ryp,nalog@qq_com,chifrator@qq_com,gruzin@qq_com,troyancoder@qq_com,encrypted,AES256,hb15; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,support.kaspersky.com/us/viruses/disinfection/10556; sid:5008719; metadata: created_on 2022_11_22, old_sid 5002843; rev:9;)
# RemindMe
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] RemindMe ransomware extension or note detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; pcre: "/\.remindme |decrypt_your_files.html/i"; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008720; metadata: created_on 2022_11_22, old_sid 5002844; rev:8;)
# Rokku
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Rokku ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".rokku "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008721; metadata: created_on 2022_11_22, old_sid 5002845; rev:7;)
# Samas-Samsam
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Samas-Samsam ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: ".%sagan% ",encryptedAES,encryptedRSA,encedRSA,justbtcwillhelpyou,btcbtcbtc; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008722; metadata: created_on 2022_11_22, old_sid 5002846; rev:8;)
# Sanction
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Sanction ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".sanction "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008723; metadata: created_on 2022_11_22, old_sid 5002848; rev:7;)
# Sport
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Sport ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".sport "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008724; metadata: created_on 2022_11_22, old_sid 5002849; rev:6;)
# Surprise
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Surprise ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".suprise "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008725; metadata: created_on 2022_11_22, old_sid 5002850; rev:7;)
# TeslaCrypt 0.x - 2.2.0 (defunct)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt 0.x - 2.2.0 ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: ".%sagan% ",vvv,ecc,exx,ezz,abc,aaa,zzz,xyz; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt; reference: url,www.talosintel.com/teslacrypt_tool; sid:5008726; metadata: created_on 2022_11_22, old_sid 5002851; rev:6;)
# TeslaCrypt 3.0+ (defunct)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt 3.0+ ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: ".%sagan% ",micro,xxx,ttt; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008727; metadata: created_on 2022_11_22, old_sid 5002852; rev:6;)
# Troldesh
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Troldesh ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: ".%sagan% ",better_call_saul,xtbl; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008728; metadata: created_on 2022_11_22, old_sid 5002853; rev:5;)
# VaultCrypt
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Zlader / Russian or VaultCrypt ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: ".%sagan% ",vault,xort; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008729; metadata: created_on 2022_11_22, old_sid 5002854; rev:6;)
# Virus-Encoder
# alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Virus-Encoder ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".CrySiS "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008730; metadata: created_on 2022_11_22, old_sid 5002855; rev:6;)
# Xorist
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Xorist ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: ".%sagan% ", EnCiPhErEd,73i87A,p5tkjw,PoAr2w; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,support.kaspersky.com/viruses/disinfection/2911; sid:5008731; metadata: created_on 2022_11_22, old_sid 5002856; rev:6;)
# XRTN (the disabled rule below carries the same ".CrySiS " extension as the Virus-Encoder rule above; confirm the XRTN indicator before re-enabling)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] XRTN ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".CrySiS "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008732; metadata: created_on 2022_11_22, old_sid 5002857; rev:6;)
# CryptFIle2
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptFIle2 ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".scl "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008733; metadata: created_on 2022_11_22, old_sid 5002858; rev:6;)
# Cryaki (the disabled rule below carries the same ".scl " extension as the CryptFIle2 rule above; confirm the Cryaki indicator before re-enabling)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cryaki ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".scl "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,support.kaspersky.com/viruses/disinfection/8547; sid:5008734; metadata: created_on 2022_11_22, old_sid 5002859; rev:7;)
# CTB-Locker
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CTB-Locker ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".ctbl "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008735; metadata: created_on 2022_11_22, old_sid 5002860; rev:6;)
# El-Polocker
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] El-Polocker ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".ha3 "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008736; metadata: created_on 2022_11_22, old_sid 5002861; rev:6;)
# Mobef
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Mobef ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: ".%sagan% ",KEYZ,KEYH0LES; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008737; metadata: created_on 2022_11_22, old_sid 5002862; rev:6;)
# Alpha Ransomware
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alpha ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".encrypt "; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008738; metadata: created_on 2022_11_22, old_sid 5002863; rev:6;)
# WonderCrypter
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] WonderCrypter ransomware extension or note detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: "%sagan%",.h3ll,SECRETISHIDINGHEREINSIDE.KEY,YOUGOTHACKED.TXT; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008739; metadata: created_on 2022_11_22, old_sid 5002864; rev:8;)
# Zeta
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Zeta ransomware note detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: "HELP_YOUR_FILES.HTML"; nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008740; metadata: created_on 2022_11_22, old_sid 5002865; rev:6;)
# PLAUGE17 (?)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] PLAUGE17 ransomware extension or note detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: "%sagan%",.PLAUGE17,PLAUGE17.TXT; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008741; metadata: created_on 2022_11_22, old_sid 5002866; rev:9;)
# Unknown strains of ransomware
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Possible unknown strain ransomware extension or note detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: "%sagan%",.crypttt,.8lock8,.neitrino,.xcrypt,!!!ATTENTION.TXT!!!,READ_IT.TXT,FILES_BACK.TXT; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5008742; metadata: created_on 2022_11_22, old_sid 5002867; rev:6;)
# Based off a Tweet by Jack Crook (Twitter: @jackcr) after Derbycon talk.
#
# Matches Service Control Manager events that contain " 7045: " (the hex |3a| is a colon) and,
# anywhere in the message, either cmd.exe or %COMSPEC% (case-insensitive via meta_nocase).
# Restricted to program System or Service_Control_Manager; no event_id/json_map is used here,
# so the 7045 match is on the rendered message text rather than a mapped EventID field.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Suspicious Service Control Manager Call"; content: " 7045|3a| "; meta_content: "%sagan%", cmd.exe,%COMSPEC%; meta_nocase; program: System|Service_Control_Manager; classtype: suspicious-traffic; reference: url,twitter.com/jackcr/status/779716898296520704; sid:5008743; metadata: created_on 2022_11_22, old_sid 5002956; rev:5;)
# Alcatraz ransomware
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alcatraz ransomware extension or note detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: "%sagan%",.Alcatraz,ransomed.html; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,www.virustotal.com/en/file/be3afa19c76c2270ccac7eacf68f89603032c0588f721215e15a9d1421567969/analysis/; sid:5008744; metadata: created_on 2022_11_22, old_sid 5003024; rev:6;)
# Adylkuzz trojan rules.
# Steve Rawls (2017/05/18)
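# Service-install events (4697 / legacy 601) whose message names the WELM or WHDMIDE service.
# The reference URL is written without a space after "url," so it is formatted like every other
# reference in this file (rev bumped for that change only).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Adylkuzz Trojan service installation detected"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4697,601; pcre: "/ WELM | WHDMIDE /i"; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; program: *Security*; reference: url,www.symantec.com/security_response/writeup.jsp?docid=2017-051707-0237-99&tabid=2; sid:5008745; metadata: created_on 2022_11_22, old_sid 5003116; rev:5;)
# File-access events (4663 / 567 / 5145) referencing "._Miner_.log" (|2e 5f| and |5f 2e| are the
# literal "._" and "_." byte sequences). Same reference-URL formatting fix as above.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Adylkuzz Trojan log file detected"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: "|2e 5f|Miner|5f 2e|log"; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; program: *Security*; reference: url,www.symantec.com/security_response/writeup.jsp?docid=2017-051707-0237-99&tabid=2; sid:5008746; metadata: created_on 2022_11_22, old_sid 5003117; rev:5;)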
# New Petya rules - these are largely based on "open source" resources!
# Champ Clark III / 2017/06/27
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA256 hash detected - Open source"; meta_content: "%sagan%",64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206,ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5008747; metadata: created_on 2022_11_22, old_sid 5003121; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA1 hash detected - Open source"; meta_content: "%sagan%",34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,101cc1cb56c407d5b9149f2c3b8523350d23ba84,a809a63bc5e31670ff117d838522dec433f74bee,d5bf3f100e7dbcc434d7c58ebf64052329a60fc2,aba7aa41057c8a6b184ba5776c20f7e8fc97c657,bec678164cedea578a7aff4589018fa41551c27f,078de2dc59ce59f503c63bd61f1ef8353dc7cf5f,0ff07caedad54c9b65e5873ac2d81b3126754aac,51eafbb626103765d3aedfd098b94d0e77de1196,82920a2ad0138a2a8efc744ae5849c6dde6b435d,1b83c00143a1bb2bf16b46c01f36d53fb66f82b5,7ca37b86f4acc702f108449c391dd2485b5ca18c,2bc182f04b935c7e358ed9c9e6df09ae6af47168,9288fb8e96d419586fc8c595dd95353d48e8a060,736752744122a0b5ee4b95ddad634dd225dc0f73,9288fb8e96d419586fc8c595dd95353d48e8a060,dd52fcc042a44a2af9e43c15a8e520b54128cdc8; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5008748; metadata: created_on 2022_11_22, old_sid 5003122; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery MD5 hash detected - Open source"; meta_content: "%sagan%",71b6a493388e7d0b40c83ce903bc6b04,415fe69bf32634ca98fa07633f4118e1,0487382a4daf8eb9660f1c67e30f8b25,a1d5895f85751dfe67d19cccb51b051a,9717cfdc2d023812dbc84a941674eb23a2a8ef06,38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf,56c03d8e43f50568741704aee482704a4f5005ad; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5008749; metadata: created_on 2022_11_22, old_sid 5003123; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya detected by filename - Open source"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: "%sagan%",myguy.xls,myguy.exe,BCA9D6.EXE,Order-20062017.doc; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5008750; metadata: created_on 2022_11_22, old_sid 5003124; rev:4;)
# Jennifer Shannon @ Quadrantsec (2017/08/31)
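# CryptoMix extensions (.empty .error .ogonia .cnc .exte) on file-access events; fires only after
# 10 hits per username in 300 s, then limits output to 5 alerts per username per 300 s.
# The stray space before the first meta_content item (", empty") is removed so the first pattern
# is ".empty " like the others, not ". empty " (rev bumped).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoMix ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: ".%sagan% ",empty,error,ogonia,cnc,exte; meta_nocase; program: *Security*; after: track by_username, count 10, seconds 300; threshold: type limit, track by_username, count 5, seconds 300; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; reference: url,www.bleepingcomputer.com/news/security/new-error-cryptomix-ransomware-variant-released/; sid:5008751; metadata: created_on 2022_11_22, old_sid 5003201; rev:7;)
# Ransom note filename "_HELP_instructions.txt" (trailing space keeps it from matching longer names).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky/CryptoMix ransomware note detected"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: "_HELP_instructions.txt "; nocase; program: *Security*; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; reference: url,www.bleepingcomputer.com/news/security/new-error-cryptomix-ransomware-variant-released/; sid:5008752; metadata: created_on 2022_11_22, old_sid 5003202; rev:5;)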
# Steve Rawls - Bad Rabbit.
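# Scheduled-task creation events (4698 / legacy 602) whose message contains "scheduled task" and one
# of the Bad Rabbit task names viserion_, rhaegal or drogon.
# Two fixes (rev bumped): program is now "*Security*" like every other Security-channel rule in this
# file (a leading-anchored "Security*" would miss a program value with a prefix), and the leading
# space before "viserion_" and the trailing space after "drogon" are removed from the pattern list.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Bad Rabbit Malware scheduled task detected"; content: "scheduled task"; nocase; meta_content: "%sagan%",viserion_,rhaegal,drogon; meta_nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4698,602; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; program: *Security*; reference: url,blog.talosintelligence.com/2017/10/bad-rabbit.html; sid:5008753; metadata: created_on 2022_11_22, old_sid 5003204; rev:5;)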
# Sam Castellano - More bad Rabbit (2017/11/07)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Bad Rabbit payload delivery SHA256 hash detected "; meta_content: "%sagan%", 8e2d709a262bd3a1ef288a87f737a7be8cdf9973751432bff7bf1956b83a94bc,8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93,afeee8b4acff87bc469a6f0364a81ae5d60a2add,de5c8d858e6e41da715dca1c019df0bfb92d32c0,630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da,579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648,0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6; meta_nocase; classtype: trojan-activity; reference: url,bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/; reference: url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100; sid:5008754; metadata: created_on 2022_11_22, old_sid 5003206; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Bad Rabbit payload delivery SHA1 hash detected "; content:"6d8104674ea6206080b050d73f265ea75edbd7d3"; nocase; classtype: trojan-activity; reference: url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100; sid:5008755; metadata: created_on 2022_11_22, old_sid 5003207; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Bad Rabbit payload delivery MD5 hash detected "; content:"1d4f2b4d8430941d383f8e49519f6d90"; nocase; classtype: trojan-activity; reference: url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100; sid:5008756; metadata: created_on 2022_11_22, old_sid 5003208; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Bad Rabbit detected by filename "; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; meta_content: "%sagan%",dispci.exe,8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93.exe,cscc.dat,infpub.dat,install_flash_player.exe; meta_nocase; classtype: trojan-activity; reference: url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100; sid:5008757; metadata: created_on 2022_11_22, old_sid 5003209; rev:3;)
# New rules based on field IOCs ( Champ Clark / [email protected] - 2020/05/18 )
# Process-creation events (4688 / legacy 592) whose message contains the named executable.
# Each content match is an unanchored, case-insensitive substring; parse_src_ip: 1 has Sagan take
# the source address from the message text. The first six carry endpoint_command SHUTDOWN.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Possible suspicious process SyncTask.exe detected"; content: "SyncTask.exe"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; parse_src_ip: 1; sid:5008758; metadata: created_on 2022_11_22, old_sid 5004316; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious process RDPV_2.exe detected"; content: "rdpv_2.exe"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; parse_src_ip: 1; sid:5008759; metadata: created_on 2022_11_22, old_sid 5004317; rev:3;)
# "rdpv.exe" is a substring of "rdpv_2.exe"? No - but it is of any name ending in rdpv.exe; this
# sid and 5008759 can both fire on one event that names rdpv_2.exe only if the message also
# contains a bare rdpv.exe, which it does not, so they are distinct.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious RDPV.exe detected"; content: "rdpv.exe"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; parse_src_ip: 1; sid:5008760; metadata: created_on 2022_11_22, old_sid 5004336; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious Wirelesskeyview.exe detected"; content: "wirelesskeyview.exe"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; parse_src_ip: 1; sid:5008761; metadata: created_on 2022_11_22, old_sid 5004318; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious Wirelesskeyview_2.exe detected"; content: "wirelesskeyview_2.exe"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; parse_src_ip: 1; sid:5008762; metadata: created_on 2022_11_22, old_sid 5004319; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious Speedtest.exe detected"; content: "speedtest.exe"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; parse_src_ip: 1; sid:5008763; metadata: created_on 2022_11_22, old_sid 5004320; rev:3;)
# NOTE(review): "u.aspx" is an unanchored substring, so any 4688 command line mentioning a page
# such as menu.aspx (constructed example) also matches; consider a bounded pcre such as
# /[\\\/]u\.aspx/i if this proves noisy - confirm against real events before changing.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Possible webshell u.aspx detected"; content: "u.aspx"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; classtype: trojan-activity; parse_src_ip: 1; sid:5008764; metadata: created_on 2022_11_22, old_sid 5004321; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious MsMpEng detected"; content: "msmpeng.exe"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; classtype: trojan-activity; parse_src_ip: 1; sid:5008765; metadata: created_on 2022_11_22, old_sid 5004322; rev:2;)
# Process-creation events (4688 / legacy 592) that mention one of the .aspx page names or
# executables seen in the field IOCs. No endpoint_command is attached to these six.
# NOTE(review): like "u.aspx" above, each content is an unanchored substring, so "scripts.aspx"
# also matches e.g. "myscripts.aspx" (constructed example); tighten with pcre if noisy.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious Error3.aspx detected"; content: "error3.aspx"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; classtype: trojan-activity; parse_src_ip: 1; sid:5008766; metadata: created_on 2022_11_22, old_sid 5004323; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious issstart.aspx detected"; content: "issstart.aspx"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; classtype: trojan-activity; parse_src_ip: 1; sid:5008767; metadata: created_on 2022_11_22, old_sid 5004324; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious global.aspx detected"; content: "global.aspx"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; classtype: trojan-activity; parse_src_ip: 1; sid:5008768; metadata: created_on 2022_11_22, old_sid 5004325; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious scripts.aspx detected"; content: "scripts.aspx"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; classtype: trojan-activity; parse_src_ip: 1; sid:5008769; metadata: created_on 2022_11_22, old_sid 5004326; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious Winsrv.exe detected"; content: "winsrv.exe"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; classtype: trojan-activity; parse_src_ip: 1; sid:5008770; metadata: created_on 2022_11_22, old_sid 5004327; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious Scksp.exe detected"; content: "scksp.exe"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; classtype: trojan-activity; parse_src_ip: 1; sid:5008771; metadata: created_on 2022_11_22, old_sid 5004328; rev:2;)
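# Process-creation events (4688 / legacy 592) naming dispex.exe.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Possible Dimitry malware Dispex.exe detected"; content: "dispex.exe"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; parse_src_ip: 1; sid:5008772; metadata: created_on 2022_11_22, old_sid 5004329; rev:3;)
# sid 5008773 was an exact duplicate of sid 5008772 (same msg, same content, same event_ids) that
# also repeated its json_map/event_id options, so one dispex.exe event raised two alerts. Disabled
# here; the sid is kept so the old_sid mapping stays on record.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Possible Dimitry malware Dispex.exe detected"; content: "dispex.exe"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; parse_src_ip: 1; sid:5008773; metadata: created_on 2022_11_22, old_sid 5004330; rev:4;)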
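# Process-creation events (4688 / legacy 592) naming the listed executables.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious Sysclass.exe detected"; content: "sysclass.exe"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; classtype: trojan-activity; parse_src_ip: 1; sid:5008774; metadata: created_on 2022_11_22, old_sid 5004331; rev:2;)
# msg typo "Suspicous" corrected (rev bumped); content is unchanged.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious SKCI.exe detected"; content: "SKCI.exe"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; classtype: trojan-activity; parse_src_ip: 1; sid:5008775; metadata: created_on 2022_11_22, old_sid 5004332; rev:3;)
# msg typo "Suspicous" corrected (rev bumped); content is unchanged.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious msimsg.exe detected"; content: "msimsg.exe"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; classtype: trojan-activity; parse_src_ip: 1; sid:5008776; metadata: created_on 2022_11_22, old_sid 5004333; rev:3;)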
##alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicous DLLHOST detected"; content: "DLLHOST"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; classtype: trojan-activity; parse_src_ip: 1; sid:5008777; metadata: created_on 2022_11_22, old_sid 5004334; rev:2;)
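# Process-creation events (4688 / legacy 592) whose message contains "HomeGroupClient" (unanchored,
# case-insensitive). msg typo "Suspicous" corrected (rev bumped); content is unchanged.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Suspicious HomeGroupClient detected"; content: "HomeGroupClient"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688,592; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; parse_src_ip: 1; sid:5008778; metadata: created_on 2022_11_22, old_sid 5004335; rev:4;)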
# Security-channel message that contains ALL of: powershell.exe, -NoP, -NonI, -W Hidden and
# -exec bypass (every content must match; each is case-insensitive).
# NOTE(review): unlike the 4688 rules above this one has no json_map/event_id, so it is evaluated
# against any *Security* event, and its header direction is $HOME_NET -> $EXTERNAL_NET while the
# neighbouring rules use $EXTERNAL_NET -> $HOME_NET - confirm whether the direction is intentional.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious Powershell execution"; program: *Security*; content: "powershell.exe"; nocase; content: "-NoP"; nocase; content: "-NonI"; nocase; content: "-W Hidden"; nocase; content: "-exec bypass"; nocase; classtype: exploit-attempt; sid:5008779; metadata: created_on 2022_11_22, old_sid 5004779; rev:1;)
# Ryuk ransomware. (2020/10/30)
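# Ryuk ransom note filename on file-access events (4663 / 567 / 5145).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Ryuk ransomware RyukReadMe.txt detected"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: "RyukReadMe.txt"; nocase; program: *Security*; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; reference: url,www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/; sid:5008780; metadata: created_on 2022_11_22, old_sid 5004783; rev:2;)
# Ryuk ".ryk " extension on the same file-access events. The header direction is now
# $EXTERNAL_NET -> $HOME_NET to match the note rule above and every other file-access rule in this
# file (rev bumped); ports and options are unchanged.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Ryuk ransomware extension detected."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: ".ryk "; nocase; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; program: *Security*; reference: url,www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/; reference: url,decrypter.emsisoft.com; sid:5008781; metadata: created_on 2022_11_22, old_sid 5004784; rev:3;)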
# IOCs for the Kaseya / REvil ransomware incident of 07042021
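# File-access events (4663 / 567 / 5145) whose path contains "kworking\agent.exe" (the rule text
# doubles the backslash). msg typo "Randomware" corrected (rev bumped); content is unchanged.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Possible Kaseya/REvil Ransomware dropper detected"; program: *Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4663,567,5145; content: "kworking\\agent.exe"; nocase; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: bad-unknown; sid:5008782; metadata: created_on 2022_11_22, old_sid 5005913; rev:3;)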
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Possible Kaseya/REvil"; content: "WOW6432Node\\BlackLivesMatter"; nocase; classtype: bad-unknown; sid:5008783; metadata: created_on 2022_11_22, old_sid 5005918; rev:1;)
# This signature is meant to detect systems using Kaseya. Might be useful for IR.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Possible Kaseya VSA in use"; content: "Kaseya"; nocase; threshold: type suppress, track by_username, count 1, seconds 86400; ; nocase; classtype: bad-unknown; sid:5008784; metadata: created_on 2022_11_22, old_sid 5005919; rev:1;)
# Signature based on the Sigma rules for PrintNightmare (https://github.com/SigmaHQ/sigma/pull/1588/files)
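# FIX(review): the path literal mixed doubled separators ("\\Windows\\System32...\\3") with single
# ones ("\old", "\123"), so no single rendering of the path could match the whole string. Every
# separator is now "\\", the form the other rules in this file use for the JSON-rendered message
# (compare the kworking\\agent.exe rule); rev bumped. Confirm against a real PrintService event 808
# that the feed delivers doubled backslashes in .RenderedDescription.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Printnightmare exploit detected - CVE-2021-1675"; program: *PrintSpooler*|*PrintService*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 808; content: "C|3a|\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\123"; nocase; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: exploit-attempt; reference: url,github.com/SigmaHQ/sigma/pull/1588/files; sid:5008785; metadata: created_on 2022_11_22, old_sid 5005920; reference: cve,2021-1675; rev:2;)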
# DevilsTongue signatures by Steven Drenning.
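# FIX(review): the sibling rules [2/4]-[4/4] anchor their pcre on a literal dot ("\.dll"); this one
# had an unescaped "." that matched any character. Aligned to "\.dll" and bumped rev.
# NOTE(review): the first content uses a single backslash after "C:" (|3a 5c|) but doubled ones
# (|5c 5c|) for the rest of the path, as do all DevilsTongue rules in this group — confirm against
# a real event which form the feed renders before relying on these.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible DevilsTongue DLL access detected[1/4]";program: *Security*|*Sysmon*; content: "C|3a 5c|Windows|5c 5c|system32|5c 5c|ime|5c 5c|IMEJP"; nocase; content:!"imjpapi.dll"; nocase; content:!"imjpcd.dll"; nocase; content:!"imjpcmld.dll"; nocase; content:!"imjpcus.dll"; nocase; content:!"imjpdapi.dll"; nocase; content:!"imjpdctp.dll"; nocase; content:!"imjplmp.dll"; nocase; content:!"imjppred.dll"; nocase; content:!"imjpranker.dll"; nocase; content:!"imjptip.dll"; nocase; content:!"imjputyc.dll"; nocase; content:!"applets|5c 5c|imjpcac.dll";nocase; content:!"applets|5c 5c|imjpclst.dll";nocase; content:!"applets|5c 5c|imjpkdic.dll";nocase; content:!"applets|5c 5c|imjpskey.dll";nocase; content:!"applets|5c 5c|imjpskf.dll";nocase; pcre: "/im[a-zA-Z0-9]{1,20}\.dll/"; threshold: type suppress, track by_username, count 1, seconds 300; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: suspicious-traffic; metadata: created_on 2022_11_22, apt sourgum; reference: url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware; sid:5008786; metadata: created_on 2022_11_22, old_sid 5005946; rev:5;)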
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible DevilsTongue DLL access detected[2/4]";program: *Security*|*Sysmon*; content: "C|3a 5c|Windows|5c 5c|system32|5c 5c|ime|5c 5c|IMEKR"; nocase; content:!"imkrapi.dll"; nocase; content:!"imkrotip.dll"; nocase; content:!"imkrtip.dll"; nocase; content:!"imkrudt.dll"; nocase; content:!"applets|5c 5c|imkrcac.dll";nocase; content:!"dicts|5c 5c|imkrhjd.dll";nocase; content:!"applets|5c 5c|imkrskf.dll";nocase; pcre: "/im[a-zA-Z0-9]{1,20}\.dll/"; threshold: type suppress, track by_username, count 1, seconds 300; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: suspicious-traffic; metadata: created_on 2022_11_22, apt sourgum; reference: url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware; sid:5008787; metadata: created_on 2022_11_22, old_sid 5005947; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible DevilsTongue DLL access detected[3/4]";program: *Security*|*Sysmon*; content: "C|3a 5c|Windows|5c 5c|system32|5c 5c|ime|5c 5c|IMETC"; nocase; content:!"imtccfg.dll"; nocase; content:!"imtccore.dll"; nocase; content:!"imtctip.dll"; nocase; content:!"imtctrln.dll"; nocase;content:!"applets|5c 5c|imtccac.dll";nocase; content:!"applets|5c 5c|imtcdic.dll";nocase; content:!"applets|5c 5c|imtcskf.dll";nocase; pcre: "/im[a-zA-Z0-9]{1,20}\.dll/"; threshold: type suppress, track by_username, count 1, seconds 300; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: suspicious-traffic; metadata: created_on 2022_11_22, apt sourgum; reference: url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware; sid:5008788; metadata: created_on 2022_11_22, old_sid 5005948; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible DevilsTongue DLL access detected[4/4]";program: *Security*|*Sysmon*; content: "C|3a 5c|Windows|5c 5c|system32|5c 5c|ime|5c 5c|shared"; nocase; content:!"imeapis.dll"; nocase; content:!"imebrokerps.dll"; nocase; content:!"imecfm.dll"; nocase; content:!"imecfmps.dll"; nocase; content:!"imedicapiccps.dll"; nocase; content:!"imefiles.dll"; nocase; content:!"imelm.dll"; nocase; content:!"imepadsm.dll"; nocase; content:!"imesearchdll.dll"; nocase; content:!"imesearchps.dll"; nocase; content:!"imetip.dll"; nocase; content:!"imjkapi.dll"; nocase; pcre: "/im[a-zA-Z0-9]{1,20}\.dll/"; threshold: type suppress, track by_username, count 1, seconds 300; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: suspicious-traffic; metadata: created_on 2022_11_22, apt sourgum; reference: url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware; sid:5008789; metadata: created_on 2022_11_22, old_sid 5005949; rev:2;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible DevilsTongue Physmem.sys Detected [1/2]";program: *Security*|*Sysmon*; content: "C|3a 5c|Windows|5c 5c|system32|5c 5c|physmem.sys"; nocase; threshold: type suppress, track by_username, count 1, seconds 300; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: suspicious-traffic; metadata: created_on 2022_11_22, apt sourgum; reference: url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware; sid:5008790; metadata: created_on 2022_11_22, old_sid 5005950; rev:2;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible DevilsTongue Physmem.sys Detected [2/2]";program: *Security*|*Sysmon*; content: "C|3a 5c|Windows|5c 5c|system32|5c 5c|drivers|5c 5c|physmem.sys"; nocase; threshold: type suppress, track by_username, count 1, seconds 300; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: suspicious-traffic; metadata: created_on 2022_11_22, apt sourgum; reference: url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware; sid:5008791; metadata: created_on 2022_11_22, old_sid 5005951; rev:4;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible DevilsTongue DAT access detected"; program: *Security*|*Sysmon*;meta_content:"C|3a 5c|Windows|5c 5c|system32|5c 5c|config|5c 5c|%sagan%|5c 5c|",spp,SKB,curv,networklist,Licenses,InputMethod,Recovery;meta_nocase; content:!"|5c 5c|journal";nocase; content:!"|5c 5c|systemprofile";nocase; content:!"|5c 5c|TxR";nocase; pcre:"/[a-zA-Z0-9]{1,20}\.dat/"; threshold: type suppress, track by_username, count 1, seconds 300; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: suspicious-traffic; metadata: created_on 2022_11_22, apt sourgum; reference: url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware; sid:5008792; metadata: created_on 2022_11_22, old_sid 5005952; rev:2;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible DevilsTongue File access detected"; program: *Security*|*Sysmon*;meta_content:"C|3a 5c|Windows|5c 5c|system32|5c 5c|ime|5c 5c|%sagan%",WimBootConfigurations.ini,wmiutils.dll,wbemsvc.dll;meta_nocase; threshold: type suppress, track by_username, count 1, seconds 300; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: suspicious-traffic; metadata: created_on 2022_11_22, apt sourgum; reference: url,microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware; sid:5008793; metadata: created_on 2022_11_22, old_sid 5005953; rev:2;)
# Developed to detect the pentesting tool Rubeus. Rule by C.Goggins 01/2022
# Matches event 4611 whose text names "User32LogonProcesss" as the logon process. The doubled
# trailing "s" is kept as written — presumably the tool's own spelling per the references; confirm
# before "correcting" it, or the rule goes silent. The match is case-sensitive (no nocase) and no
# program: filter is applied.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Rubeus successful TGT Enumeration"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4611; content: "Logon Process Name|3A| User32LogonProcesss"; classtype:suspicious-traffic; reference:url,posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1; reference:url,mandiant.com/resources/unauthorized-access-of-fireeye-red-team-tools; sid:5008794; metadata: created_on 2022_11_22, old_sid 5005971; rev:2;)
# Rules 5005976-5005983 (now sids 5008795-5008802) created to detect HermeticWiper, ref. Ukraine. sdrenning! 20220306
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible HermeticWiper DLL Detected"; program: *Security*|*Sysmon*|*PowerShell*; content:"|5c 5c|romance.dll";nocase; threshold: type suppress, track by_username, count 1, seconds 300; classtype: malware; reference: url,welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; sid:5008795; metadata: created_on 2022_11_22, old_sid 5005976; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible HermeticWiper Executable Detected"; program: *Security*|*Sysmon*|*PowerShell*; content:"|5c 5c|Windows|5c 5c|Temp|5c 5c|cc.exe";nocase; threshold: type suppress, track by_username, count 1, seconds 300; classtype: malware; reference: url,welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; sid:5008796; metadata: created_on 2022_11_22, old_sid 5005977; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible HermeticWiper Executable Detected"; program: *Security*|*Sysmon*|*PowerShell*; content:"|5c 5c|Windows|5c 5c|Temp|5c 5c|cc2.exe";nocase; threshold: type suppress, track by_username, count 1, seconds 300; classtype: malware; reference: url,welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; sid:5008797; metadata: created_on 2022_11_22, old_sid 5005978; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible HermeticWiper Executable Detected"; program: *Security*|*Sysmon*|*PowerShell*; content:"|5c 5c|Users|5c 5c|com.exe";nocase; threshold: type suppress, track by_username, count 1, seconds 300; classtype: malware; reference: url,welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; sid:5008798; metadata: created_on 2022_11_22, old_sid 5005979; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible HermeticWiper Debug Code Detected"; program: *Security*|*Sysmon*|*PowerShell*; content:"start erasing physical drives";nocase; threshold: type suppress, track by_username, count 1, seconds 300; classtype: malware; reference: url,welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; sid:5008799; metadata: created_on 2022_11_22, old_sid 5005980; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible HermeticWiper Debug Code Detected"; program: *Security*|*Sysmon*|*PowerShell*; content:"start erasing logical drive";nocase; threshold: type suppress, track by_username, count 1, seconds 300; classtype: malware; reference: url,welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; sid:5008800; metadata: created_on 2022_11_22, old_sid 5005981; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible HermeticWiper Debug Code Detected"; program: *Security*|*Sysmon*|*PowerShell*; content:"start erasing system physical drive";nocase; threshold: type suppress, track by_username, count 1, seconds 300; classtype: malware; reference: url,welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; sid:5008801; metadata: created_on 2022_11_22, old_sid 5005982; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Possible HermeticWiper Debug Code Detected"; program: *Security*|*Sysmon*|*PowerShell*; content:"start erasing system logical drive";nocase; threshold: type suppress, track by_username, count 1, seconds 300; classtype: malware; reference: url,welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; sid:5008802; metadata: created_on 2022_11_22, old_sid 5005983; rev:1;)
# PowerShell command that downloads an object straight to the TEMP directory with a temp file extension. This IOC was observed in relation to HermeticWiper but is a good general catch-all. Might move to the PowerShell rules if too noisy. sdrenning! 20220306
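# FIX(review): the first content was "|28|Newobject"; the cmdlet is spelled New-Object, so the
# string "(Newobject" does not occur in a real command line or script block and the rule could not
# fire. Corrected to "|28|New-Object" and bumped rev. Note the chained within:50 windows: a URL
# longer than roughly 50 bytes between ".Download" and "\\temp\\" still slips past — widen within:
# if real events show that. The content matches ".tmp" although msg says ".temp".
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Object Downloaded to Temp Directory with .temp File Extention"; program: *Security*|*Sysmon*|*PowerShell*; content:"|28|New-Object";nocase; content:"webClient|29|.Download";nocase; distance:1; within:50; content:"|5c 5c|temp|5c 5c|";nocase; distance:1; within:50; content:".tmp";nocase; distance:1; within:50; threshold: type suppress, track by_username, count 1, seconds 300; classtype: malware; reference: url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia; sid:5008803; metadata: created_on 2022_11_22, old_sid 5005987; rev:2;)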
# IOC developed for PARTYTICKET ransomware, observed in Ukraine as a possible misdirection from HermeticWiper ~ sdrenning! 20220306
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] PARTYTICKET Malware File Extention detected - Critical and Call"; program: *Security*|*Sysmon*|*PowerShell*; content:".encryptedJB";nocase; threshold: type suppress, track by_username, count 10, seconds 300; classtype: ransomware; reference: url,crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine; reference: url,welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine; sid:5008804; metadata: created_on 2022_11_22, old_sid 5005988; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] PARTYTICKET E-mail Address Detected - Likely Ransomware (1/2)"; program: *Security*|*Sysmon*|*PowerShell*; content:"vote2024forjb|40|protonmail.com";nocase; threshold: type suppress, track by_username, count 1, seconds 300; classtype: ransomware; reference: url,crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine; reference: url,welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine; sid:5008805; metadata: created_on 2022_11_22, old_sid 5005989; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] PARTYTICKET E-mail Address Detected - Likely Ransomware (2/2)"; program: *Security*|*Sysmon*|*PowerShell*; content:"stephanie.jones2024|40|protonmail.com";nocase; threshold: type suppress, track by_username, count 1, seconds 300; classtype: ransomware; reference: url,crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine; reference: url,welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine; sid:5008806; metadata: created_on 2022_11_22, old_sid 5005990; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] PARTYTICKET Function Detected(1/2)"; program: *Security*|*Sysmon*|*PowerShell*; content:"projects";nocase; content:"403forBiden";nocase; distance:1; within:15; content:"wHiteHousE";nocase; distance:1; within:15; threshold: type suppress, track by_username, count 10, seconds 300; classtype: ransomware; reference: url,crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine; reference: url,welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine; sid:5008807; metadata: created_on 2022_11_22, old_sid 5005991; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] PARTYTICKET Function Detected(2/2)"; program: *Security*|*Sysmon*|*PowerShell*; meta_content:"%sagan%",subscribeNewPartyMember,primaryElectionProces;meta_nocase; threshold: type suppress, track by_username, count 10, seconds 300; classtype: ransomware; reference: url,crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine; reference: url,welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine; sid:5008808; metadata: created_on 2022_11_22, old_sid 5005992; rev:1;)
# Ransomware file-extension sweep (this rule through sid 5008845). Each rule needs 25 matching
# 4663/567/5145 events within 3600 s ("after:") before it fires once, then suppresses for the same
# window. json_map binds "username" to .Computer, so both counters track per host, not per user.
# The trailing space in each content (e.g. ".micro ") looks intended as a word boundary so that
# ".crypt " does not also match ".cryptowall" — verify the feed renders the filename followed by
# whitespace, otherwise these never match.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt 3.0 ransomware file extension detected (.micro)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".micro "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008809; metadata: created_on 2022_11_22, old_sid 5006733; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware file extension detected (.zepto)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".zepto "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008810; metadata: created_on 2022_11_22, old_sid 5006734; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cerber ransomware file extension detected (.cerber)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".cerber "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008811; metadata: created_on 2022_11_22, old_sid 5006735; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware file extension detected (.locky)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".locky "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008812; metadata: created_on 2022_11_22, old_sid 5006736; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cerber 3 ransomware file extension detected (.cerber3)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".cerber3 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008813; metadata: created_on 2022_11_22, old_sid 5006737; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptXXX ransomware file extension detected (.cryp1)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".cryp1 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008814; metadata: created_on 2022_11_22, old_sid 5006738; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoMix (variant) ransomware file extension detected (.mole)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".mole "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008815; metadata: created_on 2022_11_22, old_sid 5006739; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Dharma ransomware file extension detected (.onion)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".onion "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008816; metadata: created_on 2022_11_22, old_sid 5006740; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] AxCrypt file extension detected (.axx)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".axx "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008817; metadata: created_on 2022_11_22, old_sid 5006741; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky (variant) ransomware file extension detected (.osiris)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".osiris "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008818; metadata: created_on 2022_11_22, old_sid 5006742; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptXXX ransomware file extension detected (.crypz)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".crypz "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008819; metadata: created_on 2022_11_22, old_sid 5006743; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Scatter ransomware file extension detected (.crypt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".crypt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008820; metadata: created_on 2022_11_22, old_sid 5006744; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Various ransomware file extension detected (.locked)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".locked "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008821; metadata: created_on 2022_11_22, old_sid 5006745; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware file extension detected (.odin)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".odin "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008822; metadata: created_on 2022_11_22, old_sid 5006746; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt or Cryptowall file extension detected (.ccc)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".ccc "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008823; metadata: created_on 2022_11_22, old_sid 5006747; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cerber 2 ransomware file extension detected (.cerber2)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".cerber2 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008824; metadata: created_on 2022_11_22, old_sid 5006748; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Sage ransomware file extension detected (.sage)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".sage "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008825; metadata: created_on 2022_11_22, old_sid 5006749; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Globe ransomware file extension detected (.globe)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".globe "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008826; metadata: created_on 2022_11_22, old_sid 5006750; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alpha Crypt file extension detected (.exx)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".exx "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008827; metadata: created_on 2022_11_22, old_sid 5006751; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Scatter ransomware file extension detected (.good)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".good "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008828; metadata: created_on 2022_11_22, old_sid 5006752; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Globe 3 (variant) ransomware file extension detected (.wallet)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".wallet "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008829; metadata: created_on 2022_11_22, old_sid 5006753; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Enigma ransomware file extension detected (.1txt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".1txt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008830; metadata: created_on 2022_11_22, old_sid 5006754; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Globe 3 ransomware file extension detected (.decrypt2017)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".decrypt2017 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008831; metadata: created_on 2022_11_22, old_sid 5006755; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alpha ransomware file extension detected (.encrypt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".encrypt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008832; metadata: created_on 2022_11_22, old_sid 5006756; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alpha Crypt virus file extension detected (.ezz)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".ezz "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008833; metadata: created_on 2022_11_22, old_sid 5006757; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware file extension detected (.zzzzz)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".zzzzz "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008834; metadata: created_on 2022_11_22, old_sid 5006758; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Merry X-Mas ransomware file extension detected (.MERRY)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".MERRY "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008835; metadata: created_on 2022_11_22, old_sid 5006759; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Malware (ransomware) encoded file extension detected (.enciphered)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".enciphered "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008836; metadata: created_on 2022_11_22, old_sid 5006760; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] 7ev3n ransomware file extension detected (.r5a)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".r5a "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008837; metadata: created_on 2022_11_22, old_sid 5006761; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware file extension detected (.aesir)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".aesir "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008838; metadata: created_on 2022_11_22, old_sid 5006762; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cryptolocker or TeslaCrypt virus file extension detected (.ecc)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".ecc "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008839; metadata: created_on 2022_11_22, old_sid 5006763; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Coverton ransomware file extension detected (.enigma)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".enigma "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008840; metadata: created_on 2022_11_22, old_sid 5006764; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Encrypted file by Cryptowall ransomware extension detected (.cryptowall)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".cryptowall "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008841; metadata: created_on 2022_11_22, old_sid 5006765; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Various ransomware file extension detected (.encrypted)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".encrypted "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008842; metadata: created_on 2022_11_22, old_sid 5006766; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] LOLI RanSomeWare ransomware file extension detected (.loli)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".loli "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008843; metadata: created_on 2022_11_22, old_sid 5006767; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Files1147@gmail(.)com ransomware file extension detected (.breaking_bad)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".breaking_bad "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008844; metadata: created_on 2022_11_22, old_sid 5006768; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Anubis ransomware file extension detected (.coded)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".coded "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008845; metadata: created_on 2022_11_22, old_sid 5006769; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] El-Polocker file extension detected (.ha3)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".ha3 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008846; metadata: created_on 2022_11_22, old_sid 5006770; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Damage ransomware file extension detected (.damage)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".damage "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008847; metadata: created_on 2022_11_22, old_sid 5006771; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] WannaCry ransomware file extension detected (.wcry)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".wcry "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008848; metadata: created_on 2022_11_22, old_sid 5006772; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] GPCode ransomware file extension detected (.lol!)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".lol!"; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008849; metadata: created_on 2022_11_22, old_sid 5006773; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoLocker file extension detected (.cryptolocker)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".cryptolocker "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008850; metadata: created_on 2022_11_22, old_sid 5006774; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CrySiS ransomware file extension detected (.dharma)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".dharma "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008851; metadata: created_on 2022_11_22, old_sid 5006775; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Merry X-Mas ransomware file extension detected (.MRCR1)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".MRCR1 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008852; metadata: created_on 2022_11_22, old_sid 5006776; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] PayDay ransomware files extension detected (.sexy)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".sexy "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008853; metadata: created_on 2022_11_22, old_sid 5006777; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoJoker ransomware file extension detected (.crjoker)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".crjoker "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008854; metadata: created_on 2022_11_22, old_sid 5006778; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Fantom ransomware file extension detected (.fantom)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".fantom "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008855; metadata: created_on 2022_11_22, old_sid 5006779; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KeyBTC ransomware file extension detected (.keybtc@inbox_com)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".keybtc@inbox_com"; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008856; metadata: created_on 2022_11_22, old_sid 5006780; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Radamant v2 ransomware file extension detected (.rrk)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".rrk "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008857; metadata: created_on 2022_11_22, old_sid 5006781; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Legion ransomware file extension detected (.legion)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".legion "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008858; metadata: created_on 2022_11_22, old_sid 5006782; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KratosCrypt ransomware file extension detected (.kratos)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".kratos "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008859; metadata: created_on 2022_11_22, old_sid 5006783; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] LeChiffre ransomware file extension detected (.LeChiffre)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".LeChiffre "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008860; metadata: created_on 2022_11_22, old_sid 5006784; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Rakhni ransomware file extension detected (.kraken)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".kraken "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008861; metadata: created_on 2022_11_22, old_sid 5006785; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] ZCRYPT ransomware file extension detected (.zcrypt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".zcrypt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008862; metadata: created_on 2022_11_22, old_sid 5006786; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] HiddenTear (variant) ransomware file extension detected (.maya)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".maya "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008863; metadata: created_on 2022_11_22, old_sid 5006787; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TorrentLocker ransomware file extension detected (.enc)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".enc "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008864; metadata: created_on 2022_11_22, old_sid 5006788; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Evil ransomware file extension detected (.file0locked)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".file0locked "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008865; metadata: created_on 2022_11_22, old_sid 5006789; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] DecryptorMax or CryptInfinite ransomware file extension detected (.crinf)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".crinf "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008866; metadata: created_on 2022_11_22, old_sid 5006790; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Serpent (variant) ransomware file extension detected (.serp)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".serp "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008867; metadata: created_on 2022_11_22, old_sid 5006791; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Potato ransomware file extension detected (.potato)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".potato "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008868; metadata: created_on 2022_11_22, old_sid 5006792; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Troldesh (variant) ransomware file extension detected (.ytbl)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".ytbl "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008869; metadata: created_on 2022_11_22, old_sid 5006793; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Surprise ransomware file extension detected (.surprise)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".surprise "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008870; metadata: created_on 2022_11_22, old_sid 5006794; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Angela Merkel ransomware file extension detected (.angelamerkel)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".angelamerkel "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008871; metadata: created_on 2022_11_22, old_sid 5006795; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Shade ransomware file extension detected (.windows10)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".windows10 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008872; metadata: created_on 2022_11_22, old_sid 5006796; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoMix ransomware file extension detected (.lesli)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".lesli "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008873; metadata: created_on 2022_11_22, old_sid 5006797; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Serpent ransomware file extension detected (.serpent)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".serpent "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008874; metadata: created_on 2022_11_22, old_sid 5006798; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Merry X-Mas ransomware file extension detected (.PEGS1)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".PEGS1 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008875; metadata: created_on 2022_11_22, old_sid 5006799; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Chip ransomware file extension detected (.dale)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".dale "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008876; metadata: created_on 2022_11_22, old_sid 5006800; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] PadCrypt Ransomware script extension detected (.pdcr)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".pdcr "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008877; metadata: created_on 2022_11_22, old_sid 5006801; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt ransomware file extension detected (.zzz)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".zzz "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008878; metadata: created_on 2022_11_22, old_sid 5006802; rev:2;)
# NOTE(review): ".xyz" is also a public top-level domain and a legitimate file format, so with nocase and only a
# trailing space as the delimiter this rule is more exposed to false positives than most of its neighbours. The
# generic extensions ".enc" (sid 5008864) and ".encrypted" (sid 5008842) in this group were already disabled,
# presumably for that reason -- consider the same here, or tighten the match to the object-name field of the event
# if the Event Hub JSON exposes it separately.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt ransomware file extension detected (.xyz)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".xyz "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008879; metadata: created_on 2022_11_22, old_sid 5006803; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Princess Locker ransomware file extension detected (.1cbu1)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".1cbu1 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008880; metadata: created_on 2022_11_22, old_sid 5006804; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Venus Locker ransomware file extension detected (.venusf)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".venusf "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008881; metadata: created_on 2022_11_22, old_sid 5006805; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Coverton ransomware file extension detected (.coverton)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".coverton "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008882; metadata: created_on 2022_11_22, old_sid 5006806; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware file extension detected (.thor)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".thor "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008883; metadata: created_on 2022_11_22, old_sid 5006807; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Gremit ransomware file extension detected (.rnsmwr)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".rnsmwr "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008884; metadata: created_on 2022_11_22, old_sid 5006808; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Evil-JS (variant) ransomware file extension detected (.evillock)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".evillock "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008885; metadata: created_on 2022_11_22, old_sid 5006809; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Ransomware file extension detected (.R16m01d05)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".R16m01d05 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008886; metadata: created_on 2022_11_22, old_sid 5006810; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] WildFire ransomware file extension detected (.wflx)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".wflx "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008887; metadata: created_on 2022_11_22, old_sid 5006811; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Nuke ransomware file extension detected (.nuclear55)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".nuclear55 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008888; metadata: created_on 2022_11_22, old_sid 5006812; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Rakhni ransomware file extension detected (.darkness)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".darkness "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008889; metadata: created_on 2022_11_22, old_sid 5006813; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] FileLocker ransomware file extension detected (.encr)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".encr "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008890; metadata: created_on 2022_11_22, old_sid 5006814; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] HiddenTear (variant) ransomware file extension detected (.rekt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".rekt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008891; metadata: created_on 2022_11_22, old_sid 5006815; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KeRanger OS X ransomware extension detected (.kernel_time)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".kernel_time "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008892; metadata: created_on 2022_11_22, old_sid 5006816; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] ZYKLON ransomware file extension detected (.zyklon)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".zyklon "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008893; metadata: created_on 2022_11_22, old_sid 5006817; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Troldesh (variant) ransomware file extension detected (.Dexter)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".Dexter "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008894; metadata: created_on 2022_11_22, old_sid 5006818; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] LockLock ransomware file extension detected (.locklock)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".locklock "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008895; metadata: created_on 2022_11_22, old_sid 5006819; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryLocker ransomware file extension detected (.cry)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".cry "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008896; metadata: created_on 2022_11_22, old_sid 5006820; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Samsam (variant) ransomware file extension detected (.VforVendetta)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".VforVendetta "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008897; metadata: created_on 2022_11_22, old_sid 5006821; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw Ransomware file extension detected (.btc)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".btc "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008898; metadata: created_on 2022_11_22, old_sid 5006822; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Globe [variant] ransomware file extension detected (.raid10)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".raid10 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008899; metadata: created_on 2022_11_22, old_sid 5006823; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] DummyLocker ransomware file extension detected (.dCrypt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".dCrypt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008900; metadata: created_on 2022_11_22, old_sid 5006824; rev:2;)
# --- Ransomware file-extension indicators from Windows Security object/share access events ---
# Every rule in this run has the same shape; only the family name, the extension and the sid differ:
#   program:*Security*; event_id:4663,567,5145  -> Windows object-access events (4663, and legacy 567)
#                                                  and network-share access events (5145) only.
#   json_map:"username",".Computer"             -> the Computer field is mapped onto "username", so the
#                                                  "track by_username" clauses below count per HOST,
#                                                  not per account.
#   content:".<ext> "; nocase                   -> case-insensitive match on the extension followed by a
#                                                  literal space. The trailing space is presumably meant
#                                                  to anchor the token (".xxx " does not match ".xxxyz");
#                                                  this assumes RenderedDescription puts whitespace after
#                                                  the object name - TODO confirm against a sample event.
#   after: count 25, seconds 3600               -> the alert fires only once 25 matching events have been
#                                                  seen from the same host within one hour, so a single
#                                                  stray filename does not trigger it.
#   threshold: type suppress, count 25, seconds 3600 -> caps output at 25 alerts per host per hour.
# NOTE(review): 4663/5145 are only written when object-access / file-share auditing (SACLs) is enabled;
# on hosts without that audit policy these rules never fire. Verify audit coverage before relying on them.
# NOTE(review): several extensions are ordinary words (.fun, .rip, .magic, .perl, .ruby, .hush, .atlas,
# .purge, .shit); the 25-in-an-hour threshold is what keeps them usable. Tune it if a host legitimately
# handles many such files.
# Rules prefixed with '#' are disabled in the upstream set; see the per-rule notes below.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Zorro ransomware file extension detected (.zorro)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".zorro "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008901; metadata: created_on 2022_11_22, old_sid 5006825; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] HiddenTear/MafiaWare (variant) ransomware file extension detected (.AngleWare)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".AngleWare "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008902; metadata: created_on 2022_11_22, old_sid 5006826; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Xorist Ransomware file extension detected (.EnCiPhErEd)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".EnCiPhErEd "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008903; metadata: created_on 2022_11_22, old_sid 5006827; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Globe ransomware file extension detected (.purge)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".purge "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008904; metadata: created_on 2022_11_22, old_sid 5006828; rev:2;)
# NOTE(review): the content pattern (and the msg suffix) of sid 5008905 reads "[email protected]", which looks
# like an e-mail-obfuscation placeholder introduced when this file was exported, not the real extension.
# As written the rule matches that literal text only. Restore the original string from the upstream
# ruleset before loading; do not guess it.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Fsociety ransomware file extension detected ([email protected])"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:"[email protected]"; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008905; metadata: created_on 2022_11_22, old_sid 5006829; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware file extension detected (.shit)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".shit "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008906; metadata: created_on 2022_11_22, old_sid 5006830; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Atlas ransomware file extension detected (.atlas)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".atlas "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008907; metadata: created_on 2022_11_22, old_sid 5006831; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Exotic ransomware file extension detected (.exotic)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".exotic "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008908; metadata: created_on 2022_11_22, old_sid 5006832; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Nemucod ransomware file extension detected (.crypted)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".crypted "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008909; metadata: created_on 2022_11_22, old_sid 5006833; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] PadCrypt ransomware file extension detected (.padcrypt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".padcrypt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008910; metadata: created_on 2022_11_22, old_sid 5006834; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt 3.0 ransomware file extension detected (.xxx)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".xxx "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008911; metadata: created_on 2022_11_22, old_sid 5006835; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw ransomware file extension detected (.hush)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".hush "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008912; metadata: created_on 2022_11_22, old_sid 5006836; rev:2;)
# Disabled: ".bin" is a generic extension (firmware, game data, installers) - presumably too noisy to alert on.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alpha/Alfa ransomware file extension detected (.bin)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".bin "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008913; metadata: created_on 2022_11_22, old_sid 5006837; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] VBRansom 7 ransomware file extension detected (.vbransom)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".vbransom "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008914; metadata: created_on 2022_11_22, old_sid 5006838; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Merry X-Mas ransomware file extension detected (.RMCM1)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".RMCM1 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008915; metadata: created_on 2022_11_22, old_sid 5006839; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] DoubleLocker ransomware file extension detected (.cryeye)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".cryeye "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008916; metadata: created_on 2022_11_22, old_sid 5006840; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Al-Namrood ransomware file extension detected (.unavailable)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".unavailable "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008917; metadata: created_on 2022_11_22, old_sid 5006841; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Braincrypt ransomware file extension detected (.braincrypt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".braincrypt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008918; metadata: created_on 2022_11_22, old_sid 5006842; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Manifestus ransomware file extension detected (.fucked)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".fucked "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008919; metadata: created_on 2022_11_22, old_sid 5006843; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw (variant) ransomware file extension detected (.crypte)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".crypte "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008920; metadata: created_on 2022_11_22, old_sid 5006844; rev:2;)
# NOTE(review): msg typo "affecte" -> "affected" in sid 5008921; left as-is here because msg is part of the emitted alert.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] AiraCrop Ransomware affecte file extension detected (._AiraCropEncrypted)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:"._AiraCropEncrypted "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008921; metadata: created_on 2022_11_22, old_sid 5006845; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Satan ransomware file extension detected (.stn)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".stn "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008922; metadata: created_on 2022_11_22, old_sid 5006846; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw Ransomware file extension detected (.paym)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".paym "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008923; metadata: created_on 2022_11_22, old_sid 5006847; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Spora ransomware file extension detected (.spora)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".spora "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008924; metadata: created_on 2022_11_22, old_sid 5006848; rev:2;)
# Disabled: ".dll" appears in almost every object-access event on a Windows host; enabling this would alert constantly.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] FSociety ransomware file extension detected (.dll)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".dll "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008925; metadata: created_on 2022_11_22, old_sid 5006849; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Merry X-Mas ransomware file extension detected (.RARE1)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".RARE1 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008926; metadata: created_on 2022_11_22, old_sid 5006850; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alcatraz Locker ransomware file extension detected (.alcatraz)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".alcatraz "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008927; metadata: created_on 2022_11_22, old_sid 5006851; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Scatter ransomware file extension detected (.pzdc)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".pzdc "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008928; metadata: created_on 2022_11_22, old_sid 5006852; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt ransomware file extension detected (.aaa)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".aaa "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008929; metadata: created_on 2022_11_22, old_sid 5006853; rev:2;)
# Disabled: ".encrypted" is used by many unrelated families and by legitimate tools; presumably kept off to avoid noise.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Donald Trump ransomware file extension detected (.encrypted)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".encrypted "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008930; metadata: created_on 2022_11_22, old_sid 5006854; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt 3.0 ransomware file extension detected (.ttt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".ttt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008931; metadata: created_on 2022_11_22, old_sid 5006855; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] ODCODC ransomware file extension detected (.odcodc)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".odcodc "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008932; metadata: created_on 2022_11_22, old_sid 5006856; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt 3.0 ransomware file extension detected (.vvv)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".vvv "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008933; metadata: created_on 2022_11_22, old_sid 5006857; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Ruby ransomware file extension detected (.ruby)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".ruby "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008934; metadata: created_on 2022_11_22, old_sid 5006858; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw Ransomware file extension detected (.pays)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".pays "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008935; metadata: created_on 2022_11_22, old_sid 5006859; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Comrade ransomware file extension detected (.comrade)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".comrade "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008936; metadata: created_on 2022_11_22, old_sid 5006860; rev:2;)
# Disabled: ".enc" is a generic "encrypted/encoded" extension used by many legitimate applications.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cryptorium ransomware file extension detected (.enc)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".enc "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008937; metadata: created_on 2022_11_22, old_sid 5006861; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt ransomware file extension detected (.abc)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".abc "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008938; metadata: created_on 2022_11_22, old_sid 5006862; rev:2;)
# Disabled: same ".xxx " content as sid 5008911 (TeslaCrypt 3.0) above; enabling both would double-alert on every hit.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] help_dcfile ransomware file extension detected (.xxx)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".xxx "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008939; metadata: created_on 2022_11_22, old_sid 5006863; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Xorist (variant) Ransomware file extension detected (.antihacker2017)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".antihacker2017 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008940; metadata: created_on 2022_11_22, old_sid 5006864; rev:2;)
# NOTE(review): msg typo "affacted" -> "affected" in sid 5008941; left as-is here because msg is part of the emitted alert.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Herbst ransomware affacted file extension detected (.herbst)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".herbst "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008941; metadata: created_on 2022_11_22, old_sid 5006865; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] SZFLocker ransomware file extension detected (.szf)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".szf "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008942; metadata: created_on 2022_11_22, old_sid 5006866; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] RektLocker ransomware file extension detected (.rekt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".rekt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008943; metadata: created_on 2022_11_22, old_sid 5006867; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] BadEncriptor ransomware file extension detected (.bript)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".bript "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008944; metadata: created_on 2022_11_22, old_sid 5006868; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoRoger ransomware file extension detected (.crptrgr)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".crptrgr "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008945; metadata: created_on 2022_11_22, old_sid 5006869; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw Ransomware file extension detected (.kkk)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".kkk "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008946; metadata: created_on 2022_11_22, old_sid 5006870; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Radamant ransomware file extension detected (.rdm)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".rdm "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008947; metadata: created_on 2022_11_22, old_sid 5006871; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] BarRax (HiddenTear variant) ransomware file extension detected (.BarRax)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".BarRax "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008948; metadata: created_on 2022_11_22, old_sid 5006872; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Vindows Locker ransomware file extension detected (.vindows)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".vindows "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008949; metadata: created_on 2022_11_22, old_sid 5006873; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Samas/SamSam ransomware file extension detected (.helpmeencedfiles)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".helpmeencedfiles "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008950; metadata: created_on 2022_11_22, old_sid 5006874; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Globe 3 ransomware file extension detected (.hnumkhotep)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".hnumkhotep "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008951; metadata: created_on 2022_11_22, old_sid 5006875; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Unlock92 ransomware file extension detected (.CCCRRRPPP)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".CCCRRRPPP "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008952; metadata: created_on 2022_11_22, old_sid 5006876; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Globe ransomware file extension detected (.kyra)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".kyra "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008953; metadata: created_on 2022_11_22, old_sid 5006877; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw Ransomware file extension detected (.fun)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".fun "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008954; metadata: created_on 2022_11_22, old_sid 5006878; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KillLocker ransomware file extension detected (.rip)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".rip "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008955; metadata: created_on 2022_11_22, old_sid 5006879; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Xorist Ransomware file extension detected (.73i87A)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".73i87A "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008956; metadata: created_on 2022_11_22, old_sid 5006880; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Bitstak ransomware file extension detected (.bitstak)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".bitstak "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008957; metadata: created_on 2022_11_22, old_sid 5006881; rev:2;)
# NOTE(review): KeRanger is a macOS family (per the msg); on Windows Security logs this can only surface via files
# written to Windows-hosted shares (5145) or local copies - expect it to be quiet.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KeRanger OS X ransomware file extension detected (.kernel_complete)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".kernel_complete "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008958; metadata: created_on 2022_11_22, old_sid 5006882; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw Ransomware file extension detected (.payrms)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".payrms "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008959; metadata: created_on 2022_11_22, old_sid 5006883; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alma Locker ransomware file extension detected (.a5zfn)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".a5zfn "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008960; metadata: created_on 2022_11_22, old_sid 5006884; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Bart ransomware file extension detected (.perl)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".perl "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008961; metadata: created_on 2022_11_22, old_sid 5006885; rev:2;)
# NOTE(review): sid 5008962 is the only enabled rule in this run whose content has NO trailing space
# (".noproblemwedecfiles" vs ".<ext> " everywhere else). If that is unintentional it should be
# ".noproblemwedecfiles " for consistency; if intentional (e.g. the token ends the field), document why.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Samas/SamSam ransomware file extension detected (.noproblemwedecfiles)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".noproblemwedecfiles"; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008962; metadata: created_on 2022_11_22, old_sid 5006886; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw (variant) ransomware file extension detected (.lcked)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".lcked "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008963; metadata: created_on 2022_11_22, old_sid 5006887; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Xorist Ransomware file extension detected (.p5tkjw)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".p5tkjw "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008964; metadata: created_on 2022_11_22, old_sid 5006888; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw Ransomware file extension detected (.paymst)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".paymst "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008965; metadata: created_on 2022_11_22, old_sid 5006889; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Magic ransomware file extension detected (.magic)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".magic "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008966; metadata: created_on 2022_11_22, old_sid 5006890; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw Ransomware file extension detected (.payms)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".payms "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008967; metadata: created_on 2022_11_22, old_sid 5006891; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] PyL33T ransomware file extension detected (.d4nk)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".d4nk "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008968; metadata: created_on 2022_11_22, old_sid 5006892; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Apocalypse ransomware file extension detected (.SecureCrypted)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".SecureCrypted "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008969; metadata: created_on 2022_11_22, old_sid 5006893; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw Ransomware file extension detected (.paymts)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".paymts "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008970; metadata: created_on 2022_11_22, old_sid 5006894; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Kostya ransomware file extension detected (.kostya)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".kostya "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008971; metadata: created_on 2022_11_22, old_sid 5006895; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Globe (variant) ransomware file extension detected (.lovewindows)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".lovewindows "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008972; metadata: created_on 2022_11_22, old_sid 5006896; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Roga ransomware file extension detected (.madebyadam)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".madebyadam "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008973; metadata: created_on 2022_11_22, old_sid 5006897; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Samas/SamSam ransomware file extension detected (.powerfulldecrypt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".powerfulldecrypt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008974; metadata: created_on 2022_11_22, old_sid 5006898; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw (variant) ransomware file extension detected (.gefickt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".gefickt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008975; metadata: created_on 2022_11_22, old_sid 5006899; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KeRanger OS X ransomware file extension detected (.kernel_pid)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".kernel_pid "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008976; metadata: created_on 2022_11_22, old_sid 5006900; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] SerbRansom ransomware file extension detected (.ifuckedyou)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".ifuckedyou "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008977; metadata: created_on 2022_11_22, old_sid 5006901; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Karmen HiddenTear (variant) ransomware file extension detected (.grt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".grt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008978; metadata: created_on 2022_11_22, old_sid 5006902; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Conficker ransomware file extension detected (.conficker)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".conficker "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008979; metadata: created_on 2022_11_22, old_sid 5006903; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] EdgeLocker ransomware file extension detected (.edgel)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".edgel "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008980; metadata: created_on 2022_11_22, old_sid 5006904; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Xorist Ransomware file extension detected (.PoAr2w)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".PoAr2w "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008981; metadata: created_on 2022_11_22, old_sid 5006905; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Marlboro ransomware file extension detected (.oops)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".oops "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008982; metadata: created_on 2022_11_22, old_sid 5006906; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Angry Duck ransomware file extension detected (.adk)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".adk "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008983; metadata: created_on 2022_11_22, old_sid 5006907; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KeRanger OS X ransomware file extension detected (.encrypted)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".encrypted "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008984; metadata: created_on 2022_11_22, old_sid 5006908; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Samas/SamSam ransomware file extension detected (.Whereisyourfiles)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".Whereisyourfiles "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008985; metadata: created_on 2022_11_22, old_sid 5006909; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Coverton ransomware file extension detected (.czvxce)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".czvxce "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008986; metadata: created_on 2022_11_22, old_sid 5006910; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Samas/SamSam ransomware file extension detected (.theworldisyours)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".theworldisyours "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008987; metadata: created_on 2022_11_22, old_sid 5006911; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] PizzaCrypts Ransomware file extension detected (.info)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".info "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008988; metadata: created_on 2022_11_22, old_sid 5006912; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Razy ransomware file extension detected (.razy)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".razy "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008989; metadata: created_on 2022_11_22, old_sid 5006913; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Zeta ransomware file extension detected (.rmd)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".rmd "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008990; metadata: created_on 2022_11_22, old_sid 5006914; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw (variant) ransomware file extension detected (.fun)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".fun "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008991; metadata: created_on 2022_11_22, old_sid 5006915; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KimcilWare ransomware file extension detected (.kimcilware)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".kimcilware "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008992; metadata: created_on 2022_11_22, old_sid 5006916; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw Ransomware file extension detected (.paymrss)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".paymrss "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008993; metadata: created_on 2022_11_22, old_sid 5006917; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] DXXD ransomware file extension detected (.dxxd)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".dxxd "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008994; metadata: created_on 2022_11_22, old_sid 5006918; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] PEC 2017 ransomware file extension detected (.pec)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".pec "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008995; metadata: created_on 2022_11_22, old_sid 5006919; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Rokku ransomware file extension detected (.rokku)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".rokku "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008996; metadata: created_on 2022_11_22, old_sid 5006920; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Lock93 ransomware file extension detected (.lock93)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".lock93 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008997; metadata: created_on 2022_11_22, old_sid 5006921; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] vxLock ransomware file extension detected (.vxlock)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".vxlock "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008998; metadata: created_on 2022_11_22, old_sid 5006922; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] PUBG ransomware file extension detected (.pubg)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".pubg "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5008999; metadata: created_on 2022_11_22, old_sid 5006923; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] GandCrab ransomware file extension detected (.crab)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".crab "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009000; metadata: created_on 2022_11_22, old_sid 5006924; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt 3.0 ransomware file extension detected (.micro)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".micro "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009001; metadata: created_on 2022_11_22, old_sid 5006925; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware file extension detected (.zepto)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".zepto "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009002; metadata: created_on 2022_11_22, old_sid 5006926; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] LOLI RanSomeWare ransomware file extension detected (.loli)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".loli "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009003; metadata: created_on 2022_11_22, old_sid 5006927; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cerber 3 ransomware file extension detected (.cerber3)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".cerber3 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009004; metadata: created_on 2022_11_22, old_sid 5006928; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware file extension detected (.locky)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".locky "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009005; metadata: created_on 2022_11_22, old_sid 5006929; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] AxCrypt file extension detected (.axx)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".axx "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009006; metadata: created_on 2022_11_22, old_sid 5006930; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cerber ransomware file extension detected (.cerber)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".cerber "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009007; metadata: created_on 2022_11_22, old_sid 5006931; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoMix (variant) ransomware file extension detected (.mole)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".mole "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009008; metadata: created_on 2022_11_22, old_sid 5006932; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Dharma ransomware file extension detected (.onion)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".onion "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009009; metadata: created_on 2022_11_22, old_sid 5006933; rev:2;)
# --- Ransomware file-extension indicators (sid 5009010 - 5009067) -------------------
# Every rule in this run has the same shape; only msg, the content pattern and the
# sid/old_sid pair differ. Shared options:
#   program:*Security*             - only Windows Security-channel events are evaluated.
#   json_map:"event_id",".EventID" - EventID is mapped so that event_id: can filter on it.
#   json_map:"username",".Computer" - NOTE(review): the "username" field is mapped to
#                                    .Computer, so every "track by_username" below keys
#                                    on the HOST name, not on a user account.
#   json_map:"message",".RenderedDescription" - the content: match is applied to the
#                                    rendered event text (assumes Sagan searches the
#                                    mapped message field - confirm with the JSON
#                                    mapping in use).
#   event_id:4663,567,5145         - object-access events (4663 and legacy 567) plus
#                                    network-share access (5145).
#   content:".ext "; nocase        - case-insensitive; the trailing space is meant to
#                                    anchor the end of the extension so that ".crypt "
#                                    does not also hit ".crypto". NOTE(review): this
#                                    assumes the collector renders the object name
#                                    followed by a space; if the event's original
#                                    CR/LF or tab separators are preserved these rules
#                                    never match - validate against a captured 4663
#                                    event from the Event Hub feed.
#   after: count 25, seconds 3600  - an alert is raised only once 25 matching events
#                                    have been seen for the same tracked key within an
#                                    hour: a single stray file does not fire, a bulk
#                                    rename/encrypt run does.
#   threshold: type suppress ...   - once alerting, further hits for the same key in
#                                    the window are suppressed (the exact interaction
#                                    with "after" follows Sagan's evaluation order -
#                                    confirm).
#   metadata: old_sid N            - sids were renumbered on 2022_11_22; old_sid keeps
#                                    the previous id for alert-history correlation.
# Because 5145 is a share-access event, .Computer for files encrypted over a share is
# the file server, not the infected client; host-keyed thresholds and any host-based
# response need to account for that.
# Extensions that are also ordinary words or benign formats (.good, .locked, .encrypted,
# .wallet, .sage, .damage) are the likely false-positive sources; the after/threshold
# counts are the tuning knobs, not the patterns.
# Rules prefixed with "#" (.ccc, .enc, .mp3) are disabled - presumably because those
# extensions are common on benign files; confirm before re-enabling.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Scatter ransomware file extension detected (.crypt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".crypt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009010; metadata: created_on 2022_11_22, old_sid 5006934; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptXXX ransomware file extension detected (.cryp1)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".cryp1 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009011; metadata: created_on 2022_11_22, old_sid 5006935; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky (variant) ransomware file extension detected (.osiris)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".osiris "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009012; metadata: created_on 2022_11_22, old_sid 5006936; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptXXX ransomware file extension detected (.crypz)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".crypz "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009013; metadata: created_on 2022_11_22, old_sid 5006937; rev:2;)
# disabled (.ccc) - see header note on disabled rules
#alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt or Cryptowall file extension detected (.ccc)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".ccc "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009014; metadata: created_on 2022_11_22, old_sid 5006938; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Various ransomware file extension detected (.locked)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".locked "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009015; metadata: created_on 2022_11_22, old_sid 5006939; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware file extension detected (.odin)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".odin "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009016; metadata: created_on 2022_11_22, old_sid 5006940; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cerber 2 ransomware file extension detected (.cerber2)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".cerber2 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009017; metadata: created_on 2022_11_22, old_sid 5006941; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] PUBG ransomware file extension detected (.pubg)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".pubg "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009018; metadata: created_on 2022_11_22, old_sid 5006942; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Globe ransomware file extension detected (.globe)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".globe "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009019; metadata: created_on 2022_11_22, old_sid 5006943; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alpha ransomware file extension detected (.encrypt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".encrypt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009020; metadata: created_on 2022_11_22, old_sid 5006944; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Sage ransomware file extension detected (.sage)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".sage "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009021; metadata: created_on 2022_11_22, old_sid 5006945; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alpha Crypt file extension detected (.exx)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".exx "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009022; metadata: created_on 2022_11_22, old_sid 5006946; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Various ransomware file extension detected (.encrypted)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".encrypted "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009023; metadata: created_on 2022_11_22, old_sid 5006947; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Scatter ransomware file extension detected (.good)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".good "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009024; metadata: created_on 2022_11_22, old_sid 5006948; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] PayDay ransomware files extension detected (.sexy)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".sexy "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009025; metadata: created_on 2022_11_22, old_sid 5006949; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alpha Crypt virus file extension detected (.ezz)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".ezz "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009026; metadata: created_on 2022_11_22, old_sid 5006950; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] 7ev3n ransomware file extension detected (.r5a)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".r5a "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009027; metadata: created_on 2022_11_22, old_sid 5006951; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Enigma ransomware file extension detected (.1txt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".1txt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009028; metadata: created_on 2022_11_22, old_sid 5006952; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Malware (ransomware) encoded file extension detected (.enciphered)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".enciphered "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009029; metadata: created_on 2022_11_22, old_sid 5006953; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Anubis ransomware file extension detected (.coded)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".coded "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009030; metadata: created_on 2022_11_22, old_sid 5006954; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Encrypted file by Cryptowall ransomware extension detected (.cryptowall)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".cryptowall "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009031; metadata: created_on 2022_11_22, old_sid 5006955; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Coverton ransomware file extension detected (.enigma)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".enigma "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009032; metadata: created_on 2022_11_22, old_sid 5006956; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Globe 3 (variant) ransomware file extension detected (.wallet)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".wallet "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009033; metadata: created_on 2022_11_22, old_sid 5006957; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cryptolocker or TeslaCrypt virus file extension detected (.ecc)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".ecc "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009034; metadata: created_on 2022_11_22, old_sid 5006958; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Merry X-Mas ransomware file extension detected (.MERRY)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".MERRY "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009035; metadata: created_on 2022_11_22, old_sid 5006959; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware file extension detected (.zzzzz)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".zzzzz "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009036; metadata: created_on 2022_11_22, old_sid 5006960; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Fantom ransomware file extension detected (.fantom)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".fantom "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009037; metadata: created_on 2022_11_22, old_sid 5006961; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Globe 3 ransomware file extension detected (.decrypt2017)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".decrypt2017 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009038; metadata: created_on 2022_11_22, old_sid 5006962; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoLocker file extension detected (.cryptolocker)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".cryptolocker "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009039; metadata: created_on 2022_11_22, old_sid 5006963; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware file extension detected (.aesir)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".aesir "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009040; metadata: created_on 2022_11_22, old_sid 5006964; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Files1147@gmail(.)com ransomware file extension detected (.breaking_bad)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".breaking_bad "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009041; metadata: created_on 2022_11_22, old_sid 5006965; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] El-Polocker file extension detected (.ha3)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".ha3 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009042; metadata: created_on 2022_11_22, old_sid 5006966; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Damage ransomware file extension detected (.damage)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".damage "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009043; metadata: created_on 2022_11_22, old_sid 5006967; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] WannaCry ransomware file extension detected (.wcry)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".wcry "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009044; metadata: created_on 2022_11_22, old_sid 5006968; rev:2;)
# NOTE(review): no trailing-space anchor in this pattern (".lol!"), unlike the rest of
# the run; it will also match any longer string beginning with ".lol!" - confirm intent.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] GPCode ransomware file extension detected (.lol!)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".lol!"; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009045; metadata: created_on 2022_11_22, old_sid 5006969; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CrySiS ransomware file extension detected (.dharma)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".dharma "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009046; metadata: created_on 2022_11_22, old_sid 5006970; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Deadbolt ransomware file extension detected (.deadbolt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".deadbolt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009047; metadata: created_on 2022_11_22, old_sid 5006971; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Legion ransomware file extension detected (.legion)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".legion "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009048; metadata: created_on 2022_11_22, old_sid 5006972; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KratosCrypt ransomware file extension detected (.kratos)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".kratos "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009049; metadata: created_on 2022_11_22, old_sid 5006973; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Merry X-Mas ransomware file extension detected (.MRCR1)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".MRCR1 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009050; metadata: created_on 2022_11_22, old_sid 5006974; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Radamant v2 ransomware file extension detected (.rrk)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".rrk "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009051; metadata: created_on 2022_11_22, old_sid 5006975; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] HiddenTear (variant) ransomware file extension detected (.maya)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".maya "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009052; metadata: created_on 2022_11_22, old_sid 5006976; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoJoker ransomware file extension detected (.crjoker)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".crjoker "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009053; metadata: created_on 2022_11_22, old_sid 5006977; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Shade ransomware file extension detected (.windows10)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".windows10 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009054; metadata: created_on 2022_11_22, old_sid 5006978; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] LeChiffre ransomware file extension detected (.LeChiffre)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".LeChiffre "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009055; metadata: created_on 2022_11_22, old_sid 5006979; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Rakhni ransomware file extension detected (.kraken)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".kraken "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009056; metadata: created_on 2022_11_22, old_sid 5006980; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Serpent (variant) ransomware file extension detected (.serp)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".serp "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009057; metadata: created_on 2022_11_22, old_sid 5006981; rev:2;)
# NOTE(review): no trailing-space anchor in this pattern (".keybtc@inbox_com"); it will
# also match longer strings starting with the same text - confirm intent.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KeyBTC ransomware file extension detected (.keybtc@inbox_com)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".keybtc@inbox_com"; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009058; metadata: created_on 2022_11_22, old_sid 5006982; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] ZCRYPT ransomware file extension detected (.zcrypt)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".zcrypt "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009059; metadata: created_on 2022_11_22, old_sid 5006983; rev:2;)
# disabled (.enc) - see header note on disabled rules
#alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TorrentLocker ransomware file extension detected (.enc)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".enc "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009060; metadata: created_on 2022_11_22, old_sid 5006984; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] DecryptorMax or CryptInfinite ransomware file extension detected (.crinf)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".crinf "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009061; metadata: created_on 2022_11_22, old_sid 5006985; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Surprise ransomware file extension detected (.surprise)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".surprise "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009062; metadata: created_on 2022_11_22, old_sid 5006986; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Troldesh (variant) ransomware file extension detected (.ytbl)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".ytbl "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009063; metadata: created_on 2022_11_22, old_sid 5006987; rev:2;)
# disabled (.mp3) - see header note on disabled rules; .mp3 is a common audio format
#alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt 3.0 ransomware file extension detected (.mp3)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".mp3 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009064; metadata: created_on 2022_11_22, old_sid 5006988; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] PadCrypt Ransomware script extension detected (.pdcr)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".pdcr "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009065; metadata: created_on 2022_11_22, old_sid 5006989; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Evil ransomware file extension detected (.file0locked)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".file0locked "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009066; metadata: created_on 2022_11_22, old_sid 5006990; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Chip ransomware file extension detected (.dale)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".dale "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009067; metadata: created_on 2022_11_22, old_sid 5006991; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Venus Locker ransomware file extension detected (.venusf)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".venusf "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009068; metadata: created_on 2022_11_22, old_sid 5006992; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Potato ransomware file extension detected (.potato)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".potato "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009069; metadata: created_on 2022_11_22, old_sid 5006993; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt ransomware file extension detected (.zzz)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".zzz "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009070; metadata: created_on 2022_11_22, old_sid 5006994; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Angela Merkel ransomware file extension detected (.angelamerkel)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".angelamerkel "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009071; metadata: created_on 2022_11_22, old_sid 5006995; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoMix ransomware file extension detected (.lesli)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".lesli "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009072; metadata: created_on 2022_11_22, old_sid 5006996; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Merry X-Mas ransomware file extension detected (.PEGS1)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".PEGS1 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009073; metadata: created_on 2022_11_22, old_sid 5006997; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Ransomware file extension detected (.R16m01d05)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".R16m01d05 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009074; metadata: created_on 2022_11_22, old_sid 5006998; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] WildFire ransomware file extension detected (.wflx)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".wflx "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009075; metadata: created_on 2022_11_22, old_sid 5006999; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] STOP Ransomware variant extension detected (.remk)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".remk "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009076; metadata: created_on 2022_11_22, old_sid 5007000; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Serpent ransomware file extension detected (.serpent)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".serpent "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009077; metadata: created_on 2022_11_22, old_sid 5007001; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Troldesh (variant) ransomware file extension detected (.Dexter)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".Dexter "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009078; metadata: created_on 2022_11_22, old_sid 5007002; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Rakhni ransomware file extension detected (.darkness)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".darkness "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009079; metadata: created_on 2022_11_22, old_sid 5007003; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt ransomware file extension detected (.xyz)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".xyz "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009080; metadata: created_on 2022_11_22, old_sid 5007004; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Gremit ransomware file extension detected (.rnsmwr)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".rnsmwr "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009081; metadata: created_on 2022_11_22, old_sid 5007005; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] LockLock ransomware file extension detected (.locklock)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".locklock "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009082; metadata: created_on 2022_11_22, old_sid 5007006; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] FileLocker ransomware file extension detected (.encr)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".encr "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009083; metadata: created_on 2022_11_22, old_sid 5007007; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware file extension detected (.thor)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".thor "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009084; metadata: created_on 2022_11_22, old_sid 5007008; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Nuke ransomware file extension detected (.nuclear55)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".nuclear55 "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009085; metadata: created_on 2022_11_22, old_sid 5007009; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KeRanger OS X ransomware extension detected (.kernel_time)"; program:*Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4663,567,5145; content:".kernel_time "; nocase; after: track by_username, count 25, seconds 3600; threshold: type suppress, track by_username, count 25, seconds 3600; classtype:ransomware; sid:5009086; metadata: created_on 2022_11_22, old_sid 5007010; rev:2;)