SIG: ET TROJAN Interlock.RansomGroup RAT Initial Callback

Tested against PCAP from tria.ge for SHA256 299a8ef490076664675e3b52d6767bf89ddfa6accf291818c537a600a96290d2, where it is magic bytes and then the fields described in the Sekoia.io blog post "Interlock ransomware evolving under the radar". While the report also notes it is on TCP 443, as a RAT it should be able to use any port, so I have not limited the rule to that.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Interlock.RansomGroup RAT Initial Callback"; flow:established,to_server; content:"|55 11 69 DF|{|22|iptarget|22|"; depth:15; content:"|22|domain|22|"; distance:0; classtype:trojan-activity; reference:url,Interlock ransomware evolving under the radar - Sekoia.io Blog; reference:md5,2366128c20f42ee819251747eb3199a4; sid:123451; rev:1;)

Kind Regards,
Kevin Ross

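To see exactly what the rule above does and does not fire on, here is an added example (not part of the post, and not Emerging Threats or Suricata code) that re-implements its two content checks in Python with the same depth and distance semantics, then runs them over constructed payloads. The JSON-style body and the field values are assumptions based on the `{"iptarget"` and `"domain"` bytes in the rule, not captured traffic.

```python
"""Added example: mirror the Suricata rule's content/depth/distance logic in
Python so its behaviour can be checked offline against constructed payloads."""
from __future__ import annotations

MAGIC = bytes.fromhex("551169DF")        # the |55 11 69 DF| magic bytes from the rule
FIRST = MAGIC + b'{"iptarget"'           # content #1: magic plus start of the first field
SECOND = b'"domain"'                     # content #2, must appear after the first match


def match_depth(payload: bytes, needle: bytes, depth: int) -> int:
    """Suricata `depth:N`: the whole needle must lie within the first N bytes.
    Returns the match offset or -1 (FIRST is 15 bytes, so depth:15 pins it to offset 0)."""
    return payload[:depth].find(needle)


def match_distance(payload: bytes, needle: bytes, prev_end: int, distance: int) -> int:
    """Suricata `distance:N` relative to the previous match: the search starts N bytes
    after the end of that match. Returns the absolute offset or -1."""
    return payload.find(needle, prev_end + distance)


def matches_interlock_callback(payload: bytes) -> bool:
    """True if a to-server payload satisfies both content checks of the rule."""
    first = match_depth(payload, FIRST, 15)
    if first < 0:
        return False
    second = match_distance(payload, SECOND, first + len(FIRST), 0)
    return second >= 0


# Constructed sample payloads (assumed layout, not real captures) to exercise the logic.
SAMPLES = {
    "hit": MAGIC + b'{"iptarget":"192.0.2.10","domain":"CORP","hostname":"WS01"}',
    "shifted": b"\x00" + MAGIC + b'{"iptarget":"192.0.2.10","domain":"CORP"}',  # magic outside depth:15
    "no_domain": MAGIC + b'{"iptarget":"192.0.2.10","hostname":"WS01"}',         # second content missing
    "plain_json": b'{"iptarget":"192.0.2.10","domain":"CORP"}',                  # no magic bytes at all
}


def run_samples() -> dict[str, bool]:
    """Evaluate every sample; only the well-formed callback should match."""
    return {name: matches_interlock_callback(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:11s} {'ALERT' if hit else 'no match'}")
```

The "shifted" case shows why `depth:15` matters: a single leading byte pushes the 15-byte first content past the depth window, so a hunt for the magic elsewhere in the stream would need a different rule.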

Hey @kevross33 - As always, thanks for the great content! We got this signature in today’s release as 2061804 - ET MALWARE Interlock RAT CnC Checkin.


Thanks!
Isaac
