Here are some sigs for this associated with a ransomware threat actor. In the reference you can see the DNS packets which are always TXT packets and either 1000000000000000.com for the query every 10 seconds as a beacon or 100000000000000HEX_STRING.com. You can see the packet and info in the reference.
Kind Regards,
Kevin Ross
alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 53 (msg:"ET MALWARE Skitnet/Bossnet Backdoor DNS TXT Beacon"; flow:established,to_server; dns.query; content:"1000000000000000.com"; threshold:type both, track by_src, count 10, seconds 300; classtype:trojan-activity; reference:url,Prodaft CATALYST; sid:131001; rev:1;)
alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 53 (msg:"ET MALWARE Skitnet/Bossnet Backdoor DNS TXT Data Request"; flow:established,to_server; dns.query; content:"100000000000000"; startswith; dns.query; content:".com"; endswith; pcre:"/100000000000000[0-9a-f]{2,}\.com/"; classtype:trojan-activity; reference:url,Prodaft CATALYST; sid:131002; rev:1;)
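
Added example, not part of the original post: the same matching logic applied offline to DNS query logs in Python, for hunting through stored logs where no sensor was in place. The record layout (epoch seconds, source IP, query name, query type), the sample records and the lowercasing of the name before matching are assumptions; the beacon alert only approximates the `threshold` in sid 131001.

```python
import re
from collections import defaultdict, deque

# Values taken from the two signatures above.
BEACON_QNAME = "1000000000000000.com"
DATA_PREFIX = "100000000000000"
DATA_RE = re.compile(re.escape(DATA_PREFIX) + r"[0-9a-f]{2,}\.com")
BEACON_COUNT, WINDOW_SECONDS = 10, 300  # mirrors the threshold in sid 131001

def classify(qname, qtype):
    """Return 'beacon', 'data' or None for a single DNS query."""
    if qtype != "TXT":          # the post states the queries are always TXT
        return None
    name = qname.rstrip(".").lower()  # assumption: normalise case and trailing dot
    if name == BEACON_QNAME:
        return "beacon"
    if DATA_RE.fullmatch(name):
        return "data"
    return None

def scan(records):
    """records: time-ordered (epoch_seconds, src_ip, qname, qtype) tuples.
    Returns (timestamp, src_ip, kind) findings: every data request, and one
    beacon finding per source per window once the beacon count is reached."""
    findings, recent, quiet_until = [], defaultdict(deque), {}
    for ts, src, qname, qtype in records:
        kind = classify(qname, qtype)
        if kind == "data":
            findings.append((ts, src, "data"))
        elif kind == "beacon":
            window = recent[src]
            window.append(ts)
            while ts - window[0] >= WINDOW_SECONDS:  # drop beacons outside the window
                window.popleft()
            if len(window) >= BEACON_COUNT and ts >= quiet_until.get(src, 0):
                findings.append((ts, src, "beacon"))
                quiet_until[src] = ts + WINDOW_SECONDS
    return findings

# Constructed sample: one host beaconing every 10 seconds, then a data request,
# plus an unrelated TXT lookup from another host.
SAMPLE = [(t, "10.0.0.5", BEACON_QNAME, "TXT") for t in range(0, 120, 10)]
SAMPLE += [(120, "10.0.0.5", DATA_PREFIX + "4a6f686e.com", "TXT"),
           (125, "10.0.0.9", "example.com", "TXT")]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```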