I am new to Bro scripts and I am trying to build a platform to detect Ransomware like CryptoLocker using Bro IDS.
I am wondering whether Bro mechanisms and Frameworks can be useful to detect this kind of malware. Please, has anyone tried to build some scripts to do that before? Any ideas, please?
Most ransomware indicators are host based.
From a network monitoring perspective there are three things I can think of which you can look for with Bro.
- Some families of ransomware will contact STUN services to geolocate themselves so they can display a ransom message in a native language. Look for connections to these services.
- Some families of ransomware use Tor for beaconing after initial execution. Look for connections to Tor.
- Email spam and exploit kits are known distribution mechanisms for a good amount of ransomware. Check hashes from inbound emails against VT and ensure your users aren’t visiting known EK URLs.
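The three indicators above turned into a starting Bro (now Zeek) script, as an added example that is not from the thread or from the Bro project: it raises a notice when an internal host contacts a STUN port, raises a notice when a host contacts a default Tor port or an address in a Tor relay set, and hashes every attachment carried over SMTP so the SHA256 value appears in files.log for a VirusTotal check. The port lists are assumptions to adjust for your environment, and the `tor_relays` set is an empty placeholder meant to be filled with `redef` from a relay list you trust.

```zeek
##! Added example (not from the thread): network-side ransomware indicators.
##! Port lists and the tor_relays set are assumptions/placeholders.

@load base/frameworks/notice
@load base/frameworks/files
@load base/files/hash

module RansomwareIndicators;

export {
    redef enum Notice::Type += {
        ## A host talked to a STUN service (possible self-geolocation).
        STUN_Lookup,
        ## A host talked to a Tor relay address or a default Tor port.
        Tor_Contact,
    };

    ## Standard STUN/TURN ports (assumption: adjust to your environment).
    const stun_ports: set[port] = {
        3478/tcp, 3478/udp, 3479/tcp, 3479/udp, 5349/tcp, 5349/udp,
    } &redef;

    ## Default Tor ORPort/DirPort/SOCKS ports; only a hint, relays can use any port.
    const tor_ports: set[port] = { 9001/tcp, 9030/tcp, 9050/tcp, 9150/tcp } &redef;

    ## Known Tor relay addresses; placeholder left empty, populate with redef.
    const tor_relays: set[addr] = {} &redef;
}

# new_connection fires for TCP and UDP, so it also covers STUN over UDP.
event new_connection(c: connection)
{
    local dst = c$id$resp_h;
    local dport = c$id$resp_p;

    if ( dport in stun_ports )
        NOTICE([$note=STUN_Lookup,
                $msg=fmt("%s contacted STUN service %s:%s", c$id$orig_h, dst, dport),
                $conn=c,
                $identifier=cat(c$id$orig_h, dst)]);

    if ( dst in tor_relays || dport in tor_ports )
        NOTICE([$note=Tor_Contact,
                $msg=fmt("%s contacted possible Tor relay %s:%s", c$id$orig_h, dst, dport),
                $conn=c,
                $identifier=cat(c$id$orig_h, dst)]);
}

# Hash every file carried over SMTP; the digest lands in the sha256 column of
# files.log, which can then be checked against VirusTotal out of band.
event file_new(f: fa_file)
{
    if ( f?$source && f$source == "SMTP" )
        Files::add_analyzer(f, Files::ANALYZER_SHA256);
}
```

The `$identifier` field lets the Notice framework suppress repeats for the same source/destination pair, which matters because a STUN or Tor client typically reconnects often. For Tor and EK URLs in production, feeding relay addresses and URL indicators into the Intel framework is the more maintainable route than hard-coded sets, since the lists change daily.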
Thank you for the prompt reply.
I will try to do that.