Bro to detect Ransomware

Hi all,

I am new to Bro scripts and I am trying to build a platform to detect Ransomware like CyptoLocker using Bro IDS.
I am wondering whether Bro mechanisms and Frameworks can be useful to detect this kind of malware. Please, has anyone tried to built some scripts to do that before ? Any ideas, please ?

Many thanks,


Most ransomware indicators are host based.

From a network monitoring perspective there are three things I can think of which you can look for with Bro.

  1. Some families of ransomware will contact STUN services to geolocate themselves so they can display a ransom message in a native language. Look for connections to these services.
  2. Some families of ransomware use tor for beaconing after initial execution. Looks for connections to Tor.
  3. Email spam and exploit kits are known distribution mechanisms for a good amount of ransomware. Check hashes from inbound emails against VT and ensure your users aren’t visiting known EK URLs.



Thank you for the prompt reply.
I will try to do that.

Kind regards,