Bro to detect Ransomware

Zied_Turki · November 16, 2015, 8:28pm

Hi all,

I am new to Bro scripts and I am trying to build a platform to detect Ransomware like CyptoLocker using Bro IDS.
I am wondering whether Bro mechanisms and Frameworks can be useful to detect this kind of malware. Please, has anyone tried to built some scripts to do that before ? Any ideas, please ?

Many thanks,

BR,
Zied

anthony_kasza1 · November 16, 2015, 10:31pm

Most ransomware indicators are host based.

From a network monitoring perspective there are three things I can think of which you can look for with Bro.

Some families of ransomware will contact STUN services to geolocate themselves so they can display a ransom message in a native language. Look for connections to these services.
Some families of ransomware use tor for beaconing after initial execution. Looks for connections to Tor.
Email spam and exploit kits are known distribution mechanisms for a good amount of ransomware. Check hashes from inbound emails against VT and ensure your users aren’t visiting known EK URLs.

-AK

Zied_Turki · November 17, 2015, 9:19am

Hello,

Thank you for the prompt reply.
I will try to do that.

Kind regards,
Zied

Topic		Replies	Views
Tor script Zeek	1	101	May 6, 2022
useful *.bro files repository? Zeek	1	71	May 6, 2022
Ransomware Zeek	1	104	May 6, 2022
Two Questions about Bro Zeek	1	86	May 6, 2022
BRO - Ransomware script (fox-it) Zeek	1	72	May 6, 2022

Bro to detect Ransomware

Related topics