[Bro] Bro to detect Ransomware

anthony kasza anthony.kasza at gmail.com
Mon Nov 16 14:31:06 PST 2015

Most ransomware indicators are host based.

>From a network monitoring perspective there are three things I can think of
which you can look for with Bro.
1) Some families of ransomware will contact STUN services to geolocate
themselves so they can display a ransom message in a native language. Look
for connections to these services.
2) Some families of ransomware use tor for beaconing after initial
execution. Looks for connections to Tor.
3) Email spam and exploit kits are known distribution mechanisms for a good
amount of ransomware. Check hashes from inbound emails against VT and
ensure your users aren't visiting known EK URLs.

On Nov 16, 2015 3:30 PM, "Zied Turki" <zied.turki at outlook.com> wrote:

> Hi all,
> I am new to Bro scripts and I am trying to build a platform to detect
> Ransomware like CyptoLocker using Bro IDS.
> I am wondering whether Bro mechanisms and Frameworks can be useful to
> detect this kind of malware. Please, has anyone tried to built some scripts
> to do that before ? Any ideas, please ?
> Many thanks,
> BR,
> Zied
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151116/dc7851b9/attachment.html 

More information about the Bro mailing list