[Bro] Bro to detect Ransomware

Zied Turki zied.turki at outlook.com
Tue Nov 17 01:19:40 PST 2015


Thank you for the prompt reply.
I will try to do that.

Kind regards,

Date: Mon, 16 Nov 2015 14:31:06 -0800
Subject: Re: [Bro] Bro to detect Ransomware
From: anthony.kasza at gmail.com
To: zied.turki at outlook.com
CC: bro at bro.org

Most ransomware indicators are host based.
 From a network monitoring perspective there are three things I can think of which you can look for with Bro. 

1) Some families of ransomware will contact STUN services to geolocate themselves so they can display a ransom message in a native language. Look for connections to these services. 

2) Some families of ransomware use tor for beaconing after initial execution. Looks for connections to Tor. 

3) Email spam and exploit kits are known distribution mechanisms for a good amount of ransomware. Check hashes from inbound emails against VT and ensure your users aren't visiting known EK URLs.
On Nov 16, 2015 3:30 PM, "Zied Turki" <zied.turki at outlook.com> wrote:

Hi all,

I am new to Bro scripts and I am trying to build a platform to detect Ransomware like CyptoLocker using Bro IDS.
 am wondering whether Bro mechanisms and Frameworks can be useful to 
detect this kind of malware. Please, has anyone tried to built some 
scripts to do that before ? Any ideas, please ?

Many thanks,



Bro mailing list

bro at bro-ids.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151117/0b86dc0f/attachment-0001.html 

More information about the Bro mailing list