Hello dear community,
This is a thread with free content to detect and stop Ransomware using ArcSight ESM & Express platform.
As you know, ransomware attacks have risen drastically in number during the last 3 years. The total damage caused to organizations worldwide exceeds billions of dollars. Timeline based on Symantec research:
Recent research published @TechRepublic provides hints about Ransomware 2.0, incoming shortly, which will be self-propagating, use encrypted communications (news?), abuse easily exploitable vulnerabilities and outdated software, etc. Since there is no single silver bullet among active mitigation solutions that blocks 100% of ransomware, proactive detection is the way. And while there is a huge amount of claims (and some proof) that machine learning is the best way, ArcSight can do all it takes to spot and report ransomware infections at any stage.
That being said, I want to share with the community a free version of our Ransomware Hunter package that monitors publicly known ransomware distribution sites, C2 sites and payment sites. The reputation feed is automatically integrated thanks to our friends @ abuse.ch! Here is what we get as a result:
The package includes a set of rules for checking connections to each site type, Cyber Kill Chain mapping, interactive dashboards for both ArcSight Web and Console, Active Lists with publicly known ransomware-related sites, behavioural indicators of ransomware infection, long-term profiling of indicators spotted on hosts, active channels, and priority weights & a scoring formula. Some more screens below:
What's the catch with the free version? None! By all means, this is an open framework and suggestions & contributions are welcome.
Examples of Ransomware that the package finds: TeslaCrypt | CryptoWall | TorrentLocker | PadCrypt | Locky | CTB-Locker | FAKBEN | PayCrypt | DMALocker | Cerber
Some of the functionality described above is not included in the basic version; more details on the advanced version are available here: Ransomware Hunter by SOC Prime
Please PM for any questions, feedback is most welcome!
CISO Tactical Brief on Ransomware - R-Hunter.pdf
Archive: includes the .ARB package, the ip-rep abuse.ch feed gathering script & installation guide: soc-prime-ransomware-hunter-basic-1.2.zip
MD5 hash v.1.2: e581123ff7ee3cd2a1546caacc609a0f *soc-prime-ransomware-hunter-basic-1.2.zip
Platform requirements:
- HPE ArcSight ESM 6.0 or higher;
- HPE ArcSight Express 4.0 or higher.
Network access to https://goo.gl/ is required.
Log source requirements:
Firewall Logs: Cisco ASA; Cisco FWSM; CheckPoint Firewall; Palo Alto; Others
Proxy Logs: Squid; BlueCoat Proxy; Microsoft Forefront TMG; Others
Optional / Work in progress / Advanced Package
IPS/IDS Logs: TippingPoint; Snort; CheckPoint IPS; Suricata; Others
Microsoft Windows Logs: Domain Controllers; WorkStations; Other
Antivirus Logs: ESET; Kaspersky; McAfee Endpoint Security; Avast; TrendMicro; Others
~ Kind regards from the SOC Prime team
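The post describes the package's core logic only in outline: an abuse.ch reputation feed is loaded into Active Lists, rules compare destinations seen in firewall and proxy logs against those lists, each hit is mapped to a Cyber Kill Chain stage, and hits are profiled per host with priority weights. The following is an added Python example (not part of the SOC Prime package or its .ARB content) that shows the same pipeline end to end on constructed data, so a reader can see what the rules have to do before opening the Console. The feed column order is an assumption about the abuse.ch Ransomware Tracker CSV export, the feed rows, Squid access-log lines and Cisco ASA 302013 lines are constructed samples, and the kill-chain mapping and stage weights are chosen for this example rather than copied from the package.

```python
"""Added example: abuse.ch-style feed lookup over proxy and firewall logs.

Not the SOC Prime package's own code. Feed layout, sample feed rows, sample
log lines, kill-chain mapping and stage weights are all assumptions made for
this example.
"""
import csv
import io
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed feed sample in the ASSUMED abuse.ch Ransomware Tracker column order:
# Firstseen,Threat,Malware,Host,URL,Status,Registrar,IP address(es),ASN(s),Country
FEED_CSV = """\
# Ransomware Tracker (constructed sample for this example, not real feed data)
2016-03-01 10:00:00,C2,Locky,c2.example.test,http://c2.example.test/main.php,online,-,192.0.2.10,64500,ZZ
2016-03-02 11:30:00,Distribution Site,TeslaCrypt,dl.example.test,http://dl.example.test/83.exe,online,-,198.51.100.7|198.51.100.8,64501,ZZ
2016-03-03 09:15:00,Payment Site,CryptoWall,pay.example.test,http://pay.example.test/,online,-,203.0.113.5,64502,ZZ
"""

# Kill-chain stage per feed threat class, and a priority weight per stage.
# Both chosen for this example; the package's own mapping is not reproduced.
KILL_CHAIN = {"Distribution Site": "Delivery",
              "C2": "Command and Control",
              "Payment Site": "Actions on Objectives"}
STAGE_WEIGHT = {"Delivery": 3, "Command and Control": 5, "Actions on Objectives": 8}

# Squid native access log: time elapsed client action/code size method URL ...
SQUID_RE = re.compile(r"^\S+\s+\d+\s+(?P<src>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")
# Cisco ASA 302013 "Built outbound TCP connection" line; for outbound
# connections the first endpoint is the destination, the second the source.
ASA_RE = re.compile(r"%ASA-\d-302013: Built outbound TCP connection \d+ for "
                    r"[^\s:]+:(?P<dst>[\d.]+)/\d+ \S+ to [^\s:]+:(?P<src>[\d.]+)/\d+")


def parse_feed(text):
    """Return {indicator: (threat, malware)} for every host and IP in the feed.

    This is the equivalent of filling the package's Active Lists."""
    indicators = {}
    rows = csv.reader(line for line in io.StringIO(text)
                      if line.strip() and not line.startswith("#"))
    for row in rows:
        if len(row) < 8:
            continue
        threat, malware, host, ips = row[1], row[2], row[3].lower(), row[7]
        indicators[host] = (threat, malware)
        for ip in ips.split("|"):          # several IPs are '|'-joined (assumption)
            if ip and ip != "-":
                indicators[ip] = (threat, malware)
    return indicators


def extract_connection(line):
    """Return (source, destination indicator) from a Squid or ASA line, else None."""
    m = ASA_RE.search(line)
    if m:
        return m.group("src"), m.group("dst")
    m = SQUID_RE.match(line)
    if m:
        url = m.group("url")
        if "://" not in url:               # CONNECT lines log bare host:port
            url = "//" + url
        return m.group("src"), (urlsplit(url).hostname or "").lower()
    return None


def detect(log_lines, indicators):
    """One alert per log line whose destination is on the feed, tagged with stage."""
    alerts = []
    for line in log_lines:
        conn = extract_connection(line)
        if conn is None:
            continue
        src, dst = conn
        hit = indicators.get(dst)
        if hit:
            threat, malware = hit
            alerts.append({"src": src, "dst": dst, "threat": threat,
                           "malware": malware,
                           "stage": KILL_CHAIN.get(threat, "Unknown")})
    return alerts


def profile_hosts(alerts):
    """Score each internal host by the DISTINCT kill-chain stages it reached.

    A host seen at delivery, C2 and payment infrastructure outranks one with a
    single download hit, which is the point of profiling over time."""
    stages = defaultdict(set)
    for a in alerts:
        stages[a["src"]].add(a["stage"])
    return {src: sum(STAGE_WEIGHT.get(s, 1) for s in seen) for src, seen in stages.items()}


# Constructed log lines (Squid native format and ASA 302013), not real traffic.
SAMPLE_LOGS = [
    "1457000000.123    120 10.1.2.3 TCP_MISS/200 4321 GET http://dl.example.test/83.exe - DIRECT/198.51.100.7 application/octet-stream",
    "1457000050.456     80 10.1.2.3 TCP_MISS/200 512 POST http://c2.example.test/main.php - DIRECT/192.0.2.10 text/html",
    "1457000060.789     60 10.1.2.9 TCP_MISS/200 2048 GET http://www.example.org/index.html - DIRECT/93.184.216.34 text/html",
    "Mar 03 12:00:01 fw01 %ASA-6-302013: Built outbound TCP connection 9001 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.2.3/52000 (198.18.0.1/52000)",
    "Mar 03 12:00:05 fw01 %ASA-6-302013: Built outbound TCP connection 9002 for outside:198.51.100.8/80 (198.51.100.8/80) to inside:10.1.2.7/52001 (198.18.0.1/52001)",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOGS, parse_feed(FEED_CSV))
    for a in found:
        print(f"{a['src']} -> {a['dst']}: {a['malware']} {a['threat']} [{a['stage']}]")
    print("host scores:", profile_hosts(SAMPLE_LOGS and found))
```

In the ArcSight package the same three pieces appear as the feed gathering script (parse_feed), the per-site-type rules over firewall and proxy events (detect) and the host profiling with priority weights (profile_hosts). Note that the ASA pattern only covers outbound 302013 events; inbound and UDP variants have the endpoints in the same order but a different message text, so a production rule needs its own condition per message ID.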