Hunting Ransomware using ArcSight: proactive detection & response

Hello dear community,

This is a thread with free content to detect and stop Ransomware using ArcSight ESM & Express platform.

As you know, Ransomware attacks have risen drastically in number during the last 3 years. The total damage caused to organizations worldwide exceeds billions of dollars. Timeline based on Symantec research:


Recent research published @TechRepublic provides hints about Ransomware 2.0, incoming shortly, that will be self-propagating, use encrypted communications (news?), abuse easily exploitable vulnerabilities and outdated software, etc. Since there is no single silver bullet among active mitigation solutions that blocks 100% of Ransomware, proactive detection is the way. And while there is a huge amount of claims (and some proof) that Machine Learning is the best way, ArcSight can do all it takes to spot and report Ransomware infections at any stage.

That being said, I want to share with the community a free version of our Ransomware Hunter package that monitors publicly known Ransomware distribution sites, C2 sites and Payment sites. The reputation feed is automatically integrated thanks to our friends @! Here is what we get as a result:



The package includes a set of rules for checking connections to each site category, Cyber Kill Chain mapping, interactive dashboards for both ArcSight Web and Console, Active Lists with publicly known ransomware-related sites, behavioural indicators of ransomware infection, long-term profiling of indicators spotted on hosts, active channels, and priority weights & a scoring formula. Some more screens below:
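To make the rule logic concrete, here is an added example (not part of the package or the original post) that emulates in Python what the Active List matching and scoring do inside ESM: a constructed reputation list of distribution, C2 and payment sites is matched against Squid proxy log lines, each hit is mapped to its kill-chain stage, and each client accumulates a priority score. The indicators, stage names, weights and log lines are all made-up assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed "active list" (indicator -> category), standing in for the
# ransomware site reputation feed the package loads into ArcSight Active Lists.
# Placeholder values only, not real indicators.
ACTIVE_LIST = {
    "198.51.100.23": "distribution",        # dropper / landing site
    "203.0.113.77": "c2",                   # key-exchange / command server
    "payment.example.invalid": "payment",   # ransom payment portal
}
# Kill-chain stage and priority weight per category (assumed values).
STAGE = {"distribution": "Delivery", "c2": "Command and Control", "payment": "Actions on Objectives"}
WEIGHT = {"distribution": 3, "c2": 7, "payment": 10}
# Squid native access.log: "time elapsed client code/status bytes method url ..."
SQUID_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def _host_of(url):
    # CONNECT lines carry "host:port"; GET lines carry a full URL.
    hostport = url.split("://", 1)[1] if "://" in url else url
    return hostport.split("/", 1)[0].split(":", 1)[0]

def hunt(lines):
    """Alerts for every line whose destination is listed, plus a per-client
    score that adds each category's weight once (repeats do not inflate it)."""
    alerts, score, seen = [], defaultdict(int), defaultdict(set)
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        host = _host_of(m.group("url"))
        cat = ACTIVE_LIST.get(host)
        if cat is None:
            continue
        client = m.group("client")
        alerts.append({"src": client, "dst": host, "category": cat, "stage": STAGE[cat]})
        if cat not in seen[client]:
            seen[client].add(cat)
            score[client] += WEIGHT[cat]
    return alerts, dict(score)

# Constructed sample proxy lines: one client hits a landing page, then beacons twice.
SAMPLE_LOG = [
    "1462202810.123    120 10.0.0.15 TCP_MISS/200 5320 GET http://198.51.100.23/land.php - DIRECT/198.51.100.23 text/html",
    "1462202815.456     80 10.0.0.15 TCP_TUNNEL/200 1800 CONNECT 203.0.113.77:443 - DIRECT/203.0.113.77 -",
    "1462202820.789     60 10.0.0.15 TCP_TUNNEL/200 900 CONNECT 203.0.113.77:443 - DIRECT/203.0.113.77 -",
    "1462202830.001    200 10.0.0.42 TCP_MISS/200 4100 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
]
if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

The distinct-category scoring is the point to carry into the real rules: a host that touched a distribution site and then a C2 site outranks one that only beaconed repeatedly.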


What's the catch with the free version? None! By all means this is an open framework, and suggestions & contributions are welcome.

Examples of Ransomware that the package finds: TeslaCrypt | CryptoWall | TorrentLocker | PadCrypt | Locky | CTB-Locker | FAKBEN | PayCrypt | DMALocker | Cerber

Some of the functionality described above is not included in the basic version; more details on the advanced version are included here: Ransomware Hunter by SOC Prime

Please PM for any questions, feedback is most welcome!

CISO Tactical Brief on Ransomware -

Archive: includes the .ARB package, the IP reputation feed gathering script & the installation guide

MD5 hash v.1.2: e581123ff7ee3cd2a1546caacc609a0f

SIEM requirements:

   - HPE ArcSight ESM 6.0 or higher;

   - HPE ArcSight Express 4.0 or higher.

Network access to is required.

Log source requirements:

Firewall Logs: Cisco ASA; Cisco FWSM; CheckPoint Firewall; Palo Alto; Others

Proxy Logs: Squid; BlueCoat Proxy; Microsoft Forefront TMG; Others

Optional / Work in progress / Advanced Package

IPS/IDS Logs: TippingPoint; Snort; CheckPoint IPS; Suricata; Others

Microsoft Windows Logs: Domain Controllers; Workstations; Other

Antivirus Logs: ESET; Kaspersky; McAfee Endpoint Security; Avast; Trend Micro; Others

~ Kind regards from SOC Prime team