Ransomware Detection using Threat Intelligence feeds with ESM



Ransomware is nowadays a very common type of malware whose main purpose is to infect computer systems, render data (files) unavailable by encrypting it, and demand a ransom before the user or company can access it again. Social engineering attack vectors are often used to infect target hosts. Among the most common infection vectors are:

  • Malicious email attachments
  • Compromised web sites
  • Malvertising
  • Exploit kits
  • OS vulnerabilities

WannaCry, Cerber, Locky and Petya/NotPetya are among the latest and most widely spread ransomware attacks, but they are not the only ones, and they are here to stay. Estimates vary, but they all show the great risk these attacks pose: damage costs were around 5 billion in 2017 and will exceed 11 billion by 2019. It is estimated that ransomware will attack a business every 14 seconds by the end of 2019.

Ransomware Impacts for a company:

  • Financial and economic damages, including the ransom and the loss of productivity caused by unavailable data/systems.
  • Loss of Reputation

Best Practices to minimize the risk include:

  • Prevention. Layered protection that includes firewalls, IDS/IPS (host and network), email gateways and antivirus systems.
  • Training. Security awareness programs can, and should, be used to educate users and make them less vulnerable to social engineering attacks, thus reducing the likelihood of the company being infected by ransomware. Technical training for IT staff (not only IT security) is also required.
  • Keeping Systems up to date. Ensuring software and systems are up to date is a critical factor to minimize the risk of a vulnerability being exploited.
  • Backup/Restore. Effective backup and restore procedures in place are necessary to counter the loss/damage of sensitive data.

Ransomware-related network activity can be tracked and detected by ESM. Using threat intelligence data is one of the most popular ways to detect ransomware communications in a corporate environment.

The ArcSight Activate Framework can be leveraged to track not only ransomware but other threat-intelligence-related attack vectors. By using the Threat Intelligence package, SOC analysts can track ransomware, phishing, botnet, anonymization and other suspicious activities. The Activate Framework builds upon blocks at different layers that allow actionable security use cases to be developed and deployed. Activate packages are available in the Micro Focus marketplace.

If the Activate Framework is not an option, ESM content can also be built to track ransomware network communications. A basic example is given below to provide some guidance on this approach; it involves 3 major steps:

1) Ransomware known entities from a Threat Intelligence source

Find, collect (and periodically update) ransomware IOCs (IPs, hosts, domains, URLs, hashes) from known sources. A script can be created and executed automatically at regular intervals to update the ransomware data. Ransomware Tracker is an example of a TI data feed.

A sample Java program is provided, which downloads the ransomware lists (RW_URLBL, RW_DOMBL, RW_IPBL) from Ransomware Tracker and creates/updates 3 CSV files. It can be run on Linux or Windows systems.

Run the script by executing:

java -jar %path%/RansomewareIPAddressesDownloader.jar



The script will run and download/update the 3 files every 10 minutes until stopped. It will create a Ransomware folder under the C:\ drive on Windows or under / (root) on Linux.
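The feed-to-CSV step in Python, as an added example that is not the article's Java program: it parses a Ransomware Tracker style list (comment banner, one entry per line) into the one-column CSV the sample flex connector reads, dropping comments, duplicates and malformed entries, and swaps the file in with a single rename. The feed text is constructed, and it is assumed the connector re-reads the replaced file (the article adjusts agent.properties so every line is read on each update).

```python
"""Turn a Ransomware Tracker style blocklist into the one-column CSV the sample
flex connector expects (token.count=1, '#' comment lines ignored).
Added example, not the article's Java program."""
import ipaddress
import os
import tempfile

# Constructed sample of the feed layout: comment banner, blank line, one entry
# per line, plus a duplicate and a malformed entry the parser must drop.
SAMPLE_FEED = """\
#############################################
# Ransomware Tracker IP blocklist (sample)  #
#############################################
192.0.2.10
198.51.100.7

192.0.2.10
192.0.2.999
"""

def parse_feed(text):
    """Return the unique, syntactically valid addresses in feed order."""
    seen, result = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                        # comments and blank lines
        try:
            ip = str(ipaddress.ip_address(line))
        except ValueError:
            continue                        # not an address: skip, do not abort
        if ip not in seen:
            seen.add(ip)
            result.append(ip)
    return result

def write_blocklist_csv(ips, path, source="RW_IPBL"):
    """Write one address per line and swap the file in with one rename, so the
    connector never reads a half-written list. Returns the entry count."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        fh.write("# %s refreshed by feed script\n" % source)  # connector skips '#' lines
        fh.writelines(ip + "\n" for ip in ips)
    os.replace(tmp, path)          # replaces the old list in one step
    return len(ips)

def refresh(text, path):
    """One scheduler tick: parse the downloaded feed text and rewrite the CSV."""
    return write_blocklist_csv(parse_feed(text), path)
```

Call refresh() with the downloaded feed body from a 10-minute scheduler, once per list (RW_IPBL, RW_DOMBL, RW_URLBL), to mirror what the article's program does.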


2) Import ransomware TI data into ESM

Once ransomware TI data (IPs, domains, URLs) is available, it can be imported into ESM in different ways:

a) Manually from the ArcSight Console. This is a static approach and is not recommended.

b) A flex connector can be installed and configured to automatically import data from the downloaded CSV file as soon as the data is available/updated.

A sample tracker.sdkfilereader.properties file is provided (uploaded as .doc; please rename it to .properties). It has to be placed in the %CONNECTOR_HOME%\current\user\agent\flexagent directory; it parses RW_IPBL.csv and sets the IP address as the destination address. Depending on the configuration, the agent.properties file (in the %HOME%/current/user/agent/ folder) needs to be modified so that the connector reads every line each time the file is updated:


You may need a connector for each file you have.

A lightweight rule will write the data into an active list (if multiple files and multiple active lists are used, multiple rules may also be needed), which will then be queried for matching events.


3) Build ESM content to alert (and show statistics) when communications occur to those entities

ESM content to detect ransomware network activity will comprise several types of resources, among them filters, active lists and rules:

Filters: Although conditions can be set directly in ESM rules, if conditions are to be reused among several resources then creating a filter resource is a better approach. If inbound and outbound communications are going to be tracked separately, a filter for each traffic direction should be created.


Refer to the Practical Guide to ESM Filters article for more information regarding ESM filter best practices.


Active Lists: The number and type of active lists to be used will depend on the type and number of ransomware TI data sources (IPs, domains, URLs). Typically, you will use one active list per type of IOC. These active lists store the ransomware TI data collected/updated from the connectors and are typically updated by a lightweight rule.



Active list properties (and fields) can vary and be adjusted to fit the environment and security needs. One such value is TTL, which governs how long an entry (an IOC in this case) remains in the active list (the last modified time is used for the calculation).






Rules: Depending on how active lists will be populated (and updated), 1 or 2 tiers of rules can be created: 1. lightweight rules that populate/update the ransomware active lists, and 2. standard rules that match events against the ransomware TI data contained in those active lists. Separate inbound/outbound rules can be created to add more granularity to detection.



Rule conditions: In the following example an outbound filter (which might be reused in other ESM resources) is created and nested in the rule conditions to match only outbound traffic. We also use a local variable to match IP addresses (destination addresses, as the traffic is outbound) against the ransomware active list.

Active Channel: An active channel will be used to show ransomware correlation events. This can be the main active channel used in the SOC, or a specific channel created for this purpose.

Ransomware Dashboard: If more statistics are needed, a combination of resources can be created and shown in a dashboard. Data monitors and/or query viewers can be included: Top External Ransomware Destinations - Last 24hrs and Top External Ransomware Destinations - Last Week are examples of query viewers that can be created.
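The rule logic of this step, modelled in Python as an added example (not ESM content): a TTL-governed active list whose entries expire relative to their last modified time, an outbound filter, a lightweight rule that fills the list from connector events, and a standard rule that raises a correlation event for outbound traffic to a listed destination. The event field names, the RFC 1918 definition of "internal" and the sample traffic are assumptions constructed for the example.

```python
"""Two rule tiers from the text: a lightweight rule fills a TTL-governed active
list from connector events; a standard rule matches outbound events against it.
Added example, not ESM content; field names and RFC 1918 'internal' are assumed."""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class ActiveList:
    """Entries expire ttl seconds after their last modified time, as in ESM."""
    def __init__(self, ttl):
        self.ttl, self.entries = ttl, {}    # entries: value -> last modified time
    def add(self, value, now):              # insert or refresh the entry
        self.entries[value] = now
    def contains(self, value, now):
        ts = self.entries.get(value)
        return ts is not None and now - ts <= self.ttl

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in n for n in INTERNAL_NETS)

def is_outbound(event):
    """Filter resource: internal source talking to an external destination."""
    return is_internal(event["sourceAddress"]) and not is_internal(event["destinationAddress"])

def lightweight_rule(event, active_list, now):
    """Tier 1: events from the Ransomware Tracker connector populate the list."""
    if event.get("deviceProduct") == "Ransomware Tracker":
        active_list.add(event["destinationAddress"], now)

def ransomware_rule(event, active_list, now):
    """Tier 2: outbound traffic to a listed destination yields a correlation event."""
    if is_outbound(event) and active_list.contains(event["destinationAddress"], now):
        return {"name": "Outbound Ransomware Communication",
                "sourceAddress": event["sourceAddress"], "destinationAddress": event["destinationAddress"]}
    return None

# Constructed sample firewall traffic; the list entry is created at t=0 in run().
TRAFFIC = [
    {"t": 60,    "sourceAddress": "10.1.2.3",    "destinationAddress": "203.0.113.5"},   # fires
    {"t": 60,    "sourceAddress": "203.0.113.5", "destinationAddress": "10.1.2.3"},      # inbound
    {"t": 60,    "sourceAddress": "10.1.2.3",    "destinationAddress": "198.51.100.9"},  # not listed
    {"t": 90000, "sourceAddress": "10.1.2.3",    "destinationAddress": "203.0.113.5"},   # past TTL
]

def run(ttl_seconds=86400):
    al = ActiveList(ttl_seconds)            # replay: one result per traffic event, None = no alert
    lightweight_rule({"deviceProduct": "Ransomware Tracker",
                      "destinationAddress": "203.0.113.5"}, al, now=0)
    return [ransomware_rule(ev, al, ev["t"]) for ev in TRAFFIC]
```

Raising the TTL past 90000 seconds makes the last sample event fire too, which is the trade-off the TTL setting controls: stale IOCs keep alerting for as long as they stay on the list.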


Sample tracker.sdkfilereader.properties (one token per line, the IP address, mapped to the destination address):

additionaldata.enabled=true
do.unparsed.events=true
comments.start.with=\#
trim.tokens=true
contains.empty.tokens=true
delimiter=,
text.qualifier="
token.count=1
token[0].name=DestAddress
token[0].type=IPAddress
event.deviceVendor=__stringConstant("Ransomware")
event.deviceProduct=__stringConstant("Ransomware Tracker")
event.destinationAddress=DestAddress

