[Oisf-users] Ransomware detection

Cooper F. Nelson cnelson at ucsd.edu
Fri Jun 30 17:59:08 UTC 2017

See the replies from the ET peeps below.  This is more a threat
intelligence question vs. suricata itself.  Suricata can detect anything
with a network presence, with of course the limitation that it cannot
inspect within encrypted tunnels.

Anyways, the premium EmergingThreats feed provides excellent coverage
for "known knowns", i.e. active exploits and campaigns.  I've uncovered
many ransomware infections in this manner.

However, to be absolutely clear, ransomware==crimeware and their entire
production and distribution mechanism is geared around evading
signature-based detection.  So it is not and never will be a 100%
solution.  I've seen multiple zero-day campaigns that went undetected by
all the big vendors.  I've also seen ransomware that does not utilize
any CnC mechanism post-infection.  And javascript droppers that use a
trivial XOR obfuscation to evade network sandbox detection.  The list
goes on and it will never end.

Best practice is to harden your perimeter/endpoints against the
distribution mechanism, vs. counting on detecting infections after the


On 6/29/2017 5:42 PM, Alexis Fredes Hadad wrote:
> Hello everyone!
> I want to know if there is any rule for ransomware detection in
> Suricata. I know that Suricata is not the most appropriate tool for that
> kind of malware, but I was investigating how to write a rule with pcre.
> Does anyone know if a rule for that exists? Or a rule set which contains one?
> At present I am using the free version of Emerging Threats and it has a
> file of rules for malware, but I couldn't find anything related to ransomware.
> Thanks,
> Alexis

Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
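The point about "trivial XOR obfuscation" above is easy to see in code. The following is an added example, not code from this thread, from the ET rule set, or from Suricata: it shows why a plain content match on a dropper's bytes misses once the payload is XOR'd with a single byte, and shows the usual defender-side answer, brute-forcing all 256 single-byte keys before matching, as a sandbox or an analyst script would. The sample payload, the signature tokens and the key 0x5A are all constructed for the example; the tokens are not real ET rule content.

```python
"""Added example (not from the mailing-list thread): a literal content
signature versus a single-byte-XOR-obfuscated payload, plus a brute-force
decoder that restores the match.  All sample data is constructed."""

# Constructed sample standing in for a small script-dropper body.
SAMPLE_PLAIN = b'var s = "hello"; WScript.Echo(s);'

# Constructed signature tokens a content-match rule might look for.
SIGNATURES = [b"WScript", b"eval("]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR.  Symmetric: the same call obfuscates and decodes."""
    return bytes(b ^ key for b in data)


def literal_match(data: bytes, sigs=SIGNATURES) -> list[bytes]:
    """Plain content match on raw bytes, as a signature engine does."""
    return [s for s in sigs if s in data]


def xor_brute_match(data: bytes, sigs=SIGNATURES) -> dict[int, list[bytes]]:
    """Try every single-byte key and report which keys make a signature hit.

    Key 0 is the identity, so an unobfuscated payload shows up under key 0.
    Cost is 256 passes over the buffer, which is why engines only do this on
    selected content (e.g. script attachments), not on every packet.
    """
    hits: dict[int, list[bytes]] = {}
    for key in range(256):
        found = literal_match(xor_bytes(data, key), sigs)
        if found:
            hits[key] = found
    return hits


def demo() -> None:
    obfuscated = xor_bytes(SAMPLE_PLAIN, 0x5A)  # constructed key
    print("plain  ->", literal_match(SAMPLE_PLAIN))   # [b'WScript']
    print("xor'd  ->", literal_match(obfuscated))     # []  (signature misses)
    print("brute  ->", xor_brute_match(obfuscated))   # {90: [b'WScript']}


if __name__ == "__main__":
    demo()
```

The brute-force step only covers the one trick named in the thread (a single-byte key); a multi-byte key, a different encoding layer, or delivery over TLS defeats it again, which is the author's larger point: network signatures find the known knowns, and hardening the delivery path is what covers the rest.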
