Detecting and Fighting Ransomware Using ntopng (yes including WannaCry)


These days many people are talking about ransomware and in particular about the problems created by WannaCry. Some ntop users contacted us asking whether they could use our tools to detect and stop ransomware. The best answer to these issues is to implement network security properly (in our opinion a process, not a product) by designing the network well and keeping hosts patched. That said, ntopng can usually be used to detect infections, block most of them, and produce a list of hosts that might have been compromised. If you run ntopng in passive mode (i.e. you feed it traffic from a SPAN port or a tap) you can be notified whenever a local host contacts, or is contacted by, a suspicious or blacklisted host, either by looking at the ntopng alerts dashboard or, on the go, through the Slack integration (see menu Preferences > External Alerts Report > Slack Integration inside ntopng, or read this document for details).

In the latest ntopng 2.5.x series we have implemented (see menu Preferences > Alerts > Security Alerts > Enable Hosts Malware Blacklists) the ability for ntopng to download nightly a list of blacklisted hosts. In passive mode the list is used to detect potential security issues; when ntopng runs in inline mode it can also automatically block this traffic and thus prevent infections.

If you go to the historical data explorer menu, you can browse past flows and see flow details. In DNS flows the query name is shown: this helps you find out, for instance, which local hosts have been querying WannaCry-related names.
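As an added example (not ntopng's own code), the following Python script shows the correlation that the blacklist alerts and DNS flow details above make possible: flow records are matched against a host blacklist in both directions (a local host contacting a bad IP, or a bad IP reaching a local host), and DNS query names are matched against a list of bad domains. The feed, the local network, the flows and the domain name are all constructed for the example.

```python
"""
Added example (not ntopng code): correlate flow records against a host
blacklist and DNS query names, the way ntopng's malware-blacklist alerts
and DNS flow details are used. All data below is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed blacklist in the usual one-entry-per-line feed format:
# plain IPs, CIDR ranges and comments. ntopng downloads real feeds nightly;
# this string stands in for one.
BLACKLIST_FEED = """
# example feed (constructed)
203.0.113.7
198.51.100.0/24
"""

# Constructed domain blacklist; "malware-cc.example" is a placeholder name.
BAD_DOMAINS = {"malware-cc.example"}

# Constructed local network.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed flow records in the shape of ntopng's flow details:
# (client, server, protocol, server port, DNS query name or None)
FLOWS = [
    ("192.168.1.10", "203.0.113.7", "TCP", 445, None),
    ("192.168.1.11", "198.51.100.45", "TCP", 443, None),
    ("192.168.1.12", "192.168.1.1", "UDP", 53, "malware-cc.example"),
    ("192.168.1.12", "192.168.1.1", "UDP", 53, "www.example.com"),
    ("198.51.100.9", "192.168.1.20", "TCP", 445, None),   # inbound SMB from a bad host
    ("192.168.1.13", "93.184.216.34", "TCP", 80, None),
]


def parse_blacklist(text):
    """Turn a feed into a list of networks; single IPs become /32 networks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_local(ip, local_nets=LOCAL_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in local_nets)


def is_blacklisted(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def find_suspects(flows, feed=BLACKLIST_FEED, bad_domains=BAD_DOMAINS):
    """Map each local host to the reasons it looks compromised."""
    nets = parse_blacklist(feed)
    suspects = defaultdict(list)
    for client, server, proto, port, qname in flows:
        # Blacklisted peer in either direction: a local host contacting a
        # bad IP, or a bad IP reaching a local host (e.g. SMB/445 scans).
        for local, peer in ((client, server), (server, client)):
            if is_local(local) and not is_local(peer) and is_blacklisted(peer, nets):
                suspects[local].append(f"{proto}/{port} with blacklisted {peer}")
        # DNS flows carry the query name; match it against the bad domains.
        if qname is not None and qname.lower().rstrip(".") in bad_domains:
            suspects[client].append(f"DNS query for {qname}")
    return dict(suspects)


if __name__ == "__main__":
    for host, reasons in sorted(find_suspects(FLOWS).items()):
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Checking both directions matters: a host that is only ever contacted by a blacklisted address (the inbound SMB flow above) is still worth a look, and the DNS match catches a host before any connection to the bad address is made.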

If you are using ntopng in inline mode, you can also use ntopng to force the use of specified DNS servers: ntopng captures the DNS query, reforges the packet so that the query is sent to the DNS server set in the preferences, and rewrites the response back to the DNS client, which is then unable to tell that the answer was served by another DNS server.

This way you can prevent local hosts from contacting potential malware sites by simply setting as default a filtering DNS such as Norton ConnectSafe (note that we are not affiliated with Norton, this is just an example): whenever a DNS query for a potentially dangerous name is performed, instead of the requested host's IP the response carries the IP of a landing page, so the host is unable to talk to the infected site.
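To show what happens on the wire when a filtering resolver answers a query for a blacklisted name, here is an added Python example (not ntopng's or Norton's code) that builds the kind of response described above: the transaction id and question are echoed back, and the answer carries a landing-page address instead of the real one, so the client has nothing to distinguish it from a genuine answer. The blacklisted name and the landing-page address are constructed placeholders; queries for other names return None, meaning the resolver would forward them upstream, which this offline example does not do.

```python
"""
Added example (not ntopng code): the response side of a filtering resolver.
Given a raw DNS query, answer blacklisted names with a landing-page address;
other names return None ("forward upstream", not implemented here).
Packet layout follows RFC 1035; all names and addresses are constructed.
"""
import socket
import struct

BAD_NAMES = {"malware-cc.example"}     # constructed placeholder name
LANDING_IP = "192.0.2.1"               # constructed landing-page address


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Return (name, offset after the name). Compression pointers are not
    expected in a question section, so they are rejected rather than followed."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0:
            raise ValueError("compressed name in question")
        off += 1
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def build_query(txid, name, qtype=1):
    """Build a standard A query with the RD bit set (what a stub resolver sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def sinkhole_response(query, bad_names=BAD_NAMES, landing_ip=LANDING_IP, ttl=60):
    """Forge an A answer pointing at the landing page for blacklisted names."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    if qd != 1:
        return None
    name, end = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    if name.lower() not in bad_names or qtype != 1 or qclass != 1:
        return None
    # Echo the transaction id and question; set QR (response), keep RD,
    # set RA, RCODE 0: the client sees an ordinary successful answer.
    rflags = 0x8000 | (flags & 0x0100) | 0x0080
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0)
    question = query[12:end + 4]
    # Answer RR: compression pointer to the question name (0xC00C),
    # type A, class IN, TTL, RDLENGTH 4, then the landing-page address.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(landing_ip)
    return header + question + answer


def answered_address(response):
    """Parse the first A record of a response: what the client will connect to."""
    _, off = decode_name(response, 12)
    off += 4                       # skip qtype/qclass of the echoed question
    _ptr, rtype, rclass, ttl, rdlen = struct.unpack("!HHHIH", response[off:off + 12])
    return socket.inet_ntoa(response[off + 12:off + 12 + rdlen])


if __name__ == "__main__":
    bad = sinkhole_response(build_query(0x1234, "malware-cc.example"))
    print("blacklisted name ->", answered_address(bad))                      # 192.0.2.1
    print("clean name ->", sinkhole_response(build_query(0x1235, "www.example.com")))  # None
```

The short TTL keeps the sinkholed answer out of client caches for long once a name is removed from the blacklist; a filtering resolver that is later removed from the configuration should not leave hosts pinned to the landing page.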

These are just a few examples of what you can do with ntopng to secure your network and monitor for infections. If you are interested, we have written a tutorial that describes all this in more detail.