Detecting Ransomware Precursors in Network Traffic

When to Use

• Building detection rules for pre-ransomware network activity (the average time from Cobalt Strike deployment to encryption is 17 minutes)
• Monitoring for initial access broker (IAB) indicators that precede ransomware deployment
• Creating SIEM correlation rules that chain multiple precursor events into high-confidence alerts
• Tuning network detection systems to distinguish ransomware staging from normal administrative activity
• Investigating suspicious network patterns that may indicate ransomware operators have established a foothold

Do not use for post-encryption response (see recovering-from-ransomware-attack). This skill focuses on the pre-encryption detection window where containment can prevent data loss.

Prerequisites

• Network detection platform (Zeek/Bro, Suricata, or Arkime/Moloch) deployed on network TAP or SPAN ports
• SIEM platform (Splunk, Elastic Security, Microsoft Sentinel, or QRadar) ingesting network logs
• Threat intelligence feeds covering ransomware IOCs (CISA, abuse.ch, OTX, MISP)
• Network flow data (NetFlow/IPFIX) from core routers and firewalls
• DNS query logging from internal resolvers
• Full packet capture capability for incident investigation