analyzing-ransomware-network-indicatorslisted

# Analyzing Ransomware Network Indicators ## Overview Before and during ransomware execution, adversaries establish C2 channels, exfiltrate data, and download encryption keys. This skill analyzes Zeek conn.log and NetFlow data to detect beaconing patterns (regular-interval callbacks), connections to known TOR exit nodes, large outbound data transfers, and suspicious DNS activity associated with ransomware families. ## When to Use - When investigating security incidents that require analyzing ransomware network indicators - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Zeek conn.log files or NetFlow CSV/JSON exports - Python 3.8+ with standard library - TOR exit node list (fetched from Tor Project or threat intel feeds) - Optional: Known ransomware C2 IOC list ## Steps 1. **Parse Connection Logs** — Ingest Zeek conn.log (TSV) or NetFlow records into structured format 2. **Detect Beaconing Patterns** — Calculate connection interval statistics (mean, stddev, coefficient of variation) to identify periodic callbacks 3. **Check TOR Exit Node Connections** — Cross-reference destination IPs against current TOR exit node list 4. **Identify Data Exfiltration** — Flag connections with unusually high outbound byte ratios to external IPs 5. **Analyze DNS Patterns** — Detect DGA-like domain q