Ransomware Hunter

SOC Prime | Community

Ransomware Hunter natively integrates with ArcSight and leverages statistical profiling and behavioral analysis methods, OSINT feeds (including Ransomware Tracker by Abuse.ch and the Detect Tor feed) as well as strictly defined correlation rules. This enables organizations to spot and stop any ransomware as early as possible. Because adversaries continuously bypass traditional defense systems in both wide-spectrum and targeted (APT) attacks, accurate and timely detection followed by incident response can completely prevent the threat and damage posed by ransomware. Ransomware Hunter provides detection and automatic alerting capabilities at the Reconnaissance, Delivery, Exploitation, Installation, Command and Control (C2) and Action on Objectives phases, thus covering the full threat life cycle according to the Cyber Kill Chain methodology.

Minimum Requirements

SIEM Requirements:

   - HPE ArcSight ESM 6.9 or higher

It also requires properly configured categorization for log sources.

It is recommended to install the Data Quality Framework package to control categorization. Additional: any Linux server or workstation with access to the SIEM and to web sites (HTTPS, port 443) for the script:


Ransomware Hunter 2.1
913.0 KB
Oct 2, 2017
Product compatibility
Version 7.0
Version 6.9.1 · 6.11.0
ESM Express
Version 6.9.1
Release notes

Version 2.1

  • Disabled historical rules by default and removed the rule folder scheduled job
  • False-positive reduction: all rules now trigger only on connections to ransomware sites whose status in abuse.ch is "Online"

Version 2.0

  • Added Windows file audit monitoring
  • Increased Active List capacity
  • Updated documentation, added resource description

Version 1.5

  • False-positive reduction
  • Added Kill Chain categorization to events
  • Added SOC channel
  • Added historical correlation for better accuracy and false-positive reduction
  • Granular prioritization of correlated events
  • Added detection of Tor Network communication
  • Updated script, fixed minor bugs

Version 1.0

  • Initial version
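As an added illustration (not part of the listing or of the vendor's package) of the Version 2.1 rule behaviour and the kill-chain tagging described above: outbound connection events are matched against an abuse.ch Ransomware Tracker-style feed, and an alert is raised only when the matched entry's status is "online". The feed rows, the connection events and the threat-type to kill-chain-phase mapping are all constructed for this example.

```python
import csv

# Constructed feed in the column layout of the abuse.ch Ransomware Tracker CSV
# export (the feed has since been retired); hosts, URLs and IPs are made up.
FEED_CSV = """Firstseen,Threat,Malware,Host,URL,Status,Registrar,IP address(es),ASN(s),Country
2017-09-30 10:00:00,C2,Locky,c2.example.invalid,http://c2.example.invalid/gate.php,online,-,192.0.2.10,64500,US
2017-09-29 08:30:00,Distribution Site,Cerber,dl.example.invalid,http://dl.example.invalid/x.exe,offline,-,192.0.2.20,64500,DE
2017-09-28 12:00:00,Payment Site,Locky,pay.example.invalid,http://pay.example.invalid/,online,-,198.51.100.5|198.51.100.6,64501,NL
"""

# Assumed mapping of feed threat types onto the Cyber Kill Chain phases the
# listing says Ransomware Hunter tags (our choice for this example).
KILL_CHAIN = {"C2": "Command and Control",
              "Distribution Site": "Delivery",
              "Payment Site": "Action on Objectives"}

def load_online_indicators(feed_text):
    """Index feed rows by host and by IP, keeping only entries abuse.ch marks 'online'."""
    index = {}
    for row in csv.DictReader(feed_text.splitlines()):
        if row["Status"].strip().lower() != "online":
            continue  # v2.1 behaviour: offline/sinkholed sites do not raise alerts
        ind = {"host": row["Host"], "threat": row["Threat"], "malware": row["Malware"]}
        index[row["Host"]] = ind
        for ip in row["IP address(es)"].split("|"):  # multi-IP rows assumed pipe-separated
            index[ip.strip()] = ind
    return index

# Constructed outbound-connection events as a categorized firewall/proxy source would deliver them.
EVENTS = [
    {"src": "10.1.1.15", "dst_host": "c2.example.invalid", "dst_ip": "192.0.2.10"},
    {"src": "10.1.1.16", "dst_host": "dl.example.invalid", "dst_ip": "192.0.2.20"},
    {"src": "10.1.1.17", "dst_host": "", "dst_ip": "198.51.100.6"},
    {"src": "10.1.1.18", "dst_host": "www.example.com", "dst_ip": "203.0.113.9"},
]

def correlate(events, indicators):
    """Return one alert per event whose destination host or IP is an online indicator."""
    alerts = []
    for ev in events:
        ind = indicators.get(ev["dst_host"]) or indicators.get(ev["dst_ip"])
        if ind is not None:
            alerts.append({"src": ev["src"], "indicator": ind["host"],
                           "malware": ind["malware"],
                           "phase": KILL_CHAIN.get(ind["threat"], "Unknown")})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS, load_online_indicators(FEED_CSV)):
        print(alert)
```

The offline distribution site produces no alert even though a host connected to it, which is exactly the false-positive trade-off the 2.1 notes describe; a sinkholed or taken-down site still warrants a lower-priority hunt rather than a rule firing.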
