https://live.paloaltonetworks.com/t5/general-topics/threat-protection-coverage-for-lockbit-5-0/m-p/1242783#M125594 <P>Hi All,</P> <P>&nbsp;</P> <P>We like to have clarification regarding the current threat protection capabilities of Palo Alto Networks firewalls against <STRONG>LockBit 5.0 ransomware</STRONG>, which has been reported as a newly emerging variant around <STRONG>September 2025</STRONG>.</P> <P>Upon reviewing the ThreatVault database, we found several existing threat signatures related to LockBit (e.g., <EM>Trojan/Win32.lockbit.dp</EM>, <EM>LockBit Ransomware Powershell Script File Detection</EM>, DNS-based signatures, etc.). However, these signatures appear to have been released <STRONG>prior to September 2025</STRONG>, with the latest update we observed dated <STRONG>21 January 2025</STRONG>. This indicates that they likely correspond to earlier variants of LockBit (e.g., v2.0 / v3.0 / v4.0).</P> <P>&nbsp;</P> <P><STRONG>We would like to seek clarification on the following:</STRONG></P> <OL data-end="1773" data-start="1056"> <LI><STRONG>Has Palo Alto released any specific signatures or advanced threat protection updates that cover LockBit 5.0?</STRONG></LI> <LI>If not yet available, <STRONG>can existing protection mechanisms such as behavior-based detection (WildFire), Advanced Threat Prevention, or IPS/AV coverage effectively block LockBit 5.0-related activities?</STRONG></LI> <LI><STRONG>Is there an estimated timeline for when a signature or content update specific to LockBit 5.0 will be available in ThreatVault?</STRONG></LI> <LI>Are there <STRONG>recommended configuration best practices</STRONG>&nbsp;(e.g., security profile settings, file blocking policies, Zero Trust segmentation) to enhance protection against this new ransomware variant while awaiting an official signature?</LI> </OL> <P>thank you</P> Fri, 28 Nov 2025 09:44:33 GMT Fariq_Zaidi 2025-11-28T09:44:33Z https://live.paloaltonetworks.com/t5/general-topics/threat-protection-coverage-for-lockbit-5-0/m-p/1242783#M125594 <P>Hi All,</P> <P>&nbsp;</P> <P>We like to have clarification regarding the current threat protection capabilities of Palo Alto Networks firewalls against <STRONG>LockBit 5.0 ransomware</STRONG>, which has been reported as a newly emerging variant around <STRONG>September 2025</STRONG>.</P> <P>Upon reviewing the ThreatVault database, we found several existing threat signatures related to LockBit (e.g., <EM>Trojan/Win32.lockbit.dp</EM>, <EM>LockBit Ransomware Powershell Script File Detection</EM>, DNS-based signatures, etc.). However, these signatures appear to have been released <STRONG>prior to September 2025</STRONG>, with the latest update we observed dated <STRONG>21 January 2025</STRONG>. This indicates that they likely correspond to earlier variants of LockBit (e.g., v2.0 / v3.0 / v4.0).</P> <P>&nbsp;</P> <P><STRONG>We would like to seek clarification on the following:</STRONG></P> <OL data-end="1773" data-start="1056"> <LI><STRONG>Has Palo Alto released any specific signatures or advanced threat protection updates that cover LockBit 5.0?</STRONG></LI> <LI>If not yet available, <STRONG>can existing protection mechanisms such as behavior-based detection (WildFire), Advanced Threat Prevention, or IPS/AV coverage effectively block LockBit 5.0-related activities?</STRONG></LI> <LI><STRONG>Is there an estimated timeline for when a signature or content update specific to LockBit 5.0 will be available in ThreatVault?</STRONG></LI> <LI>Are there <STRONG>recommended configuration best practices</STRONG>&nbsp;(e.g., security profile settings, file blocking policies, Zero Trust segmentation) to enhance protection against this new ransomware variant while awaiting an official signature?</LI> </OL> <P>thank you</P> Fri, 28 Nov 2025 09:44:33 GMT https://live.paloaltonetworks.com/t5/general-topics/threat-protection-coverage-for-lockbit-5-0/m-p/1242783#M125594 Fariq_Zaidi 2025-11-28T09:44:33Z https://live.paloaltonetworks.com/t5/general-topics/threat-protection-coverage-for-lockbit-5-0/m-p/1243172#M125650 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/225107">@Fariq_Zaidi</a>&nbsp;,</P> <P>&nbsp;</P> <P data-path-to-node="6">Protection against known components of LockBit 5.0 is delivered via our regular content updates, which include specific Antivirus (AV) and Vulnerability Protection signatures.</P> <P data-path-to-node="6">&nbsp;</P> <P data-path-to-node="7">You can verify the latest coverage by checking the ThreatVault database for these and related signatures (released September 2025):</P> <UL data-path-to-node="8"> <LI> <P data-path-to-node="8,0,0"><A class="ng-star-inserted" href="https://threatvault.paloaltonetworks.com?query=745461977" target="_blank" rel="noopener">ThreatVault Query 1</A></P> </LI> <LI> <P data-path-to-node="8,1,0"><A class="ng-star-inserted" href="https://threatvault.paloaltonetworks.com?query=745315692" target="_blank" rel="noopener">ThreatVault Query 2</A></P> </LI> <LI> <P data-path-to-node="8,2,0"><A class="ng-star-inserted" href="https://threatvault.paloaltonetworks.com?query=745489543" target="_blank" rel="noopener">ThreatVault Query 3</A></P> </LI> <LI> <P data-path-to-node="8,3,0"><A class="ng-star-inserted" href="https://threatvault.paloaltonetworks.com?query=744929268" target="_blank" rel="noopener">ThreatVault Query 4</A></P> </LI> <LI> <P data-path-to-node="8,4,0"><A class="ng-star-inserted" href="https://threatvault.paloaltonetworks.com?query=744929457" target="_blank" rel="noopener">ThreatVault Query 5</A></P> </LI> </UL> <P data-path-to-node="10">Relying on signatures alone is insufficient for modern ransomware. LockBit 5.0 is designed for evasion (e.g., using a two-stage payload and API unhooking), which is why defense strategy should focused on behavioral and machine learning analysis:</P> <P data-path-to-node="10">&nbsp;</P> <UL data-path-to-node="11"> <LI> <P data-path-to-node="11,0,0">WildFire Real-Time ML and Sandboxing: This is your primary defense against zero-day and previously unknown ransomware samples. WildFire analyzes the payload in a virtual environment to detect malicious behaviors and instantly generates new protections, eliminating dwell time.</P> </LI> <LI> <P data-path-to-node="11,1,0">Advanced Threat Prevention (ATP): This leverages inline machine learning models to detect malicious behaviors, exploit techniques (like process hollowing), and Command-and-Control (C2) patterns associated with ransomware activity, stopping the threat before it gets a signature.</P> </LI> <LI> <P data-path-to-node="11,2,0">Anti-Spyware/Vulnerability Protection: These profiles stop common exploit techniques and lateral movement attempts (like abusing PowerShell) frequently leveraged by LockBit affiliates during the initial stages of an attack.</P> </LI> </UL> <P>&nbsp;</P> <P data-path-to-node="13">Ransomware mitigation is less about a single setting and more about a unified security posture. We strongly recommend following our best practice guidelines:</P> <UL data-path-to-node="14"> <LI> <P data-path-to-node="14,0,0">Enable Decryption: You cannot stop threats you cannot see. Enable SSL/TLS decryption for high-risk and medium-risk traffic to inspect the encrypted payload delivery and C2 communications.</P> </LI> <LI> <P data-path-to-node="14,1,0">Aggressive Security Profiles: Ensure all Security Profiles are set aggressively (e.g., <I>Block</I> actions) for:</P> <UL data-path-to-node="14,1,1"> <LI> <P data-path-to-node="14,1,1,0,0">File Blocking: Block the download/upload of high-risk executable files (PE files) and multi-level encoded files.</P> </LI> <LI> <P data-path-to-node="14,1,1,1,0">URL Filtering: Block all malicious URL categories (Malware, Phishing, Command-and-Control, Ransomware).</P> </LI> </UL> </LI> <LI> <P data-path-to-node="14,2,0">Policy Best Practices: Apply the full set of Security Profiles (Anti-Spyware, Vulnerability Protection, Antivirus, WildFire Analysis, URL Filtering) to all relevant Allow rules to ensure comprehensive scanning of allowed applications.</P> </LI> </UL> <P data-path-to-node="15">For detailed steps on hardening your security profiles, please review the official documentation:</P> <UL data-path-to-node="16"> <LI> <P data-path-to-node="16,0,0"><A class="ng-star-inserted" href="https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles" target="_blank" rel="noopener">Best Practice Internet Gateway Security Policy</A></P> </LI> </UL> <P>&nbsp;</P> Thu, 04 Dec 2025 15:49:03 GMT https://live.paloaltonetworks.com/t5/general-topics/threat-protection-coverage-for-lockbit-5-0/m-p/1243172#M125650 kiwi 2025-12-04T15:49:03Z