topic Analysis ransomware in General Topics

Analysis ransomware

BigPalo — Thu, 01 Aug 2019 12:04:32 GMT

Hi,

One of our servers have been infected by any kind of ransomware. We can see several files encripted. So we are seeing any evidence about the infection in the PA. The only trace that we saw in PA is that the infected server sends many dns sessions to strange domains:

S is there any way to prevent these external dns sessions? are these sessions related with ransomware virus?

I tried to find the ID in spyware profile in order to chenge the action from alert (current) to drop) but i cant not find it.

any advice to know what it happened and solved it in future?

Re: Analysis ransomware

reaper — Thu, 01 Aug 2019 13:42:52 GMT

you should enable DNS sinkhole in the antispyware profile, and if you're on PAN-OS 9.0 you can consider adding the DNS security service

protectionwise it would be good to have full protection profiles (AV, TP, AS, WF, URL) set up on all your policies on the firewall , and traps on the endpoint to defend against 0-day

you could also look into running a BPA to tighten up your security posture

Re: Analysis ransomware

Brandon_Wertz — Thu, 01 Aug 2019 16:35:41 GMT

To make suggestions relevant to your environment we'll need a lot more information about your device config (security policy and other subscription services you have and how they're configured.)

That said, like @reaper mentioned using the BPA to shore up your config. To help prevent this in the future you should make sure you're using file blocking profiles to at least track all files devices on your network are downloading from the Internet. You should also look into blocking file types which hosts typically have no business downloading from the Internet.(VBS for instance.) You can look into implementing GEO blocking which will help prevent some infections. Make sure you have SSL decryption deployed in your environment to help add visibility in your firewall to catch potentially malicious payload which is delivered via an encrypted session.

Before making any changes though be sure to understand what you're looking at blocking and making sure there aren't any business processes which might be impacted from any changes you might make.

Re: Analysis ransomware

BigPalo — Fri, 02 Aug 2019 08:10:34 GMT

Is there any way to change the default action (Alert) for "Spyware generic"? I tried to look but i cant not find it

Re: Analysis ransomware

OtakarKlier — Fri, 02 Aug 2019 20:49:58 GMT

Hello,

You can set exceptions. However I would recommend using the criticallity as a best practice.

Also as described above, set up DNS sinkhole as well as wildfire. If you setup packet capture, you might only get the DNS requests. You can use a free safe DNS source such as quad9 until you are comfortable with purchasing one. This service is not a replacement for sinkhole, it is a compliment to it.