Ransomware is a family of malware which attempts to encrypt files on end user computers and then demands some form of e-payment to recover the encrypted files.
Ransomware is one of the more common threats in the modern threat landscape; there are many different variants, an infection can cost a lot of money to recover from, and the actors responsible for the infections are driven to generate as much revenue as possible by extorting their victims.
This article will serve as a general guideline for some best practices to help keep a network free of ransomware infections.
How Is Ransomware Delivered?
Ransomware is delivered to targets primarily through these avenues:
Exploit kits (such as Angler, or Neutrino) have been known to deliver ransomware to users by exploiting vulnerable web servers and hosting malicious web scripts on them which exploit visitors when certain criteria are met, and then delivering a malicious payload (Angler Exploit Kit article @ Unit42)
Targeted ransomware has been noted and tracked recently, in which organizations had external facing web servers compromised by malicious actors in order to gain a foothold, who proceeded to map the environment out, and deployed the file cryptor en masse. (Evolution of SamSa Malware article @ Unit42)
Preventing Ransomware Attacks — Security Profiles
PAN-OS has protections at various points in the kill-chain to address ransomware infection and keep it from entering a network. A general overview of security profiles and their purpose is available here: Security policy fundamentals
1) To combat exploit kits and known vulnerabilities, numerous Vulnerability signatures exist in PAN-OS content. In order to protect users against these exploits, usage of a "strict" vulnerability protection policy can assist and is recommended. At the very minimum, ensuring signatures are enabled with preventative action against critical severity signatures is necessary. A strict stance on vulnerability protection profiles will help prevent exploit kit exposure, and help keep external facing web servers safe from exploitation of known vulnerabilities.
In order to improve security posture we recommend creating an exception for the threat ID's below. Setting them to “deny” which would block traffic matching these signatures.
However, we recommend testing in your environment prior with an “alert” setting to ensure legitimate traffic is not blocked, although there are not many legitimate uses for .js files sent in an email.
This signature indicates a malicious MSO file is detected
This signature indicates a malicious MSO file is detected
This signature indicates a malicious MSO file is detected
This signature detects a .js .wsf or .hta file directly sent in an email
This signature detects a .js .wsf or .hta file in a ZIP folder sent in an email
For more data regarding available Vulnerability signatures, please reference ThreatVault 2.0.
2) To prevent the delivery of malicious payloads, PAN-OS has an Anti-Virus scanning engine which can inspect supported protocols on which viral content most commonly is transferred, including: http, smtp, imap, pop3, ftp, and smb. Ensuring an Anti-Virus profile with preventative action is assigned to any Security rule which permits traffic that is commonly targeted (Web browsing to the internet, and email access for example) should ideally have an Anti-Virus profile assigned to it with preventative actions configured for both the Action and Wildfire-Action column for protocols on which it is supported. (See the Prevention - Dynamic Updates section for details on what the difference is). (Antivirus Profiles)
3) URL Filtering can be configured to block access to URLs in suspicious categories such as Malware/Phishing/Unknown/Dynamic DNS/Proxy-avoidance/Questionable/Parked, which will prevent a host from reaching out via HTTP to a web server Palo Alto Networks has seen host suspicious content/malware. (From the Experts: URL filtering implementation and troubleshooting)
4) Use the File Blocking functionality of the PAN-OS appliance. PAN-OS is capable of identifying supported file types in data streams and taking action depending on how you have them configured. One common tactic of ransomware (and malware authors in general) is to stand up new infrastructure for delivery, use it for a short amount of time, and then retire it. This prevents reputational based filtering, as by the time security vendors can classify infrastructure as known malicious, clever threat actors have retired it and are operating elsewhere. One solution to this is to combine File Blocking of common malicious payload types (such as Flash, PDF, Executable, and Office documents) with a security rule with the Service/URL Category set to "Unknown" and the destination being the public internet. This effectively prevents transfer of common payload types regardless of AV detection simply because your PAN-OS device does not know the source of the file.
Please note that policy changes of this type should be carefully configured to ensure legitimate traffic is not impacted. As Palo Alto Networks cannot scan company intranet sites, it is important to make sure the URL filtering logs for Unknown category activity are reviewed before enacting a block of this kind to prevent causing a service outage for internal users. Creating custom URL categories for sites that are not currently categorized currently by the Palo Alto Networks firewall can prepare you for this step.
Additionally, it may also be relevant to consider blocking certain file types over SMTP, since a significant portion of Ransomware campaigns leverage phishing emails with malicious attachments as an infection vector.
Relevant file types include: All PE file types (exe, cpl, dll, ocx, sys, scr, drv, efi, fon, pif), HLP, LNK, CHM, BAT, VBE.
Blocking or alerting on encrypted file types can also assist in reducing exposure (encrypted-zip).
Alerting on all file types that are not blocked for visibility and log analysis can be useful.
5) Some variants of ransomware reach out to external infrastructure to receive data (such as input from stated infrastructure to generate encryption keys to encrypt your files); as such, it is important to configure an Anti-Spyware profile with a "strict" setting and ensure that it is applied to security rules in which traffic egresses to the public internet.
Additionally, the Anti-Spyware profile contains actions for when Suspicious DNS Queries are detected. The Anti-Virus and Wildfire content contains a list of domains Palo Alto Networks has identified as being potentially associated with malicious traffic; network administrators can block DNS requests to these domains with this profile, or choose to sinkhole the traffic to an internal IP address they have configured for further analysis. Truly dedicated administrators will see the potential here to do some interesting configuration; once one has hijacked DNS and redirected it to a sinkhole, standing up a web server at that IP address can allow the administrator to inspect what may have resulted from a successful DNS lookup. (How to Configure DNS Sinkhole | How to Verify DNS Sinkhole Function is Working | Video Tutorial: How to Configure DNS Sinkhole)
6) If licensed, Wildfire submissions should be configured to allow submission of supported file types to the Wildfire cloud for evaluation. This will allow the Palo Alto Networks firewall to identify new malware variants, create a signature for them, and deliver them in our content updates (See the Prevention - Dynamic Updates section for details on content delivery) (Submit Files for WildFire Analysis| Wildfire Configuration, Testing, and Monitoring )
8) Usage of SSL Decryption is an important factor to consider when implementing best practices; none of the above preventions can occur if the data streams traversing the firewall are encrypted and cannot be decrypted for inspection. Anti-Virus inspection will not function on HTTPS streams or encrypted email; URL Filtering is best effort against the common name/SNI on the certificate assigned to the web server; File Blocking cannot occur if PAN-OS cannot identify files due to the protocol they are traversing being encrypted; Wildfire submissions cannot occur if PAN-OS cannot identify supported file types for forwarding due to the protocol they are traversing being encrypted; Vulnerability and Spyware profiles cannot inspect and compare traffic against known signatures if the traffic is encrypted. This makes SSL decryption an integral part of ensuring a network does not have blind spots. (SSL decryption resource list)
9) As much as possible, allow specific application in the security rule. If possible, consider blocking 'unknown-tcp' and 'unknown-udp' traffic and create custom applications for internal applications if needed.
10) AutoFocus (autofocus.paloaltonetworks.com) can be used to better understand the behavior patterns of a particular variant of ransomware. When ransomware detonates, the artifacts it generates both on the host and network side are often unique enough to help identify which type of ransomware it is; this can include file extension of the encrypted files, format of the ransom notes that are left with recovery instructions, and C2 traffic to external web hosts, just to name a few. Reviewing common ransomware family tags in AutoFocus can illustrate what is unique to what variant and can help users understand what each variant looks like. Being armed with this knowledge will make a network administrator better armed to address a potential infection.
AutoFocus can also lend context as to what ransomwares are targeting which organizations, industries, or their peers. This can allow some measure of pro-active data gathering prior to any incident and better prepare administrators to strengthen their defenses in preparation for any future attack.
Along with properly configuring PAN-OS security profiles, ensuring that the latest content is available on the device will help keep a network safe from the latest threats. (Manage Content Updates)
Palo Alto Networks provides content in numerous forms:
For URL Filtering, PAN-DB/BrightCloud lookups occur as URLs are accessed (with caching of them that expires after a period). As such, no scheduled update is required for URL filtering.
Anti-Virus updates occur roughly once every 24 hours, publishing early AM PST (Please note that this is an estimate, and the time can shift depending on quality assurance processes). As such, configuring a PAN-OS device to update the Anti-Virus content at least once a day is recommended. Anti-Virus content contains signatures for known malicious files, and the content is generated as a result of Wildfire sandbox analysis of submitted samples. This content ties into the Anti-Virus security profile under the "Action" column.
Wildfire updates (if licensed) are available about every 15 minutes. As such, configuring a PAN-OS device to update the Wildfire content as often as possible is recommended; this will ensure the device has the latest signatures at any given time, and keep prevention capabilities up to date. This content ties into the Anti-Virus security profile in the "Wildfire Action" column.
Applications and Threats updates occur roughly once every 7 days, releasing Tuesday evening into Wednesday morning (there might be an occasional Emergency Content Update as well between two regular weekly releases). As such, configuring a PAN-OS device to update Applications and Threats at least once a week is recommended. Please note that these packages contain updates to application identification capabilities and it is recommended that administrators thoroughly review release notes to fully understand any potential impact or configuration changes required before installing the content. The "Threats" portion of this package contain updates to Vulnerability signatures (tying into the Vulnerability protection security profile) and updates to Spyware signatures (tying into the Anti-Spyware security profile).
As a closing note, it is worth mentioning that backups are the best defense against serious impact on a network that has been infected by ransomware. So long as up-to-date and secured backup data is available, remediation after infection will have significantly less strain on afflicted parties and organizations.