New Advanced URL Filtering/PANDB Category: Ransomware

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L3 Networker

Screen Shot 2022-09-29 at 9.37.31 AM.png

Ransomware

Starting September 27, 2022, Palo Alto Networks will start publishing URLs into the newly introduced category  “Ransomware” available with content release version 8592 and above.

 

ACTION: Action will be required. Ransomware category action is set to “block” only for the default profile. If you have multiple URL Filtering Security profiles, you need to update the default action to BLOCK for each of these profiles.

 

How is Ransomware defined?

Palo Alto Networks defines Ransomware as websites known to host ransomware or malicious traffic involved in conducting ransomware campaigns that generally threaten to publish private data or keep access to specific data or systems blocked, usually by encrypting it, until the demanded ransom is paid.

 

Will the “Ransomware” category be visible across all PAN-OS versions?

Yes. It is, however, only supported on PAN-OS 9.1 and above. For PAN-OS version 9.0 and below, Ransomware detections will be covered under the category “Malware”.

Note: The “Ransomware” category cannot be used in PAN-OS 9.0 or below.  It is visible on the GUI as a setting even in PAN-OS 9.0 or below. However, no URL will ever be identified as "Ransomware" category in PAN-OS 9.0 or below.

 

When will the “Ransomware” category be functional?

Starting September 27, 2022, Palo Alto Networks will start publishing URLs that are categorized as ransomware. Please ensure that your security policy rules are configured properly for this new category.  

 

Note: Ransomware category functionality will only be supported on PAN-OS versions 9.1 onwards. For PAN-OS version 9.0 and below, ransomware detections will be covered under the Malware category.

 

What is the recommended action for the “Ransomware” category?

Similar to the command-and-control (C2) and malware categories, ransomware attacks pose a serious threat to users and businesses, therefore Palo Alto Networks recommends customers to keep the default action for this category set to “BLOCK”.

Note: The ransomware category action is set to “block” only for the default profile.  

 

ACTION: If you have multiple URL Filtering security profiles, you need to update the default action to “BLOCK” for each of these profiles.

 

What is the Palo Alto Networks test URL for Ransomware?

The test URL for ransomware is http://urlfiltering.paloaltonetworks.com/test-ransomware

 

Does this new category impact me?

Yes. The ransomware category action is only set to “block” for the default profile. If you have multiple URL Filtering security profiles, you need to update the default action to “BLOCK” for each of these profiles.

 

Additional Information

For more information on best practices when managing URL Filtering categories, check out these resources:

URL Filtering Category Recommendations

Complete List of PAN-DB URL Filtering Categories

 

 
14 Comments
  • 237361 Views
  • 14 comments
  • 6 Likes
Register or Sign-in
Labels