This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Analysis ransomware

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Analysis ransomware

BigPalo
L4 Transporter

‎08-01-2019 05:04 AM

Hi,

 

One of our servers have been infected by any kind of ransomware. We can see several files encripted. So we are seeing any evidence about the infection in the PA. The only trace that we saw in PA is that the infected server sends many dns sessions to strange domains:

 

AV.JPG

S is there any way to prevent these external dns sessions? are these sessions related with ransomware virus?

I tried to find the ID in spyware profile in order to chenge the action from alert (current) to drop) but i cant not find it.

 

any advice to know what it happened and solved it in future?

 

 

0 Likes Likes
4 REPLIES 4

reaper
Cyber Elite
Cyber Elite

‎08-01-2019 06:42 AM

you should enable DNS sinkhole in the antispyware profile, and if you're on PAN-OS 9.0 you can consider adding the DNS security service

 

protectionwise it would be good to have full protection profiles (AV, TP, AS, WF, URL)  set up on all your policies on the firewall , and traps on the endpoint to defend against 0-day

 

you could also look into running a BPA to tighten up your security posture

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

Brandon_Wertz
L6 Presenter
In response to reaper

‎08-01-2019 09:35 AM

To make suggestions relevant to your environment we'll need a lot more information about your device config (security policy and other subscription services you have and how they're configured.)

 

That said, like @reaper mentioned using the BPA to shore up your config.  To help prevent this in the future you should make sure you're using file blocking profiles to at least track all files devices on your network are downloading from the Internet.  You should also look into blocking file types which hosts typically have no business downloading from the Internet.(VBS for instance.)  You can look into implementing GEO blocking which will help prevent some infections.  Make sure you have SSL decryption deployed in your environment to help add visibility in your firewall to catch potentially malicious payload which is delivered via an encrypted session.

 

Before making any changes though be sure to understand what you're looking at blocking and making sure there aren't any business processes which might be impacted from any changes you might make.

0 Likes Likes

BigPalo
L4 Transporter
In response to reaper

‎08-02-2019 01:10 AM

Is there any way to change the default action (Alert) for "Spyware generic"? I tried to look but i cant not find it

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to BigPalo

‎08-02-2019 01:49 PM

Hello,

You can set exceptions. However I would recommend using the criticallity as a best practice.

image.png

Also as described above, set up DNS sinkhole as well as wildfire. If you setup packet capture, you might only get the DNS requests. You can use a free safe DNS source such as quad9 until you are comfortable with purchasing one. This service is not a replacement for sinkhole, it is a compliment to it.

0 Likes Likes
  • 4050 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks