Maze Ransomware Coverage

L3 Networker

Hi Team,

Please let us know the coverage against the Maze ransomware under Threat Prevention in our Palo Alto IPS.

Best Regards,

Sahul Hameed

7 replies

Cyber Elite

@SahulH,

There are a number of signatures that are specific to Maze. There are 18 Antivirus signatures, 14 DNS signatures, and 3 WildFire signatures that are specific to the Maze ransomware. That doesn't count all of the more generic droppers that would be caught under non-specific signatures.

The bigger question I always have when a customer brings this up is whether they actually have full visibility into the traffic. Are you actively decrypting all traffic, are you enforcing file blocking, have you verified that all of your external traffic is actually configured with a security profile that inspects the traffic?

Your firewall can only do so much to prevent malicious files from making it to your client machines. So I would ensure that you have something with proper ransomware protections, such as Cortex XDR (formerly Traps), so that if anything does make it to an endpoint (or an endpoint downloads a malicious file while not behind your firewall) that threat is identified and stopped.

@BPry Hi BPry,

Thanks for your response. We do have the decryption policy and have also configured the Security profile on the outbound traffic.

Is it possible for you to share with me the Application, DNS and WildFire Signature IDs, for my reference, which you mentioned below?

Awaiting your response.

Best Regards,

Sahul Hameed

Hi @BPry

Awaiting your update. Please find the additional details below and help us with the signature details.

We have deployed the PA firewall in L2 mode with the "Threat Prevention" feature.
Requesting you to kindly mention the AV signature set version and signature details.

I hope these signatures are already kept in blocking mode, with no need to block them manually on the PA?

Best Regards,

Sahul Hameed

@BPry 

Could you provide more details for these signatures (there are 18 Antivirus signatures, 14 DNS signatures, and 3 WildFire signatures that are specific to the Maze ransomware) so that we can block them on PA firewalls?

@Timfw123

In order to get the signature details, please visit the Palo Alto Threat Vault website (https://threatvault.paloaltonetworks.com/) and then search for Maze.

Please refer to the snap below for your reference. I found the same from here.

[image: screenshot of Threat Vault search results for Maze]

Hope this information helps you as well.

Note: In order to block those vulnerability signatures, you need to map the Security Profiles on all the Security rules which allow the traffic.

Best Regards,

Sahul Hameed
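The note above about mapping Security Profiles to every allowing rule is worth checking mechanically rather than by eye, since a Threat Prevention, Antivirus or WildFire signature can only fire on traffic that passes through a rule with a profile attached. The following Python script is an added example, not from this thread or from Palo Alto Networks. It walks a PAN-OS running-config export and lists allow rules that have no antivirus, anti-spyware, vulnerability or WildFire analysis profile. The `rulebase/security/rules/entry` layout with `<action>` and `<profile-setting>` children is an assumption about the export format and should be checked against your own config; the sample config embedded below is constructed.

```python
"""Audit a PAN-OS security rulebase export for allow rules that carry no
threat profile.

Added example, not from the thread or Palo Alto Networks. The XML layout
(rulebase/security/rules/entry with <action> and <profile-setting>) is an
assumption about the running-config structure; verify it against your own
export. SAMPLE_CONFIG is a constructed sample, not a real firewall config.
"""
import xml.etree.ElementTree as ET

# Profile types that together cover the signature families discussed in the
# thread: antivirus, DNS (anti-spyware), vulnerability and WildFire.
THREAT_PROFILES = ("virus", "spyware", "vulnerability", "wildfire-analysis")

# Constructed sample: one rule with a profile group, one with only two
# individual profiles, one allow rule with nothing attached, one deny rule.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="outbound-web">
        <from><member>trust</member></from>
        <to><member>untrust</member></to>
        <action>allow</action>
        <profile-setting><group><member>default</member></group></profile-setting>
      </entry>
      <entry name="outbound-dns">
        <from><member>trust</member></from>
        <to><member>untrust</member></to>
        <action>allow</action>
        <profile-setting>
          <profiles>
            <virus><member>default</member></virus>
            <spyware><member>strict</member></spyware>
          </profiles>
        </profile-setting>
      </entry>
      <entry name="guest-any">
        <from><member>guest</member></from>
        <to><member>untrust</member></to>
        <action>allow</action>
      </entry>
      <entry name="block-bad">
        <from><member>trust</member></from>
        <to><member>untrust</member></to>
        <action>deny</action>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def rule_profiles(entry):
    """Return the set of profile types attached to one security rule entry.

    A profile *group* is treated as covering every type, because the group's
    contents are defined elsewhere in the config; individually attached
    profiles are reported by their element name (virus, spyware, ...)."""
    ps = entry.find("profile-setting")
    if ps is None:
        return set()
    if ps.find("group/member") is not None:
        return set(THREAT_PROFILES)
    return {p.tag for p in ps.findall("profiles/*")}


def audit_rulebase(xml_text):
    """Return {rule_name: [missing profile types]} for every allow rule that
    lacks one or more threat profiles. Rules whose action is not allow are
    skipped, since no inspection is needed on traffic that is denied."""
    root = ET.fromstring(xml_text)
    findings = {}
    for entry in root.findall(".//rulebase/security/rules/entry"):
        if entry.findtext("action") != "allow":
            continue
        attached = rule_profiles(entry)
        missing = [p for p in THREAT_PROFILES if p not in attached]
        if missing:
            findings[entry.get("name")] = missing
    return findings


if __name__ == "__main__":
    for rule, missing in audit_rulebase(SAMPLE_CONFIG).items():
        print(f"allow rule {rule!r} has no {', '.join(missing)} profile")
```

Run it against a saved copy of the running configuration instead of `SAMPLE_CONFIG` to get the list of rules that would let Maze-related traffic through uninspected; an empty result means every allow rule has either a profile group or all four individual profiles attached.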

Hello,

In regards to your question:

"We have deployed the PA firewall in L2 mode with the "Threat Prevention" feature.
Requesting you to kindly mention the AV signature set version and signature details.

I hope these signatures are already kept in blocking mode, with no need to block them manually on the PA?"

That depends on your policies. If your policies are set up to detect/block, then you should be good, provided you have the proper licenses and are performing dynamic updates, making sure your PAN has the most up-to-date signatures.

Regards,

L0 Member

Hi Palo Alto team, can we get the WildFire report for the Maze ransomware sent to us?

 

  • 5823 Views
  • 7 replies
  • 0 Likes