Ransomware Prevention / Detection / Response Resources

There are many articles, guides, and resources available across various Palo Alto Networks properties to guide users on how to best protect their organizations from ransomware. After spending some time to find many of them, I thought I would share with everyone.

High level from what I could find there were a few high level recommendations from resources like Unit 42:

1. Block network-borne ransomware (NGFW + Security subscriptions)

Someone made a great write up on the knowledge base about best practices for general ransomware prevention. Unit42 as well seems to publish research on specific attackers like (ex: Darkside) which give more specific guidance. If you read the first link, you'll see there are several action items to take and I've tried to link documentation and best practice pages as best I can for these:

• Decrypt traffic where possible for visibility (Best Practices)

• Attackers can move around infra to change source IPs, harder to change tools - often need to see into the body of traffic to detect effectively

• Use file blocking profiles to block unneeded, malicious payload types

• For file types allowed, follow Wildfire Best Practices

• Enable DNS Security on firewalls

• 80% of malware uses it in some way -> C2, Exfil
• Sinkhole traffic to tag and then reduce access of infected hosts

• Leverage vulnerability protection profiles

• Overall best practices
• Specific to Exploit Kits and Phishing
• Attach (at a minimum) to all internet traffic policies
• Optimally E-W as well where possible to prevent lateral spread
• Leverage EDLs to block known bad IPs and domains
• Keep up to date on all content packages

2. Prevent Ransomware on endpoint with Cortex XDR

• Cortex Endpoint Protection Modules
• Anti-ransomware
• Local (static) Analysis + Wildfire (dynamic and sandboxing)
• Windows, Mac, and Linux look to be supported by 1 or both of above
• Make sure these modules are enabled

3. Leverage SOAR to quickly respond & automate hunting for threats

SOAR platforms and playbooks are great to document and automate responses. Cortex XSOAR has a lot of OOTB content and playbooks for certain scenarios which can be great references (even if you can't get a SOAR tool in your arsenal today). Ransomware is one of these. Full documentation here.

4. Contain and recover with experts on hand

In addition to products, Palo Alto Networks is doing a lot of work in consulting, services, etc these days to be a full partner to customers and not just a tech vendor. Below are some links to a bunch of the services available - one of which is a Ransomware Readiness to look at current state of an org and map a path to be ready to fight off ransomware attacks.

• Proactive
• Proactive Assessments - "who can help me understand my risk/posture"
• 3rd Party risk assessments (partners and acquisitions): "How do I know my business partner / potential acquisition has a clean house?"
• Ransomware Readiness: "If I suffer a ransomware attack, how can I make sure it won't impact my operations & I won't be forced to pay?"
• Breach Readiness: "Do I have my response procedures planned, documented, and ready to go if we suffer a breach so that we can mitigate damage?"
• Threat Intel and Briefings "who can keep me up to date on current trends in the threat landscape so I know what to be looking for?"
• Reactive
• Find out if you have been compromised: "How do I know if recent attack XXXX affects/affected me?"
• Investigate Advanced Persistent Threats in your environment: "How do I confirm if a sneaky threat actor is or is not already lurking in my business waiting for the right moment?"
• Incident Response Retainers - 'If I get breached who will help me"
• Remediate Business Email Compromise: "How do I quickly respond to this specific type of attack?"

Finally, an excellent general resource (as linked in the comments below) is the Unit42 Incident Response and Data Breach Report, which goes into great detail about major trends and action plans to mitigate (including but not limited to Ransomware).