Ransomware Prevention / Detection / Response Resources



L1 Bithead

There are many articles, guides, and resources available across various Palo Alto Networks properties to guide users on how to best protect their organizations from ransomware. After spending some time finding many of them, I thought I would share with everyone.

At a high level, from what I could find there were a few high-level recommendations from resources like Unit 42:


1. Block network-borne ransomware (NGFW + Security subscriptions)


Someone made a great write-up on the knowledge base about best practices for general ransomware prevention. Unit42 as well seems to publish research on specific attackers (e.g., Darkside), which gives more specific guidance. If you read the first link, you'll see there are several action items to take, and I've tried to link documentation and best practice pages as best I can for these:


  • Attackers can move around infra to change source IPs, harder to change tools - often need to see into the body of traffic to detect effectively



  • 80% of malware uses it in some way -> C2, Exfil
  • Sinkhole traffic to tag and then reduce access of infected hosts



  • Leverage vulnerability protection profiles



2. Prevent Ransomware on endpoint with Cortex XDR



  • Cortex Endpoint Protection Modules
    • Anti-ransomware
    • Local (static) Analysis + Wildfire (dynamic and sandboxing)
  • Windows, Mac, and Linux look to be supported by one or both of the above
  • Make sure these modules are enabled


3. Leverage SOAR to quickly respond & automate hunting for threats


SOAR platforms and playbooks are great to document and automate responses. Cortex XSOAR has a lot of OOTB content and playbooks for certain scenarios which can be great references (even if you can't get a SOAR tool in your arsenal today). Ransomware is one of these. Full documentation here.


4. Contain and recover with experts on hand


In addition to products, Palo Alto Networks is doing a lot of work in consulting, services, etc. these days to be a full partner to customers and not just a tech vendor. Below are some links to a bunch of the services available - one of which is a Ransomware Readiness to look at the current state of an org and map a path to be ready to fight off ransomware attacks.



Finally, an excellent general resource (as linked in the comments below) is the Unit42 Incident Response and Data Breach Report, which goes into great detail about major trends and action plans to mitigate (including but not limited to Ransomware).



L5 Sessionator

Adding to this thread with the incident response firm, CrypSis, and their 2020 incident report found here. 


Many great tidbits of information in here, from their largest observed entry vectors, threat actor groups, most targeted services, etc. Beyond the Palo platform, there's lots of general networking best practice guidelines in the report.

Help the community! Add tags and mark solutions please.

Great share @LAYER_8 - I'm going to edit the original post to include this. Thanks.
