11-28-2025 01:44 AM
Hi All,
We like to have clarification regarding the current threat protection capabilities of Palo Alto Networks firewalls against LockBit 5.0 ransomware, which has been reported as a newly emerging variant around September 2025.
Upon reviewing the ThreatVault database, we found several existing threat signatures related to LockBit (e.g., Trojan/Win32.lockbit.dp, LockBit Ransomware Powershell Script File Detection, DNS-based signatures, etc.). However, these signatures appear to have been released prior to September 2025, with the latest update we observed dated 21 January 2025. This indicates that they likely correspond to earlier variants of LockBit (e.g., v2.0 / v3.0 / v4.0).
We would like to seek clarification on the following:
thank you
12-04-2025 07:49 AM
Hi @Fariq_Zaidi ,
Protection against known components of LockBit 5.0 is delivered via our regular content updates, which include specific Antivirus (AV) and Vulnerability Protection signatures.
You can verify the latest coverage by checking the ThreatVault database for these and related signatures (released September 2025):
Relying on signatures alone is insufficient for modern ransomware. LockBit 5.0 is designed for evasion (e.g., using a two-stage payload and API unhooking), which is why defense strategy should focused on behavioral and machine learning analysis:
WildFire Real-Time ML and Sandboxing: This is your primary defense against zero-day and previously unknown ransomware samples. WildFire analyzes the payload in a virtual environment to detect malicious behaviors and instantly generates new protections, eliminating dwell time.
Advanced Threat Prevention (ATP): This leverages inline machine learning models to detect malicious behaviors, exploit techniques (like process hollowing), and Command-and-Control (C2) patterns associated with ransomware activity, stopping the threat before it gets a signature.
Anti-Spyware/Vulnerability Protection: These profiles stop common exploit techniques and lateral movement attempts (like abusing PowerShell) frequently leveraged by LockBit affiliates during the initial stages of an attack.
Ransomware mitigation is less about a single setting and more about a unified security posture. We strongly recommend following our best practice guidelines:
Enable Decryption: You cannot stop threats you cannot see. Enable SSL/TLS decryption for high-risk and medium-risk traffic to inspect the encrypted payload delivery and C2 communications.
Aggressive Security Profiles: Ensure all Security Profiles are set aggressively (e.g., Block actions) for:
File Blocking: Block the download/upload of high-risk executable files (PE files) and multi-level encoded files.
URL Filtering: Block all malicious URL categories (Malware, Phishing, Command-and-Control, Ransomware).
Policy Best Practices: Apply the full set of Security Profiles (Anti-Spyware, Vulnerability Protection, Antivirus, WildFire Analysis, URL Filtering) to all relevant Allow rules to ensure comprehensive scanning of allowed applications.
For detailed steps on hardening your security profiles, please review the official documentation:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
