New Advanced URL Filtering/PANDB Category: Ransomware

Ransomware

Starting September 27, 2022, Palo Alto Networks will start publishing URLs into the newly introduced category “Ransomware”, available with content release version 8592 and above.

 

ACTION: Action is required. The Ransomware category action is set to “block” only for the default profile. If you have multiple URL Filtering security profiles, you need to set the action for this category to BLOCK in each of those profiles.

 

How is Ransomware defined?

Palo Alto Networks defines Ransomware as websites known to host ransomware, or malicious traffic involved in conducting ransomware campaigns. Such campaigns generally threaten to publish private data, or keep access to specific data or systems blocked (usually by encrypting it), until the demanded ransom is paid.

 

Will the “Ransomware” category be visible across all PAN-OS versions?

Yes. It is, however, only supported on PAN-OS 9.1 and above. For PAN-OS version 9.0 and below, Ransomware detections will be covered under the category “Malware”.

Note: The “Ransomware” category cannot be used in PAN-OS 9.0 or below. It is visible in the GUI as a setting even on those versions, but no URL will ever be identified with the "Ransomware" category in PAN-OS 9.0 or below.

 

When will the “Ransomware” category be functional?

Starting September 27, 2022, Palo Alto Networks will start publishing URLs that are categorized as ransomware. Please ensure that your security policy rules are configured properly for this new category.

 

Note: Ransomware category functionality will only be supported on PAN-OS versions 9.1 onwards. For PAN-OS version 9.0 and below, ransomware detections will be covered under the Malware category.

 

What is the recommended action for the “Ransomware” category?

Similar to the command-and-control (C2) and malware categories, ransomware attacks pose a serious threat to users and businesses; therefore Palo Alto Networks recommends that customers keep the default action for this category set to “BLOCK”.

Note: The ransomware category action is set to “block” only for the default profile.

 

ACTION: If you have multiple URL Filtering security profiles, you need to update the default action to “BLOCK” for each of these profiles.

 

What is the Palo Alto Networks test URL for Ransomware?

The test URL for ransomware is http://urlfiltering.paloaltonetworks.com/test-ransomware.

 

Does this new category impact me?

Yes. The ransomware category action is only set to “block” for the default profile. If you have multiple URL Filtering security profiles, you need to update the default action to “BLOCK” for each of these profiles.
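The action items above boil down to one check: every URL Filtering profile, not just the default one, must have the ransomware category under "block". The following Python script is an added example (not Palo Alto Networks code) that audits an exported PAN-OS XML configuration for that condition and emits the configure-mode commands to fix it. It assumes the PAN-OS 9.1+ layout in which each url-filtering profile lists categories under action elements (block, alert, allow, continue, override), treats a category listed under none of them as the implicit "allow" default, and the `set`/`delete profiles url-filtering ...` command syntax it prints is likewise an assumption to be checked against your PAN-OS version (on Panorama the path is prefixed by the shared or device-group location). The sample configuration is constructed for the example.

```python
"""Audit PAN-OS URL Filtering profiles for the action on one URL category.

Added example, not Palo Alto Networks code. Assumptions (not from the page):
  * PAN-OS 9.1+ XML layout: each url-filtering profile <entry> lists its
    categories under <block>, <alert>, <allow>, <continue>, <override>.
  * A category listed under none of those elements is treated by the
    firewall as the implicit default "allow".
  * Configure-mode CLI syntax "set profiles url-filtering <name> block <cat>".
"""
import xml.etree.ElementTree as ET

ACTIONS = ("block", "alert", "allow", "continue", "override")
UNLISTED = "unlisted"  # marker for a category absent from every action list

# Constructed sample: one vsys with three URL Filtering profiles. Only the
# default profile already blocks ransomware; one profile omits it (implicit
# allow) and one explicitly allows it.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <profiles>
      <url-filtering>
        <entry name="default">
          <block><member>command-and-control</member><member>malware</member>
                 <member>ransomware</member></block>
          <alert><member>unknown</member></alert>
        </entry>
        <entry name="Corp-URL-Filtering">
          <block><member>command-and-control</member><member>malware</member></block>
          <alert><member>unknown</member></alert>
        </entry>
        <entry name="Guest-URL-Filtering">
          <block><member>malware</member></block>
          <allow><member>ransomware</member></allow>
        </entry>
      </url-filtering>
    </profiles>
  </entry></vsys></entry></devices>
</config>"""


def profile_actions(entry):
    """Return {category: action} for one url-filtering profile <entry>."""
    actions = {}
    for action in ACTIONS:
        for member in entry.findall(f"./{action}/member"):
            actions[(member.text or "").strip()] = action
    return actions


def audit(config_xml, category="ransomware", required="block"):
    """List (profile_name, current_action) for profiles not enforcing `required`.

    Walks every <url-filtering> element at any depth (vsys, shared, device
    group). Security-rule <profile-setting> references also use that tag but
    hold <member> elements rather than <entry>, so they contribute nothing.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for container in root.iter("url-filtering"):
        for entry in container.findall("entry"):
            action = profile_actions(entry).get(category, UNLISTED)
            if action != required:
                findings.append((entry.get("name"), action))
    return findings


def remediation_commands(findings, category="ransomware"):
    """Configure-mode commands (assumed syntax) that move `category` to block.

    A category may sit in only one action list, so an explicit non-block
    entry is deleted before the block entry is set.
    """
    commands = []
    for name, action in findings:
        if action != UNLISTED:
            commands.append(f"delete profiles url-filtering {name} {action} {category}")
        commands.append(f"set profiles url-filtering {name} block {category}")
    return commands


if __name__ == "__main__":
    findings = audit(SAMPLE_CONFIG)
    for name, action in findings:
        print(f"profile {name!r}: ransomware action is {action}, expected block")
    print("\n".join(remediation_commands(findings)))
```

Run it against `show config running` output (or a Panorama export) instead of the constructed sample to get the list of profiles that still need attention; the default profile is skipped automatically once the content update has moved the category to block there.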

 

Additional Information

For more information on best practices when managing URL Filtering categories, check out these resources:

URL Filtering Category Recommendations

Complete List of PAN-DB URL Filtering Categories

 

 
14 Comments
L0 Member

I've checked on my firewall for the new URL category, but I can't find it in the URL list; the update is installed.

L1 Bithead

Is this new category only available with the Advanced URL subscription?

L2 Linker

Any update on the two questions above? I can't see the category either and would like to know if it is related to the Advanced URL subscription. We have that license but can't see it on Panorama to edit policies... some advice on this matter would be helpful! Thanks.

L2 Linker

Ahh, looks like I had to have the very latest signature... I was running 8590-7462 before updating to 8592-7467 on Panorama, and I can see the category now in the URL Filtering profile.

L0 Member

This morning the new category came out; I think it's related to the installation of version 7467 of the application.

L2 Linker

What URL categories would these URLs have previously been categorised as?

Also, what URL categories will these URLs be categorised as without the Advanced URL Filtering licence?

L1 Bithead

This new URL category is available for Advanced and standard PAN-DB subscribers. That's good news! I thought it was only going to be available in the Advanced subscription.

L1 Bithead

Please, can PANW confirm for us whether this URL category will be applicable with the PAN-DB URL Filtering standard license?

L0 Member

Why did Palo Alto release this update on PAN-OS and set it to "Allow" instead of "Block" by default? Can you make changes in your next update to set it to "Block" so we don't have to manually update our URL filtering? I hope Palo Alto will address this concern. Thank you!

L3 Networker

As I had the same concern and I always like to be prepared, please check this helper tool to avoid manual changes, specifically if you have a huge Panorama configuration file with a large number of url-filtering security profiles:

https://github.com/PaloAltoNetworks/pan-os-php

pan-os-php type=securityprofile in=api://MGMT-IP location=any securityProfileType=url-filtering 'filter=(allow has ransomware)' actions=url-filtering-action-set:block,ransomware

My recommendation is to use the PAN-OS-PHP Docker container:
https://github.com/PaloAltoNetworks/pan-os-php/blob/main/READMEdocker.md#deploy-pan-os-php-with-dock...

L2 Linker

Ransomware category is included with both PANDB and Adv URL filtering license. 

L1 Bithead

I was curious on opinions about how to test this new category for false positives. Is everyone just setting it to block in their labs and then running it against critical domains?

 

Also, is this category going to be mostly populated with URLs that are shifted over from existing categories - like malware?

 

Thanks.

L2 Linker

@tcervellione I wouldn't worry about false positives. These can be managed far easier than actual ransomware attacks. 😉

L1 Bithead

Is there a way to get a dump of what is in the current list?
