Ransomware | Marketplace

Details
Content
Dependencies
Version History

This pack is used to identify, investigate, and contain ransomware attacks.

When a ransomware attack is detected, for example by your endpoint protection service, this pack can help you better understand your position and exposure against the threat actor group by collecting the needed information from your environment, performing the required investigation steps, containing the incident, and visualizing the data with its custom Post Intrusion Ransomware layout.

What does this pack do?

The main features of the semi-automated Post Intrusion Ransomware Investigation playbook included in the pack are:

Performs automated user and host data enrichment.
Performs automated endpoint isolation and user revocation.
Provides guidance to retrieve the necessary files to identify the ransomware strain.
Extracts indicators from the ransomware note, including cryptocurrency and onion addresses.
Provides guidance on additional recommended investigation steps such as endpoint forensics, searching for more infected endpoints, and investigating activities of the infected user.
Performs Active Directory forensics.
Automatically blocks malicious indicators.
As part of this pack, you will get out-of-the-box playbook, incident type, incident fields and a layout to display all of the information gathered during the ransomware investigation performed by the playbook.

Integrations

Integrations required for this pack.

Fetch incidents integration: the integration you are using to fetch and ingest ransomware incidents, for example, Palo Alto Networks Cortex XDR.
Active Directory Query V2 - (see the documentation)
Rasterize - (see the documentation)
Cryptocurrency - (see the documentation)
For more information, visit our Cortex XSOAR Developer Docs

What does this pack do?

The main features of the semi-automated Post Intrusion Ransomware Investigation playbook included in the pack are:

Performs automated user and host data enrichment.
Performs automated endpoint isolation and user revocation.
Provides guidance to retrieve the necessary files to identify the ransomware strain.
Extracts indicators from the ransomware note, including cryptocurrency and onion addresses.
Provides guidance on additional recommended investigation steps such as endpoint forensics, searching for more infected endpoints, and investigating activities of the infected user.
Performs Active Directory forensics.
Automatically blocks malicious indicators.
As part of this pack, you will get out-of-the-box playbook, incident type, incident fields and a layout to display all of the information gathered during the ransomware investigation performed by the playbook.

Integrations

Integrations required for this pack.

Fetch incidents integration: the integration you are using to fetch and ingest ransomware incidents, for example, Palo Alto Networks Cortex XDR.
Active Directory Query V2 - (see the documentation)
Rasterize - (see the documentation)
Cryptocurrency - (see the documentation)
For more information, visit our Cortex XSIAM Developer Docs

Automations

Name	Description
RansomwareHostWidget	Entry widget that returns the number of affectefd hosts in a Post Intrusion Ransomware incident.
RansomwareDataEncryptionStatus	A Widget script - checks for the data encryption status in post ransomware investigation playbook and layout.

Incident Fields

Name	Description
Ransomware Note
Ransomware Cryptocurrency Address	Ransomware Cryptocurrency Address
Ransomware Approximate Number Of Encrypted Endpoints
Ransomware Data Encryption Status
Ransomware Cryptocurrency Address Type	Type of the Cryptocurrency
Ransomware Encrypted File Owner	User who encrypted the files across the domain
Ransomware Strain	Strain of the ransomware
Ransomware Recovery Tool
Ransomware Email	Email address for communication with the ransomware operators group
Ransomware Onion Address	Onion service address for communication with the ransomware operators group

Incident Types

Name	Description
Post Intrusion Ransomware
Ransomware

Layouts

Name	Description
Post Intrusion Ransomware	Post Intrusion Ransomware Incident layout

Playbooks

Name	Description
Ransomware Playbook - Manual	Master playbook for ransomware incidents. This playbook is a manual playbook.
Post Intrusion Ransomware Investigation	Provides the first step in the investigation of ransomware attacks. The playbook requires the ransom note and an example of an encrypted file (<1MB) to try to identify the ransomware and find a recovery tool via the online database. You will be guided with further investigation steps throughout the playbook, some of the key features are: Encrypted file owner investigation Endpoint forensic investigation Active Directory investigation Timeline of the breach investigation Indicator and account enrichment Playbook settings and mapping: For the full operation of the playbook, the following data should be mapped to the relevant incident fields. Username - Usernames (common incident field) Hostname - Hostnames (common incident field)

Name

Description

Ransomware Playbook - Manual

Master playbook for ransomware incidents. This playbook is a manual playbook.

Post Intrusion Ransomware Investigation

Provides the first step in the investigation of ransomware attacks.
The playbook requires the ransom note and an example of an encrypted file (<1MB) to try to identify the ransomware and find a recovery tool via the online database.
You will be guided with further investigation steps throughout the playbook, some of the key features are:

Encrypted file owner investigation
- Endpoint forensic investigation
- Active Directory investigation
- Timeline of the breach investigation
- Indicator and account enrichment

Playbook settings and mapping:
For the full operation of the playbook, the following data should be mapped to the relevant incident fields.
Username - Usernames (common incident field)
Hostname - Hostnames (common incident field)

Automations

Name	Description
RansomwareHostWidget	Entry widget that returns the number of affectefd hosts in a Post Intrusion Ransomware incident.
RansomwareDataEncryptionStatus	A Widget script - checks for the data encryption status in post ransomware investigation playbook and layout.

Incident Fields

Name	Description
Ransomware Approximate Number Of Encrypted Endpoints
Ransomware Strain	Strain of the ransomware
Ransomware Cryptocurrency Address	Ransomware Cryptocurrency Address
Ransomware Note
Ransomware Data Encryption Status
Ransomware Onion Address	Onion service address for communication with the ransomware operators group
Ransomware Cryptocurrency Address Type	Type of the Cryptocurrency
Ransomware Email	Email address for communication with the ransomware operators group
Ransomware Recovery Tool
Ransomware Encrypted File Owner	User who encrypted the files across the domain

Incident Types

Name	Description
Ransomware
Post Intrusion Ransomware

Playbooks

Name	Description
Ransomware Playbook - Manual	Master playbook for ransomware alerts. This playbook is a manual playbook.
Post Intrusion Ransomware Investigation	Provides the first step in the investigation of ransomware attacks. The playbook requires the ransom note and an example of an encrypted file (<1MB) to try to identify the ransomware and find a recovery tool via the online database. You will be guided with further investigation steps throughout the playbook, some of the key features are: Encrypted file owner investigation Endpoint forensic investigation Active Directory investigation Timeline of the breach investigation Indicator and account enrichment Playbook settings and mapping: For the full operation of the playbook, the following data should be mapped to the relevant alert fields. Username - Usernames (common alert field) Hostname - Hostnames (common alert field)

Name

Description

Ransomware Playbook - Manual

Master playbook for ransomware alerts. This playbook is a manual playbook.

Post Intrusion Ransomware Investigation

Encrypted file owner investigation
- Endpoint forensic investigation
- Active Directory investigation
- Timeline of the breach investigation
- Indicator and account enrichment

Playbook settings and mapping:
For the full operation of the playbook, the following data should be mapped to the relevant alert fields.
Username - Usernames (common alert field)
Hostname - Hostnames (common alert field)

Required Content Packs (6)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR

Optional Content Packs (5)

Pack Name	Pack By
Active Directory Query	By: Cortex XSOAR
Gmail	By: Cortex XSOAR
Gmail Single User	By: Cortex XSOAR
Mail Sender (New)	By: Cortex XSOAR
Microsoft Graph Mail	By: Cortex XSOAR

All level dependencies (8)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

1.0.12 - 938811 (April 7, 2024)

Scripts

RansomwareDataEncryptionStatus

Updated the Docker image to: demisto/python3:3.10.14.91134.

RansomwareHostWidget

Updated the Docker image to: demisto/python3:3.10.14.91134.

Related pull requests:
- 33641
- 33516
- 33519
- 33515
- 33329
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458
- 33535
- 33534
- 33537
- 33552
- 33580
- 33553
- 33418
- 33583
- 33555
- 33556
- 33559
- 33560
- 33619
- 33591
- 33602
- 33600
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458

Download

1.0.11 - R5692327 (July 5, 2023)

Playbooks

Post Intrusion Ransomware Investigation

Replaced the Block Indicators - Generic v2 sub-playbook with the new Block Indicators - Generic v3 playbook. (Available from Cortex XSOAR 6.5.0).
Added input AutoBlockIndicators - This input determines whether to block the indicators automatically or manually using the Block Indicators - Generic v3 sub-playbook. (Available from Cortex XSOAR 6.5.0).
Added input UserVerification - This input determines whether blocking IPs is should be done with or without user verification. The IPs blocking is done by using the Block Indicators - Generic v3 sub-playbook. (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 26983

Download

1.0.10 - R5170573 (May 2, 2023)

Layouts

Post Intrusion Ransomware
This item is no longer supported in XSIAM.

Related pull requests:
- 24222

Download

1.0.9 - R3917401 (October 26, 2022)

Incident Fields

Maintenance and stability enhancements for the following fields:

Ransomware Onion Address
Ransomware Cryptocurrency Address
Ransomware Email
Ransomware Cryptocurrency Address Type

Related pull requests:
- 16777

Download

1.0.8 - R2146019 (December 21, 2021)

Playbooks

Post Intrusion Ransomware Investigation

Updated a sub-playbook name in 2 tasks.

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	November 9, 2020
Last Release	April 7, 2024

Malware

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.