Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Noa_Moe
Participant

IPS Signature for BlackMatter Ransomware

Jump to solution

Hello, does anyone know if there is an IPS Signature already made for Checkpoint we can download in our normal IPS updates for the BlackMatter Ransomware? 

https://us-cert.cisa.gov/ncas/alerts/aa21-291a

Or can we do a custom one with the info in the US Cert article?

 

0 Kudos
2 Solutions

Accepted Solutions
Timothy_Hall
Champion
Champion

There are no IPS signatures for any ransomware types, that falls into the domain of the Anti-virus blade which has several signatures for Black Matter.  You will want to use those if you have the Anti-Virus blade enabled. 

While IPS was kind of the "original Threat Prevention" and had lots of signatures for things like eDonkey/Gator/Nimda and such, all that got cleaned up in R80 as many IPS signatures got migrated into the "proper" blades as described here: sk103766: List of IPS Protections removed in R8X.x.  Although IPS still has  a signature for the EICAR test virus to this day which I find perplexing...

But anyway if you can't or don't want to use the Anti-Virus blade for this, your best bet is to create a custom SNORT signature for your IPS blade matching Black Matter, I'm sure you could probably locate the proper SNORT rule(s) for it with a bit of research.  All of the above is covered in my new IPS/AV/ABOT Immersion video series as well as Custom Threat Indicators (strongly preferred over the much older SNORT-based signatures) which you can't use in this case because they only function with AV and ABOT.

 

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

Timothy_Hall
Champion
Champion

Go to the ThreatWiki (https://threatwiki.checkpoint.com/threatwiki/public.htm) and search for blackmatter to get the protection names:

blackmatter.png

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

5 Replies
Timothy_Hall
Champion
Champion

There are no IPS signatures for any ransomware types, that falls into the domain of the Anti-virus blade which has several signatures for Black Matter.  You will want to use those if you have the Anti-Virus blade enabled. 

While IPS was kind of the "original Threat Prevention" and had lots of signatures for things like eDonkey/Gator/Nimda and such, all that got cleaned up in R80 as many IPS signatures got migrated into the "proper" blades as described here: sk103766: List of IPS Protections removed in R8X.x.  Although IPS still has  a signature for the EICAR test virus to this day which I find perplexing...

But anyway if you can't or don't want to use the Anti-Virus blade for this, your best bet is to create a custom SNORT signature for your IPS blade matching Black Matter, I'm sure you could probably locate the proper SNORT rule(s) for it with a bit of research.  All of the above is covered in my new IPS/AV/ABOT Immersion video series as well as Custom Threat Indicators (strongly preferred over the much older SNORT-based signatures) which you can't use in this case because they only function with AV and ABOT.

 

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

D_TK
Contributor

I've been asked to show proof of protection from "blackmatter"...  is there a way to look these up the protections in AV/AB blade? not sure what they're called - i've tried w.32.blackmatter, and a few other variations, and couldn't find anything.

 

thanks.

Noa_Moe
Participant

I found the BlackMatter AV protections listed in the ThreatWiki but not able to search that is was applied either. https://threatwiki.checkpoint.com/threatwiki/public.htm

0 Kudos
Timothy_Hall
Champion
Champion

Go to the ThreatWiki (https://threatwiki.checkpoint.com/threatwiki/public.htm) and search for blackmatter to get the protection names:

blackmatter.png

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

Tal_Paz-Fridman
Employee
Employee

Check Point Harmony Endpoint provides protection against this threat:

https://threatpoint.checkpoint.com/ThreatPortal/threat?threatType=publication&threatId=4561

 

0 Kudos