This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Noa_Moe
Participant
‎2021-10-19 01:10 PM
Jump to solution

IPS Signature for BlackMatter Ransomware

Hello, does anyone know if there is an IPS Signature already made for Checkpoint we can download in our normal IPS updates for the BlackMatter Ransomware? 

https://us-cert.cisa.gov/ncas/alerts/aa21-291a

Or can we do a custom one with the info in the US Cert article?

 

Detection signature.JPG
Preview file
64 KB
0 Kudos
2 Solutions

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2021-10-19 05:38 PM
Jump to solution

There are no IPS signatures for any ransomware types, that falls into the domain of the Anti-virus blade which has several signatures for Black Matter.  You will want to use those if you have the Anti-Virus blade enabled. 

While IPS was kind of the "original Threat Prevention" and had lots of signatures for things like eDonkey/Gator/Nimda and such, all that got cleaned up in R80 as many IPS signatures got migrated into the "proper" blades as described here: sk103766: List of IPS Protections removed in R8X.x.  Although IPS still has  a signature for the EICAR test virus to this day which I find perplexing...

But anyway if you can't or don't want to use the Anti-Virus blade for this, your best bet is to create a custom SNORT signature for your IPS blade matching Black Matter, I'm sure you could probably locate the proper SNORT rule(s) for it with a bit of research.  All of the above is covered in my new IPS/AV/ABOT Immersion video series as well as Custom Threat Indicators (strongly preferred over the much older SNORT-based signatures) which you can't use in this case because they only function with AV and ABOT.

 

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2

View solution in original post

Timothy_Hall
Legend Legend
Legend
‎2021-10-21 10:23 AM
In response to D_TK
Jump to solution

Go to the ThreatWiki (https://threatwiki.checkpoint.com/threatwiki/public.htm) and search for blackmatter to get the protection names:

blackmatter.png

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2

View solution in original post

5 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-10-19 05:38 PM
Jump to solution

There are no IPS signatures for any ransomware types, that falls into the domain of the Anti-virus blade which has several signatures for Black Matter.  You will want to use those if you have the Anti-Virus blade enabled. 

While IPS was kind of the "original Threat Prevention" and had lots of signatures for things like eDonkey/Gator/Nimda and such, all that got cleaned up in R80 as many IPS signatures got migrated into the "proper" blades as described here: sk103766: List of IPS Protections removed in R8X.x.  Although IPS still has  a signature for the EICAR test virus to this day which I find perplexing...

But anyway if you can't or don't want to use the Anti-Virus blade for this, your best bet is to create a custom SNORT signature for your IPS blade matching Black Matter, I'm sure you could probably locate the proper SNORT rule(s) for it with a bit of research.  All of the above is covered in my new IPS/AV/ABOT Immersion video series as well as Custom Threat Indicators (strongly preferred over the much older SNORT-based signatures) which you can't use in this case because they only function with AV and ABOT.

 

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
D_TK
Advisor
‎2021-10-21 10:12 AM
In response to Timothy_Hall
Jump to solution

I've been asked to show proof of protection from "blackmatter"...  is there a way to look these up the protections in AV/AB blade? not sure what they're called - i've tried w.32.blackmatter, and a few other variations, and couldn't find anything.

 

thanks.

Noa_Moe
Participant
‎2021-10-21 10:21 AM
In response to D_TK
Jump to solution

I found the BlackMatter AV protections listed in the ThreatWiki but not able to search that is was applied either. https://threatwiki.checkpoint.com/threatwiki/public.htm

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-10-21 10:23 AM
In response to D_TK
Jump to solution

Go to the ThreatWiki (https://threatwiki.checkpoint.com/threatwiki/public.htm) and search for blackmatter to get the protection names:

blackmatter.png

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
Tal_Paz-Fridman
Employee
Employee
‎2021-10-22 03:07 AM
Jump to solution

Check Point Harmony Endpoint provides protection against this threat:

https://threatpoint.checkpoint.com/ThreatPortal/threat?threatType=publication&threatId=4561

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top