Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3389
Views
5
Helpful
3
Replies

Using AMP to protect from DarkSide Crypto Ransomeware

Go to solution
jtrai4911
Level 1
Level 1

‎03-26-2021 08:03 AM

We recently had a new client get hit with the DarkSide Crypto Ransomware that came from inside their network. We found some vulnerabilities on their servers that the client had setup and ended them in this situation. My manager asked me to look into AMP to see if there are settings within AMP that might have protected their servers as well as their workstations.

 

I have some knowledge of AMP for Endpoints with setting up the basics on workstations. The clients we have are mostly smaller clients and are using AMP to protect workstations. The larger clients are either maintained by their internal IT departments and our mid-sized are maintained by our Cisco engineers.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ppreenja
Cisco Employee
Cisco Employee

‎03-26-2021 07:13 PM

Hi,

 

If you have AMP installed on those new clients and recommended engines running in the AMP policies, then AMP must have provided protections against the DarkSide Crypto Ransomware as Cisco TALOS already has detection against the same from last year.

Please search on the TALOS website for the given SHA-256 value for the Ransomware and you will be able to get the information on the detection as below:

https://talosintelligence.com/sha_searches

SHA-256: 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297

Please refer to the attached screenshot.

 

Also, please refer to the below Deployment Strategy guide for the policy settings recommendations for your servers and workstations:

https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20Deployment%20Strategy.pdf

 

I hope the above helps!

 

Cheers,

Pratham

 

 

View solution in original post

Preview file
214 KB
0 Helpful
3 Replies 3

Go to solution
Ken Stieers
VIP
VIP

‎03-26-2021 08:40 AM

Yes, AMP is appropriate to install on servers.

There are specific recommendations for servers that are in the console. You may find that you want to tweak those as they very conservative so as to not cause issues but still give you visibility as to what is executed on servers.

You could also use AMP to get a feel for what is supposed to be on those servers and set up application whitelisting so you can insure only appropriate code is running.

Go to solution
ppreenja
Cisco Employee
Cisco Employee

‎03-26-2021 07:13 PM

Hi,

 

If you have AMP installed on those new clients and recommended engines running in the AMP policies, then AMP must have provided protections against the DarkSide Crypto Ransomware as Cisco TALOS already has detection against the same from last year.

Please search on the TALOS website for the given SHA-256 value for the Ransomware and you will be able to get the information on the detection as below:

https://talosintelligence.com/sha_searches

SHA-256: 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297

Please refer to the attached screenshot.

 

Also, please refer to the below Deployment Strategy guide for the policy settings recommendations for your servers and workstations:

https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20Deployment%20Strategy.pdf

 

I hope the above helps!

 

Cheers,

Pratham

 

 

Preview file
214 KB
0 Helpful

Go to solution
jtrai4911
Level 1
Level 1
In response to ppreenja

‎03-31-2021 06:34 AM

Pratham,

 

Unfortunately this was a new client that was pulled into our data center and they did not have AMP installed. My management is looking to approach them with getting this purchased and installed on all of their servers and workstations, but needed additional information.

Thank you for the information and your time.

 

Joe

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents