
Updating ransomware hashes in Cisco FTD to block ransomware

Hi All,

I would really appreciate your help regarding the issue below.

I have received the hashes below and we would like to add them to the FTD to block this Qilin ransomware. Please let me know the steps I should follow to update these hashes in the firewall.

1 Reply

Marvin Rhoads
Hall of Fame

You can add the hashes to a file list as described here:

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/objects-object-mgmt.html#ID-2243-0000090c

Note that we only see the file hashes at the firewall if they are transiting in an unencrypted (plain text) form or have been decrypted (i.e., via an SSL Decryption policy). So for 90%+ of Internet traffic (SSL/TLS-encrypted https) we never see the file hash at a perimeter firewall. Endpoint protection is the better place for this type of inspection and analysis.
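
As an added example (not from this thread and not Cisco's own tooling), a small Python helper that parses IOC rows in the run-together shape the question's table arrived in (`NA` + SHA-256 + `File` + file name), keeps only well-formed SHA-256 values, de-duplicates and lower-cases them, and renders them one per line for a file-list upload. The one-hash-per-line upload format is an assumption to confirm against the documentation linked above, and the sample hashes are constructed digests of short strings, not real indicators.

```python
import hashlib
import re

# Constructed sample of a flattened IOC table in the shape posted in the question:
# each row runs the columns together as "NA" + SHA-256 + "File" + file name.
# The digests are SHA-256 of short constructed strings, not real indicators.
SAMPLE_ROWS = [
    "NA" + hashlib.sha256(b"sample-a").hexdigest() + "Filesample.exe",
    "NA" + hashlib.sha256(b"sample-b").hexdigest().upper() + "Filesample.elf",
    "NA" + hashlib.sha256(b"sample-a").hexdigest() + "Fileduplicate.exe",  # same hash again
    "NAdeadbeefFilebroken.exe",  # not 64 hex chars, so not a SHA-256: must be rejected
]

# Exactly 64 hex characters between the "NA" date placeholder and the "File" type column.
ROW_RE = re.compile(r"^NA(?P<hash>[0-9a-fA-F]{64})File(?P<name>.*)$")


def parse_ioc_rows(rows):
    """Return (accepted, rejected).

    accepted maps each lower-cased SHA-256 to the first file name seen for it;
    rejected lists rows that do not carry a well-formed SHA-256, so nothing
    malformed silently ends up in the firewall's file list.
    """
    accepted = {}
    rejected = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            rejected.append(row)
            continue
        digest = m.group("hash").lower()  # file lists key on SHA-256; normalise case
        accepted.setdefault(digest, m.group("name"))  # keep first name, drop duplicates
    return accepted, rejected


def to_file_list(accepted):
    """Render one SHA-256 per line (assumed upload format; verify against the
    linked FMC documentation before uploading)."""
    return "\n".join(sorted(accepted)) + "\n"


if __name__ == "__main__":
    ok, bad = parse_ioc_rows(SAMPLE_ROWS)
    print(to_file_list(ok), end="")
    for row in bad:
        print("REJECTED:", row)
```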
