Ransomware removal and protection with Symantec Endpoint Protection

Article ID: 178834

Products

Endpoint Protection

Resolution

Petya Ransomware

WannaCry Ransomware

What is ransomware?

Ransomware is a category of malware that sabotages documents and makes them unusable, while the computer user can still access the computer. Ransomware attackers force their victims to pay a ransom through specifically noted payment methods, after which they may grant the victims access to their data. Unfortunately, decrypting ransomware-encrypted files is not possible using removal tools.

Ransomlockers are a related type of malware that prevents users from accessing their devices or data by locking their computer. The victim receives a message that may appear to be from local law enforcement, demanding a "fine" to let victims avoid arrest and to unlock their computers.

How to remove ransomware

CryptoLocker is a ransomware variant in which the malware encrypts a user's files and often deletes the original copies. The attacker demands a ransom to decrypt the files. Not only are files on the local computer damaged, but so are the files on any shared or attached network drives to which the computer has write access.

Organizations must respond to increasing threat of ransomware

Don't Pay That Ransom: Fighting Ransomware In A New Threat Landscape

Symantec Threat Landscape Round Up: Ransomware a US$34 million-a-year business

5 steps for preventing ransomware

Hardening Your Environment Against Ransomware

To avoid ransomware infection, follow these steps:

  1. Back up your computers and servers regularly.

    Regularly back up the files on both the client computers and servers. Either back up the files when the computers are offline or use a system that networked computers and servers cannot write to. If you do not have dedicated backup software, you can also copy the important files to removable media. Then eject and unplug the removable media; do not leave the removable media plugged in.

  2. Lock down mapped network drives by securing them with a password and access control restrictions.

    Use read-only access for files on network drives, unless it is absolutely necessary to have write access for these files. Restricting user permissions limits which files the threats can encrypt.

  3. Deploy and enable the following protections from Symantec Endpoint Protection Manager:

    • IPS

      IPS blocks some threats that traditional virus definitions alone cannot stop. IPS is the best defense against drive-by downloads, which occur when software is unintentionally downloaded from the Internet. Attackers often use exploit kits to deliver a web-based attack like CryptoLocker through a drive-by download.

      See Enabling network intrusion prevention or browser intrusion prevention.

    • SONAR

      SONAR's behavior-based protection is another crucial defense against malware. SONAR prevents files that use the double file-extension naming of ransomware variants like CryptoLocker from running.

      In a Virus and Spyware Protection policy, click SONAR > Enable SONAR.

    • Download Insight

      Modify Download Insight in a Virus and Spyware - High Security policy to quarantine the files that have not yet been proven to be safe by the Symantec customer base.

      See Preventing ransomware attacks with Download Insight.

    Recovering Ransomlocked Files Using Built-In Windows Tools

  4. Download the latest patches for web application frameworks, web browsers, and web browser plug-ins.

    Exploit kits cannot deliver drive-by downloads unless there is an old, vulnerable version of a plug-in to exploit, such as Flash. Historically, attacks were delivered through phishing and web browsers. More recently, attacks are increasingly delivered through vulnerable web applications, such as JBoss, WordPress, and Joomla.

  5. Use an email security product to handle email safely.

    CryptoLocker is often spread through spam emails that contain malicious attachments. Scanning inbound emails for threats with a dedicated mail security product or service is critical to keep ransomware and other malware out of your organization. For important advice and recommendations, see:

    Support Perspective: W97M.Downloader Battle Plan
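The following PowerShell script is an added example, not part of the Symantec article, that supports step 2 above: it audits the SMB shares on a file server for broad write access (Change or Full granted to groups such as Everyone or Domain Users), which is exactly the access a ransomware-infected client with a mapped drive would use to encrypt shared files. It assumes Windows 8 / Server 2012 or later, where the SmbShare module exists, and an elevated session; the principal list, the function name and the share names in the remediation comment are assumptions.

```powershell
# Added example (not from the Symantec article): audit local SMB shares for
# broad write access, which is what step 2 (read-only network drives) restricts.
# Assumes Windows 8 / Server 2012 or later (SmbShare module) and an elevated session.

# Assumed list of principals that should not hold write access on user-data shares.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')

function Get-WritableShareGrants {
    [CmdletBinding()]
    param(
        [string[]]$Principals = $BroadPrincipals
    )
    # Skip administrative shares (C$, ADMIN$, IPC$); user data lives on named shares.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }
    foreach ($share in $shares) {
        $grants = Get-SmbShareAccess -Name $share.Name
        foreach ($grant in $grants) {
            # Only Allow entries for Change or Full confer write access at share level.
            if ($grant.AccessControlType -ne 'Allow') { continue }
            if ($grant.AccessRight -notin @('Change', 'Full')) { continue }
            # Strip any domain prefix (e.g. BUILTIN\Users) before matching the name.
            $account = ($grant.AccountName -split '\\')[-1]
            if ($account -in $Principals) {
                [pscustomobject]@{
                    Share       = $share.Name
                    Path        = $share.Path
                    Account     = $grant.AccountName
                    AccessRight = $grant.AccessRight
                }
            }
        }
    }
}

# Report shares where broad groups can write; these are the shares an infected
# client with a mapped drive could encrypt.
$findings = Get-WritableShareGrants
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No shares grant Change/Full to broad principals.'
}

# To remediate a finding, replace the broad write grant with read-only access.
# ('Finance' is an assumed share name.)
# Revoke-SmbShareAccess -Name 'Finance' -AccountName 'Everyone' -Force
# Grant-SmbShareAccess  -Name 'Finance' -AccountName 'Everyone' -AccessRight Read -Force
```

Share permissions are only half of the picture: the effective access is the more restrictive of the share permission and the NTFS ACL on the folder, so tighten the NTFS permissions on the underlying path as well.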

How to remove ransomware

There is no ransomware removal tool or CryptoLocker removal tool. Instead, if your client computers do get infected with ransomware and your data is encrypted, follow these steps:

  1. Do not pay the ransom.

    If you pay the ransom:

    • There is no guarantee that the attacker will supply a method to unlock your computer or decrypt your files.

    • The attacker uses the ransom money to fund additional attacks against other users.

  2. Isolate the infected computer before the ransomware can attack network drives to which it has access.

  3. Use Symantec Endpoint Protection Manager to update the virus definitions and scan the client computers.

    New definitions are likely to detect and remediate the ransomware. Symantec Endpoint Protection Manager automatically downloads virus definitions to the client, as long as the client is managed and connected to the Symantec Endpoint Protection Manager.

    In Symantec Endpoint Protection Manager, click Clients, right-click the group, and click Run a command on the group > Update Content and Scan.

  4. Restore damaged files from a known good backup.

    As with other security products, Symantec Endpoint Protection cannot decrypt the files that ransomlockers have sabotaged.

  5. Submit the malware to Symantec Security Response.

    If you can identify the malicious email or executable, submit it to Symantec Security Response. These samples enable Symantec to create new signatures and improve defenses against ransomware.

    Symantec Insider Tip: Successful Submissions!

For more information