Ransomware mitigation and protection with Symantec Endpoint Protection
What is ransomware?
Ransomware is a category of malware that encrypts documents, which makes them unusable, and leaves the rest of the computer accessible. Ransomware attackers try to force their victims to pay a ransom through specifically noted payment methods after which they may or may not grant the victims access to their data.
Targeted ransomware is more complex than the original ransomware attacks and involves more than just the initial infection. Attackers have found more ways of extorting victim organizations using the following range of distribution methods:
- Phishing: Emails sent to employees disguised as work-related correspondence.
- Vulnerability exploitation: Exploiting vulnerable software running on public-facing servers.
- Secondary infections: Leveraging pre-existing botnets in order to gain a foothold on the victim’s network.
- Poorly secured services: Attacking organizations through poorly secured RDP services, taking advantage of leaked or weak credentials.
Protecting against ransomware with Symantec Endpoint Protection
Most of the features that protect against ransomware in Symantec Endpoint Protection are enabled by default. For more information on which features protect your environment, see:
Best practices to mitigate ransomware
Hardening Your Environment Against Ransomware
In addition to enabling SEP protection, follow additional steps to avoid ransomware infection.
1. Protect your local environment
2. Protect your email system
3. Make backups
Regularly back up the files on both the clients and servers. Either back up the files when the computers are offline or use a system that networked computers and servers cannot write to. If you do not have dedicated backup software, you can also copy the important files to removable media. Then eject and unplug the removable media; do not leave the removable media plugged in.
Lock down mapped network drives by securing them with a password and access control restrictions. Use read-only access for files on network drives, unless it is absolutely necessary to have write access for these files. Restricting user permissions limits which files the threats can encrypt.
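As an added example (not part of this documentation), the following PowerShell script audits the SMB shares on a Windows file server against the read-only guidance above, flagging any non-administrative share that grants Change or Full control to broad groups; the list of principals is an assumption you should adapt to your domain.

```powershell
# Added example, not Symantec code: audit local SMB shares for write access
# granted to broad principals. Assumes Windows Server 2012 or later (SmbShare
# module) and an elevated session. The principal list is an assumption.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    '*\Domain Users'          # wildcard: the Domain Users group of any domain
)

function Test-BroadPrincipal([string]$Account) {
    foreach ($pattern in $BroadPrincipals) {
        if ($Account -like $pattern) { return $true }
    }
    return $false
}

# Skip special shares (ADMIN$, C$, IPC$); they are administrative by design.
$Findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        # Only Allow entries that grant write capability (Change or Full) matter.
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.AccessRight -in 'Change', 'Full' -and
            (Test-BroadPrincipal $ace.AccountName)) {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Account = $ace.AccountName
                Right   = $ace.AccessRight
            }
        }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    'No non-administrative share grants write access to broad groups.'
}
```

Share permissions are only one layer: the effective access is the more restrictive of the share ACL and the NTFS ACL on the folder, so a share that passes this check can still be writable for a given user only if NTFS also allows it, and a share flagged here may already be constrained by NTFS.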
What should you do if you get ransomware?
There is no ransomware removal tool. No security product can decrypt files that ransomware encrypts. Instead, if your client computers do get infected with ransomware and your data is encrypted, follow these steps:
- Do not pay the ransom. If you pay the ransom:
  - There is no guarantee that the attacker will supply a method to unlock your computer or decrypt your files.
  - The attacker uses the ransom money to fund additional attacks against other users.
- Isolate the infected computer before the ransomware can attack network drives to which it has access.
- Use Symantec Endpoint Protection Manager or SES to update the virus definitions and scan the client computers. New definitions are likely to detect and remediate the ransomware. Symantec Endpoint Protection Manager automatically downloads virus definitions to the client, as long as the client is managed and connected to the management server or cloud console.
  - In Symantec Endpoint Protection Manager, click Clients, right-click the group, and click Run a command on the group > Update Content and Scan.
  - In Symantec Endpoint Security, run the Scan Now command. See: Running commands on client devices
- Reinstall using a clean installation. If you restore encrypted files from a backup, you can get your restored data, but it is possible that other malware was installed during the course of the attack.
- Submit the malware to Symantec Security Response. If you can identify the malicious email or executable, submit it to Symantec Security Response. These samples enable Symantec to create new signatures and improve defenses against ransomware. See: