Ransomware mitigation and protection with
Symantec Endpoint Protection

What is ransomware?

Ransomware is a category of malware that encrypts documents, which makes them unusable, and leaves the rest of the computer accessible. Ransomware attackers try to force their victims to pay a ransom through specifically noted payment methods after which they may or may not grant the victims access to their data.
Targeted ransomware is more complex than the original ransomware attacks and involves more than just the initial infection. Attackers have found more ways of extorting victim organizations using the following range of distribution methods:
  • Phishing
    : Emails sent to employees disguised as work-related correspondence.
  • Malvertising
    : Compromising media websites in order to serve malicious ads containing a JavaScript-based framework known as SocGholish which masquerades as a software update.
  • Vulnerability exploitation
    : Exploiting vulnerable software running on public-facing servers.
  • Secondary infections
    : Leveraging pre-existing botnets in order to gain a foothold on the victim’s network.
  • Poorly secured services
    : Attacking organizations through poorly secured RDP services, taking advantage of leaked or weak credentials.

Protecting against ransomware with Symantec Endpoint Protection

Most of the features to protect against ransomware in Symantec Endpoint Protection, are enabled by default. For more information on which features protect your environment, see:

Best practices to mitigate ransomware

Hardening Your Environment Against Ransomware
In addition to enabling SEP protection, follow additional steps to avoid ransomware infection.
Steps to avoiding ransomware
1. Protect your local environment
  1. Ensure you have the latest version of PowerShell
    and that you have logging enabled.
  2. Restrict access to RDP services.
    Only allow RDP from specific known IP addresses, and ensure you are using multi-factor authentication. Use File Server Resource Manager (FSRM) to lock out the ability to write known ransomware extensions on file shares where user write access is required.
  3. Create a plan to consider notification of outside parties
    . In order to ensure correct notification of required organizations, such as the FBI or other law enforcement authorities/agencies, be sure to have a plan in place to verify.
  4. Create a “jump bag” with hard copies and archived soft copies of all critical administrative information
    . In order to protect against the compromise of the availability of this critical information, store it in a jump bag with hardware and software needed to troubleshoot problems. Storing this information on the network is not helpful when network files are encrypted. Implement proper audit and control of administrative account usage. You could also implement one-time credentials for administrative work to help prevent theft and usage of admin credentials.
  5. Create profiles of usage for admin tools
    . Many of these tools are used by attackers to move laterally undetected through a network. A user account that has a history of running as admin using PsInfo/PsExec on a small number of systems is probably fine, but a service account running PsInfo/PsExec on all systems is suspicious.
2. Protect your email system
  1. Enable two-factor authentication (2FA) to prevent compromise of credentials during phishing attacks.
  2. Harden security architecture around email systems
    to minimize the amount of spam that reaches end-user inboxes and ensure you are following best practices for your email system, including the use of SPF and other defensive measures against phishing attacks.
3. Make backups
Regularly back up the files on both the clients and servers. Either back up the files when the computers are offline or use a system that networked computers and servers cannot write to. If you do not have dedicated backup software, you can also copy the important files to removable media. Then eject and unplug the removable media; do not leave the removable media plugged in.
  1. Implement offsite storage of backup copies
    . Arrange for offsite storage of at least four weeks of weekly full and daily incremental backups.
  2. Implement offline backups that are onsite
    . Make sure you have backups that are not connected to the network to prevent them from being encrypted by ransomware. Removal is best done with the system off the networks to prevent any potential spread of the threat.
  3. Verify and test your server-level backup solution.
    This should already be part of your disaster recovery process.
  4. Secure the file-level permissions for backups and backup databases.
    Don’t let your backups get encrypted.
  5. Test restore capability.
    Ensure restore capabilities support the needs of the business.
  Lock down mapped network drives by securing them with a password and access control restrictions. Use read-only access for files on network drives, unless it is absolutely necessary to have write access for these files. Restricting user permissions limits which files the threats can encrypt.

What should you do if you get ransomware?

There is no ransomware removal tool. No security product can decrypt files that ransomware encrypts. Instead, if your client computers do get infected with ransomware and your data is encrypted, follow these steps:
  1. Do not pay the ransom.
    If you pay the ransom:
    • There is no guarantee that the attacker will supply a method to unlock your computer or decrypt your files.
    • The attacker uses the ransom money to fund additional attacks against other users.
  2. Isolate the infected computer before the ransomware can attack network drives to which it has access.
  3. Use
    Symantec Endpoint Protection Manager
    or SES to update the virus definitions and scan the client computers.
    New definitions are likely to detect and remediate the ransomware.
    Symantec Endpoint Protection Manager
    automatically downloads virus definitions to the client, as long as the client is managed and connected to the management server or cloud console.
    • In
      Symantec Endpoint Protection Manager
      , click
      , right-click the group, and click
      Run a command on the group
      Update Content and Scan
    • In Symantec Endpoint Security, run the
      Scan Now
      command. See:
      Running commands on client devices
  4. Reinstall using a clean installation.
    If you restore encrypted files from a backup, you can get your restored data but it's possible that other malware was installed during the course of the attack.
  5. Submit the malware to Symantec Security Response.
    If you can identify the malicious email or executable, submit it to Symantec Security Response. These samples enable Symantec to create new signatures and improve defenses against ransomware. See: