Best practices in preventing Ransomware infection using OfficeScan and Worry-Free Business Security/Services (WFBS/WFBS-SVC)

Solution ID: 1099423
Last Updated: 2014/10/28, 4:04 AM (PST)


Product/Version: OfficeScan 10.0, 10.5, 10.6, 11.0; Worry-Free Business Security Services 5.7; Worry-Free Business Security Services for Dell 5.6; Worry-Free Business Security Standard/Advanced 8.0; Worry-Free Business Security Standard/Advanced 9.0
Platform: Windows 2003 Enterprise, 2003 Enterprise 64-bit, 2003 Standard, 2003 Standard 64-bit, 2008 Enterprise, 2008 Standard, 7 32-bit, 7 64-bit, 8 32-bit, 8 64-bit, Vista 32-bit, Vista 64-bit, XP Professional

Problem Description

What is Ransomware?
Ransomware is a class of malware that holds a computer "hostage" until the user pays a particular amount or follows specific instructions. Once executed, the ransomware restricts access to the system. Some variants also repeatedly display messages that pressure users into paying the "ransom" or performing the desired action. Other variants encrypt files found on the system's hard drive, so that users are forced to pay in order to decrypt the important or critical files the ransomware has altered.
Cybercriminals behind this threat make use of online payment methods such as Ukash, PaySafeCard, MoneyPAK or Bitcoin as the way for users to pay the ransom.
More information can be found here:
This article contains recommended practices for preventing ransomware-type malware from infecting machines on your network.
This malware is also known as:
  • Trojan:Win32/Crilock.A
  • Trojan-Ransom.Win32.Blocker.cgmz
  • TROJ_RANSOM
  • TROJ_CRILOCK
  • Cryptolocker
  • Trojan-Ransom.Win32.Foreign.acc
  • Trojan.Ransom.FH
  • Trojan:Win32/Ransom.GT

Solution


OfficeScan

Prevention
  1. Implementing OSCE's "Best Practice" configuration against malware threats is very important in preventing this malware from getting onto the machine/network. View the guide here.
    Highlights:
    1. SmartScan has larger coverage and is updated frequently. Newer ransomware samples are processed and pushed to cloud updates much faster than with the traditional scan method.
    2. Enable Web Reputation Services (WRS) and make sure it is implemented for both INTERNAL and EXTERNAL networks. This blocks infection vectors as well as communication vectors.
    3. Enable Behavior Monitoring, as it proactively detects threats through behavior analysis. It also has a feature that prompts users before executing a "newly encountered" file, which is a very common characteristic of ransomware.
      Note: The "newly encountered" file prompt feature is only available on OSCE 10.6 with Service Pack 3.
    4. Enable Smart Feedback. The Trend Micro Smart Protection Network provides a feedback mechanism that minimizes the effort of threat harvesting, analysis and resolution. It not only helps increase the detection rate but also provides a quick real-world view of threats, and it helps ensure customers get the latest protection in the shortest possible time.
  2. Make sure that you have a mail scanning solution implemented on your network. Several ransomware variants were found to have arrived through spam emails as a malicious attachment.
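The two Behavior Monitoring ideas in the highlights above (behavior analysis and the "newly encountered" file prompt) can be illustrated with a small, self-contained heuristic. This is an added example written for this article and is not Trend Micro's Behavior Monitoring implementation: it runs over constructed file-event records (timestamp, process, operation, path) and flags a process that touches many distinct user files within a short window, the pattern produced by bulk file encryption, and it keeps a simple "seen hashes" set to decide whether an executable is newly encountered. Process names, paths and thresholds are all invented for the sample.

```python
"""Toy behavior-analysis heuristic (added illustration, not product code).

Flags a process that writes, renames or deletes an unusually large number of
distinct files inside a sliding time window, and tracks whether an executable
has been seen before (the "newly encountered file" idea).
"""
import hashlib
from collections import defaultdict, deque


def build_sample_events():
    """Constructed file-event records: (timestamp_sec, process, operation, path)."""
    events = []
    # Benign: a word processor repeatedly saving the same document.
    for i in range(6):
        events.append((float(i), "winword.exe", "write",
                       r"C:\Users\bob\Documents\report.docx"))
    # Constructed suspicious activity: one unknown process renaming 15
    # different files to a new extension within about four seconds.
    for i in range(15):
        events.append((3.0 + i * 0.25, "unknown_dl.exe", "rename",
                       r"C:\Users\bob\Pictures\img%02d.jpg.encrypted" % i))
    return sorted(events)


def max_distinct_files_in_window(events, window_seconds):
    """Per process, the peak number of distinct files modified in any window."""
    per_proc = defaultdict(list)
    for ts, proc, op, path in events:
        if op in ("write", "rename", "delete"):
            per_proc[proc].append((ts, path))
    peaks = {}
    for proc, items in per_proc.items():
        items.sort()
        window = deque()            # events currently inside the window
        counts = defaultdict(int)   # path -> occurrences inside the window
        best = 0
        for ts, path in items:
            window.append((ts, path))
            counts[path] += 1
            # Drop events that fell out of the window.
            while window and ts - window[0][0] > window_seconds:
                old_ts, old_path = window.popleft()
                counts[old_path] -= 1
                if counts[old_path] == 0:
                    del counts[old_path]
            best = max(best, len(counts))
        peaks[proc] = best
    return peaks


def find_suspicious_processes(events, window_seconds=10.0, min_distinct_files=10):
    """Processes whose peak distinct-file count reaches the threshold."""
    peaks = max_distinct_files_in_window(events, window_seconds)
    return {proc: n for proc, n in peaks.items() if n >= min_distinct_files}


def is_newly_encountered(file_bytes, seen_hashes):
    """True the first time a given executable's SHA-256 is seen; records it."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    new = digest not in seen_hashes
    seen_hashes.add(digest)
    return new


if __name__ == "__main__":
    print(find_suspicious_processes(build_sample_events()))
    seen = set()
    sample_exe = b"MZ constructed sample bytes"
    print(is_newly_encountered(sample_exe, seen), is_newly_encountered(sample_exe, seen))
```

The window length and file-count threshold are deliberately simple; a real product layers many such signals. The point of the sample is that a process editing one document many times looks nothing like a process rewriting dozens of different files in seconds, which is why behavior analysis can catch a sample before a signature exists for it.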
Cleanup/Sample Collection
If OSCE was unable to remove the ransomware infection from a machine, use the separate "AntiRansomware Tool". Instructions on how to use it can be found here.
You may also use the ATTK Tool to clean and/or collect malicious samples so that you can submit them to Technical Support for further checking. The ATTK Tool can be deployed via the OSCE Toolbox for ease and convenience.


WFBS/WFBS-SVC

Prevention
  1. Implementing the WFBS Best Practice configuration against malware threats is very important in preventing this malware from getting onto the machine/network.
    Highlights:
    • SmartScan has larger coverage and is updated very frequently. Newer ransomware samples are processed and pushed to cloud updates much faster than with the traditional scan method.
    • Enable scanning of POP3 messages to prevent malicious attachments from entering and eventually infecting the machine.
    • Enable Web Reputation Services (WRS) and make sure it is implemented for both In-Office and Out-of-Office networks. This blocks infection vectors as well as communication vectors.
    • Enable Behavior Monitoring, as it proactively detects threats through behavior analysis, adding an extra layer of protection on the machine.
    • Enable Smart Feedback. The Trend Micro Smart Protection Network provides a feedback mechanism that minimizes the effort of threat harvesting, analysis and resolution. It not only helps increase the detection rate but also provides a quick real-world view of threats, and it helps ensure customers get the latest protection in the shortest possible time.
  2. Make sure that you have a mail scanning solution implemented on your network (IMSVA, SMEX, HES, etc.). Several ransomware variants were found to have arrived through spam emails as a malicious attachment.
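Both the OfficeScan and the WFBS sections recommend mail scanning because the attachment is the infection vector. The following added example (written for this article, not code from Trend Micro or from any of the mail products named above) shows the kind of check such a gateway performs: it parses a raw MIME message with Python's standard `email` library, looks at every attachment's filename for executable or double extensions, and opens ZIP attachments to apply the same check to their members. The sample message, addresses, filenames and extension list are all constructed for the demonstration.

```python
"""Attachment policy check over a MIME message (added illustration).

Uses only the Python standard library. Flags executable attachments, the
"document.pdf.exe" double-extension trick, and executables hidden inside a
ZIP attachment. Everything here is constructed sample data, not real mail.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed list of extensions treated as executable for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def suspicious_name(filename):
    """Return a reason string if the filename looks executable, else None."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3:
        return "executable with double extension: " + filename
    return "executable attachment: " + filename


def inspect_message(raw_bytes):
    """Parse a raw RFC 5322 message and list policy findings for attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        reason = suspicious_name(fname)
        if reason:
            findings.append(reason)
        payload = part.get_payload(decode=True) or b""
        # Look inside ZIP containers, a common wrapper for mailed executables.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    inner = suspicious_name(member)
                    if inner:
                        findings.append("inside %s: %s" % (fname, inner))
    return findings


def build_sample_message():
    """Constructed message: a ZIP holding 'invoice.pdf.exe' plus a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ not a real program, constructed sample")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print(finding)
```

A filename check is the cheapest layer and is easily evaded (renamed files, nested or password-protected archives), so a real mail scanner also inspects content and reputation; the example is meant to show why scanning has to look inside containers rather than only at the outer attachment name.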
Cleanup and sample collection
If WFBS was unable to remove the ransomware infection from a machine, you can use the separate AntiRansomware Tool.
You may also use the ATTK Tool to clean and/or collect malicious samples so that you can submit them to Trend Micro Technical Support for further checking.
