Protection Against Ransomware - Symantec

Internet Security Threat Report VOLUME 21, APRIL 2016

Encryption is now used as a weapon, holding companies’ and individuals’ critical data hostage

Pay R a n s o m

B ac k

Crypto- Ransomware as Percentage of All Ransomware Misleading Apps

FakeAV

P u r c h as e

Although the chart indicates a steady decline in traditional ransomware in 2015, crypto-ransomware now accounts for the majority of all ransomware.

Crypto-Ransomware

Lockers

100%

0%

’05

’06

’07

’08

’09

Growing Dominance of Crypto-Ransomware All-Ransomware

’10

’11

’12

’13

’14

’15

Percentage of new families of misleading apps, fake security software (Fake AV), locker-ransomware, and crypto-ransomware

Crypto-Ransomware

Crypto-Ransomware as % of All Ransomware

100%

Thousands

600 500 400

50%

300 200 100 2015

JAN

FEB

MAR

APR

MAY

JUN

JUL

AUG

SEP

OCT

NOV

DEC

0%

Protection Against Ransomware Steps for preventing ransomware

Back up your computers and servers regularly. Regularly back up files on both the client computers and servers. Either back up the files when the computers are offline or use a system that networked computers and servers can’t write to.

Lock down mapped network drives.

If you don't have dedicated backup software, you can copy important files to a removable media. Be sure to eject and unplug the removable media when you're done.

Secure them with a password and access control restrictions. Use read-only access for files on network drives, unless it’s absolutely necessary to have write access for these files. Restricting user permissions limits which files the threats can encrypt.

Deploy and enable all Symantec Endpoint Protection technologies. IPS blocks some threats that traditional virus definitions alone cannot stop. SONAR provides real-time protection, using heuristics and reputation data, to detect emerging and unknown threats.

Download the latest patches and plug-ins.

Insight quarantines questionable files that haven’t been proven safe yet by the Symantec customer base.

Attacking exploit kits can’t exploit vulnerabilities that have been patched. Historically, attacks were delivered through phishing and web browsers.

Use an email security product to handle email safely.

In the future, it’s likely we’ll see more attacks delivered through vulnerable web applications, such as JBOSS, WordPress, and Joomla.

Ransomware threats are often spread through spam emails that contain malicious attachments. Scanning inbound emails for threats with a dedicated mail security product or service is critical to keep ransomware and other malware out of your organization. For more information, see: Symantec.com/connect/articles/supportperspective-w97mdownloader-battle-plan

How do I remove ransomware? In almost all cases, ransomware encryption can’t be broken. If your client computers get infected with ransomware and your data is encrypted, follow the steps below.

Don’t pay the ransom. If you pay the ransom: ● There’s no guarantee that the attacker will supply a method to unlock your computer or decrypt your files.

Isolate the infected computer.

● The attacker will likely use your ransom money to fund attacks against other users.

Do this before the ransomware can attack accessible network drives.

Restore damaged files from a known good backup. As with other security products, Symantec Endpoint Protection cannot decrypt the files that ransomlockers have sabotaged.

Submit the malware to Security Response. If you can identify the malicious email or executable, submit it to Symantec Security Response: Symantec.com/security_response

Use Symantec Endpoint Protection (SEP) Manager

These samples enable Symantec to create new signatures and improve defenses against ransomware.

New definitions are likely to detect and remediate the ransomlockers. Symantec Endpoint Protection Manager automatically downloads virus definitions to the client, as long as the client is managed and connected to the Symantec Endpoint Protection Manager.

DOWNLOAD THE FULL REPORT