Ransomware is a category of malware that sabotages documents and makes then unusable, but the computer user can still access the computer. Ransomware attackers force their victims to pay the ransom through specifically noted payment methods after which they may grant the victims access to their data. Unfortunately, ransomware decryption is not possible using removal tools.
Ransomlockers are a related type of malware that prevents users from accessing their devices or data by locking their computer. The victim receives a message that may appear to be from local law enforcement, demanding a "fine" to let victims avoid arrest and to unlock their computers.
CryptoLocker is a ransomware variant where malware often encrypts a user's files and often deletes the original copy. The attacker requests a ransom for the files to be unencrypted. Not only are files on the local computer damaged, but also the files on any shared or attached network drives to which the computer has write access.
To avoid ransomware infection, follow these steps:
Back up your computers and servers regularly.
Regularly back up the files on both the client computers and servers. Either back up the files when the computers are offline or use a system that networked computers and servers cannot write to. If you do not have dedicated backup software, you can also copy the important files to removable media. Then eject and unplug the removable media; do not leave the removable media plugged in.
Lock down mapped network drives by securing them with a password and access control restrictions.
Use read-only access for files on network drives, unless it is absolutely necessary to have write access for these files. Restricting user permissions limits which files the threats can encrypt.
Deploy and enable the following protections from Symantec Endpoint Protection Manager:
IPS blocks some threats that traditional virus definitions alone cannot stop. IPS is the best defense against drive-by downloads, which occurs when software is unintentionally downloaded from the Internet. Attackers often use exploit kits to deliver a web-based attack like CryptoLocker through a drive-by download.
SONAR's behavioral-based protection is another crucial defense against malware. SONAR prevents the double executable file names of ransomware variants like CryptoLocker from running.
In a Virus and Spyware Protection policy, click SONAR > Enable SONAR.
Modify Download Insight in a Virus and Spyware - High Security policy to quarantine the files that have not yet been proven to be safe by the Symantec customer base.
Download the latest patches for web application frameworks, web browsers, and web browser plug-ins.
Attacking exploit kits cannot deliver drive-by downloads unless there is an old version of a plug-in to exploit, such as Flash. Historically, attacks were delivered through phishing and web browsers. Recently, more attacks are delivered through vulnerable web applications, such as JBOSS, WordPress, and Joomla.
Use an email security product to handle email safely.
CryptoLocker is often spread through spam emails that contain malicious attachments. Scanning inbound emails for threats with a dedicated mail security product or service is critical to keep ransomware and other malware out of your organization. For important advice and recommendations, see:
There is no ransomware removal tool or CryptoLocker removal tool. Instead, if your client computers do get infected with ransomware and your data is encrypted, follow these steps:
Do not pay the ransom.
If you pay the ransom:
Isolate the infected computer before the ransomware can attack network drives to which it has access.
Use Symantec Endpoint Protection Manager to update the virus definitions and scan the client computers.
New definitions are likely to detect and remediate the ransomware. Symantec Endpoint Protection Manager automatically downloads virus definitions to the client, as long as the client is managed and connected to the Symantec Endpoint Protection Manager.
In Symantec Endpoint Protection Manager, click Clients, right-click the group, and click Run a command on the group > Update Content and Scan.
Restore damaged files from a known good backup.
As with other security products, Symantec Endpoint Protection cannot decrypt the files that ransomlockers have sabotaged.
Submit the malware to Symantec Security Response.
If you can identify the malicious email or executable, submit it to Symantec Security Response. These samples enable Symantec to create new signatures and improve defenses against ransomware.
For major ransomware incidents, engage the Symantec Global Incident Response team. They can help you validate that you have been attacked and help you to decide what to do next. See:
For help with an incident now:
Incident Response Hotline: (855) 378-0073