Symantec Endpoint Protection - Ransomware


What is Ransomware?

Ransomware is a category of malware that sabotages documents and makes them unusable, while the computer user can still access the computer. Ransomware attackers force their victims to pay a ransom through specifically noted payment methods, after which they may grant the victims access to their data. Unfortunately, removal tools cannot decrypt files that ransomware has encrypted.

CryptoLocker and WannaCry are ransomware variants in which the malware encrypts a user's files and often deletes the original copy. The attacker demands a ransom to decrypt the files. Not only are files on the local computer damaged, but also the files on any shared or attached network drives to which the computer has write access.

What are best practices for protecting against ransomware?

1. Back up your computers and servers regularly.

Regularly back up the files on both the client computers and servers. Either back up the files while the computers are offline, or use a backup system that networked computers and servers cannot write to. If you do not have dedicated backup software, you can also copy the important files to removable media. Then eject and unplug the removable media; do not leave it plugged in.


2. Lock down mapped network drives by securing them with a password and access control restrictions.

Use read-only access for files on network drives, unless it is absolutely necessary to have write access for these files. Restricting user permissions limits which files the threats can encrypt.
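One way to check the share-level side of this practice, as an added example that is not part of the Symantec article: the PowerShell script below lists SMB shares on a Windows file server whose share permissions grant Change or Full access to broad groups, and optionally downgrades those entries to Read. The `$BroadPrincipals` list is a constructed example for illustration; adjust it to the groups in your environment. The `SmbShare` cmdlets it uses ship with Windows Server 2012 / Windows 8 and later, and NTFS permissions on the share path still need a separate review.

```powershell
# Added example (not from the Symantec article): audit SMB shares on this
# host for write access granted to broad principals, which is what lets
# ransomware on one workstation encrypt files on a mapped drive.
# Assumptions: run elevated on a Windows file server that has the SmbShare
# module; $BroadPrincipals is a constructed list and should match your
# environment. Run with -Remediate to downgrade those entries to Read.

[CmdletBinding()]
param(
    [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'),
    [switch]$Remediate
)

# Skip administrative shares (C$, ADMIN$, IPC$); they are flagged as Special.
$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        $broad    = $BroadPrincipals -contains $ace.AccountName
        $writable = $ace.AccessRight -in @('Change', 'Full')
        if ($ace.AccessControlType -eq 'Allow' -and $broad -and $writable) {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Account = $ace.AccountName
                Access  = $ace.AccessRight
            }
        }
    }
}

if (-not $findings) { Write-Host 'No broadly writable shares found.'; return }
$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        # Share-level ACL only: replace the Change/Full entry with Read.
        # NTFS ACLs on $f.Path still apply and may need the same review.
        Revoke-SmbShareAccess -Name $f.Share -AccountName $f.Account -Force | Out-Null
        Grant-SmbShareAccess  -Name $f.Share -AccountName $f.Account -AccessRight Read -Force | Out-Null
        Write-Host "Set $($f.Account) on \\$env:COMPUTERNAME\$($f.Share) to Read"
    }
}
```

Run it without `-Remediate` first and review the findings, since some shares (for example a drop folder that users must write to) legitimately need Change access.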


3. Deploy and enable the following protections from Symantec Endpoint Protection Manager.

· IPS

IPS blocks some threats that traditional virus definitions alone cannot stop. IPS is the best defense against drive-by downloads, which occur when software is unintentionally downloaded from the Internet. Attackers often use exploit kits to deliver a web-based attack like CryptoLocker through a drive-by download.


· SONAR

SONAR's behavior-based protection is another crucial defense against malware. SONAR prevents executables with the double file extensions used by ransomware variants like CryptoLocker from running.


· Download Insight

Modify Download Insight in a Virus and Spyware - High Security policy to quarantine files that the Symantec customer base has not yet proven to be safe.


4. Download the latest patches for web application frameworks, web browsers, and web browser plug-ins.

Exploit kits cannot deliver drive-by downloads unless there is an old version of a plug-in, such as Flash, to exploit. Historically, attacks were delivered through phishing and web browsers. More recently, attacks are increasingly delivered through vulnerable web applications, such as JBoss, WordPress, and Joomla.


5. Use an email security product to handle email safely.

CryptoLocker is often spread through spam emails that contain malicious attachments. Scanning inbound emails for threats with a dedicated mail security product or service is critical to keep ransomware and other malware out of your organization.


Symantec Endpoint Protection 14.0 Against the Latest Ransomware, WannaCry

Symantec Endpoint Protection (SEP) and Norton have proactively blocked any attempt to exploit the vulnerabilities used by WannaCry, meaning customers were fully protected before WannaCry first appeared. SEP 14 Advanced Machine Learning proactively blocked all WannaCry infections on day zero, without any updates.

The Blue Coat Global Intelligence Network (GIN) provides automatic detection to all enabled products for web-based infection attempts.

Symantec and Norton customers are automatically protected against WannaCry using a combination of technologies. Proactive protection was provided by:

•   IPS network-based protection

•   SONAR behavior detection technology

•   Advanced Machine Learning

•   Intelligent Threat Cloud

Customers should have these technologies enabled for full proactive protection. SEP customers are advised to migrate to SEP 14 to take advantage of the proactive protection provided by Advanced Machine Learning signatures.

Network-based protection

Symantec has the following IPS protection in place to block attempts to exploit the MS17-010 vulnerability:

OS Attack: Microsoft SMB MS17-010 Disclosure Attempt (released May 2, 2017)

Attack: Shellcode Download Activity (released April 24, 2017)

SONAR behavior detection technology

• SONAR.AM.E.!g18

• SONAR.AM.E!g11

• SONAR.Cryptlk!g1

• SONAR.Cryptlocker!g59

• SONAR.Cryptlocker!g60

• SONAR.Cryptlocker!g80

• SONAR.Heuristic.159

• SONAR.Heur.Dropper

• SONAR.Heur.RGC!g151

• SONAR.Heur.RGC.CM!g13

• SONAR.Heuristic.158

• SONAR.Heuristic.161

• SONAR.SuspDataRun

• SONAR.SuspLaunch!g11

• SONAR.SuspLaunch!gen4

• SONAR.TCP!gen1

Advanced Machine Learning

• Heur.AdvML.A

• Heur.AdvML.B

• Heur.AdvML.D


For expanded protection and identification purposes, the following Antivirus signatures have been updated:

• Ransom.Wannacry

• Ransom.CryptXXX

• Trojan.Gen.8!Cloud

• Trojan.Gen.2

• Ransom.Wannacry!gen1

• Ransom.Wannacry!gen2

• Ransom.Wannacry!gen3

Customers should run LiveUpdate and verify that they have the following definition versions or later installed in order to ensure they have the most up-to-date protection:

• 20170512.009

The following IPS signature also blocks activity related to Ransom.Wannacry:

• System Infected: Ransom.Ransom32 Activity

Organizations should also ensure that they have the latest Windows security updates installed, in particular MS17-010, to prevent spreading.

End-User Awareness

• New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.

• Keep your operating system and other software updated. Software updates frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.

• Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.

• Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.

• Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However, organizations should ensure that backups are appropriately protected or stored off-line so that attackers can't delete them.

• Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to roll back to the unencrypted form.