Symantec Endpoint Protection Ransomware Protection

What is ransomware?

Ransomware is a type of malware that encrypts documents and makes them inaccessible. The attackers demand that victims pay a ransom through specific payment methods; only then may they restore access to the data. Attackers use the following distribution methods to extort victim organizations:

  • Phishing: Emails to employees disguised as work-related correspondence.
  • Malvertising: Compromising media websites to serve malicious ads that deliver a JavaScript-based framework called SocGholish, which masquerades as a software update.
  • Exploiting vulnerabilities: Exploiting vulnerable software that runs on public-facing servers.
  • Secondary infection: Using pre-existing botnets to gain access to the victim’s network.
  • Inadequately secured services: Attacking companies through RDP services that are not properly secured, using weak or leaked credentials.

Symantec Endpoint Protection protects against ransomware

Symantec Endpoint Protection has many features that protect against ransomware. Most of these features are available by default. See: Symantec Endpoint Protection provides Ransomware Protection.

Ransomware prevention tips

Protecting Your Environment from Ransomware

1. Protect your local environment
  1. Make sure you are running the most recent version of PowerShell and that you have enabled PowerShell logging.
  2. Limit access to RDP services. Use multi-factor authentication and only allow RDP from known IP addresses. Use File Server Resource Manager to block the creation of files with known ransomware extensions on file shares that require user write access.
  3. Make a plan for notifying outside parties. Have a plan in place to verify that required organizations, such as the FBI or other law enforcement agencies, are notified correctly.
  4. Make a “jump bag” with hard copies and an archived soft copy of all important administrative information. Keep this information, together with the hardware and software needed to solve problems, in the bag so that it cannot be compromised. Do not store it on the network: once network files are encrypted, you will not be able to reach it. Audit and control the use of administrative accounts. To prevent theft or misuse of admin credentials, you can also use one-time credentials for administrative work.
  5. Create usage profiles for admin tools (who runs them, and where). Attackers use these tools to move laterally through a network unnoticed. An account with a history of running PsInfo/PsExec as an administrator on a few systems is probably fine; a service account running PsInfo/PsExec across all systems is suspect.
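The usage profile in step 5 can be built from the trace PsExec leaves on every target: it installs a service named PSEXESVC, which the System event log records as event ID 7045. The script below is an added example, not code from Symantec or from the original page. It groups those installs by account and flags accounts that touched more hosts than a normal admin would; the `$sample` events and the three-host threshold are constructed for the demo, and `Get-PsExecInstallEvents` shows how the same records would be read from real logs on a collector.

```powershell
# Added example (not from the Symantec page): profile PsExec use from "service installed"
# events (System log, event ID 7045, service name PSEXESVC) and flag accounts that install
# it on an unusual number of hosts in a short window.

function Find-PsExecSpread {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Time, Computer, Account, ServiceName
        [int] $MaxHosts    = 3,                      # more distinct hosts than this in the window is suspect (constructed baseline)
        [int] $WindowHours = 24
    )
    $cutoff = (Get-Date).AddHours(-$WindowHours)
    $Events |
        Where-Object { $_.ServiceName -eq 'PSEXESVC' -and $_.Time -ge $cutoff } |
        Group-Object -Property Account |
        ForEach-Object {
            $hosts = @($_.Group | Select-Object -ExpandProperty Computer | Sort-Object -Unique)
            [pscustomobject]@{
                Account   = $_.Name
                HostCount = $hosts.Count
                Hosts     = ($hosts -join ',')
                Suspect   = ($hosts.Count -gt $MaxHosts)
            }
        } |
        Sort-Object -Property HostCount -Descending
}

function Get-PsExecInstallEvents {
    # Reads real 7045 events from the local System log. Run on a collector that receives
    # forwarded System logs so that installs on every endpoint are visible in one place.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $svc = if ($_.Message -match 'Service Name:\s+(\S+)') { $Matches[1] } else { '' }
            $who = if ($_.UserId) { $_.UserId.Value } else { 'unknown' }   # SID of the account that installed the service
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Computer    = $_.MachineName
                Account     = $who
                ServiceName = $svc
            }
        }
}

# Constructed sample: an admin touching two workstations over an afternoon (expected) and a
# service account installing PSEXESVC on five servers within an hour (the pattern in the text).
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Time = $now.AddHours(-5);    Computer = 'WS01';  Account = 'CORP\jdoe';       ServiceName = 'PSEXESVC' }
    [pscustomobject]@{ Time = $now.AddHours(-4);    Computer = 'WS02';  Account = 'CORP\jdoe';       ServiceName = 'PSEXESVC' }
    [pscustomobject]@{ Time = $now.AddMinutes(-50); Computer = 'SRV01'; Account = 'CORP\svc-backup'; ServiceName = 'PSEXESVC' }
    [pscustomobject]@{ Time = $now.AddMinutes(-40); Computer = 'SRV02'; Account = 'CORP\svc-backup'; ServiceName = 'PSEXESVC' }
    [pscustomobject]@{ Time = $now.AddMinutes(-30); Computer = 'SRV03'; Account = 'CORP\svc-backup'; ServiceName = 'PSEXESVC' }
    [pscustomobject]@{ Time = $now.AddMinutes(-20); Computer = 'SRV04'; Account = 'CORP\svc-backup'; ServiceName = 'PSEXESVC' }
    [pscustomobject]@{ Time = $now.AddMinutes(-10); Computer = 'SRV05'; Account = 'CORP\svc-backup'; ServiceName = 'PSEXESVC' }
    [pscustomobject]@{ Time = $now.AddMinutes(-5);  Computer = 'SRV05'; Account = 'CORP\svc-backup'; ServiceName = 'Spooler'  }  # unrelated install, ignored
)

Find-PsExecSpread -Events $sample | Format-Table -AutoSize
```

On the constructed sample the service account is reported as `Suspect` with five hosts while the admin account, with two, is not. Against real data, replace `$sample` with `Get-PsExecInstallEvents` and set `$MaxHosts` from what your own administrators normally do; the threshold is the profile, so review it when a legitimate tool rollout is planned.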
2. Protect your email system
  1. To protect against credentials compromised in phishing attacks, enable two-factor authentication (2FA).
  2. Design a security architecture for your email system that reduces the spam reaching end users’ inboxes, and follow best practices for email systems, including SPF and other defenses against phishing attacks.
3. Back up your data
  Back up the files on clients and servers regularly. Either back up files offline, or use a backup system that servers and computers on the network cannot reach. If you do not have backup software, copy important files to removable media, then remove and unplug the media. Do not leave removable media plugged in.

  1. Set up offsite backup storage. Arrange offsite storage for at least four weeks’ worth of daily full and incremental backups.
  2. Create offline backups. To prevent ransomware from encrypting your backups, make sure they are not connected to any network; keeping them disconnected from every network is the best way to stop ransomware from reaching them.
  3. Test and verify your server-level backup system.
  4. Encrypt your backups and secure their file-level permissions.
  5. Check restore capability. Make sure your restore capabilities meet the needs of your business.
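Steps 3 and 5 (test the backup system, check restore capability) are worth automating, because a backup that ransomware has already reached looks like a backup until you try to restore it. The script below is an added example, not code from Symantec or from the original page: it compares every source file with its copy in the backup set by SHA-256 hash, reports the age of the newest backup file, and runs stand-alone against a source and backup tree it constructs in a temp folder (one backup copy is overwritten to simulate a copy that was encrypted in place). Point `Test-BackupSet` at real paths in use.

```powershell
# Added example (not from the Symantec page): verify a backup set is restorable by hashing
# every source file against its backup copy and checking that the backup is recent.

function Test-BackupSet {
    param(
        [Parameter(Mandatory)] [string] $SourcePath,
        [Parameter(Mandatory)] [string] $BackupPath,
        [int] $MaxAgeHours = 24       # newest backup file older than this means the job is not running
    )
    $sep  = [IO.Path]::DirectorySeparatorChar
    $base = (Resolve-Path -LiteralPath $SourcePath).Path.TrimEnd($sep) + $sep
    $files = foreach ($src in Get-ChildItem -LiteralPath $SourcePath -Recurse -File) {
        $rel  = $src.FullName.Substring($base.Length)        # path relative to the source root
        $copy = Join-Path $BackupPath $rel
        $status = if (-not (Test-Path -LiteralPath $copy)) { 'Missing' }
                  elseif ((Get-FileHash -LiteralPath $src.FullName -Algorithm SHA256).Hash -ne
                          (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash) { 'Mismatch' }   # changed since backup, or copy tampered/encrypted
                  else { 'OK' }
        [pscustomobject]@{ File = $rel; Status = $status }
    }
    $newest = Get-ChildItem -LiteralPath $BackupPath -Recurse -File |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $age   = if ($newest) { (Get-Date) - $newest.LastWriteTime } else { $null }
    $stale = (-not $newest) -or ($newest.LastWriteTime -lt (Get-Date).AddHours(-$MaxAgeHours))
    [pscustomobject]@{
        Files      = $files
        Restorable = (@($files | Where-Object Status -ne 'OK').Count -eq 0)
        BackupAge  = $age
        Stale      = $stale
    }
}

# Constructed demo data in a temp folder: a source tree, a "backup job" (plain copy), and
# one backup copy overwritten to simulate ransomware reaching the backup location.
$root   = Join-Path ([IO.Path]::GetTempPath()) ("backup-demo-" + [guid]::NewGuid())
$source = Join-Path $root 'source'
$backup = Join-Path $root 'backup'
New-Item -ItemType Directory -Path (Join-Path $source 'finance') -Force | Out-Null
'id,amount', '1,100' | Set-Content -LiteralPath (Join-Path (Join-Path $source 'finance') 'ledger.csv')
'quarterly plan'     | Set-Content -LiteralPath (Join-Path $source 'plan.txt')
Copy-Item -LiteralPath $source -Destination $backup -Recurse
'ENCRYPTED' | Set-Content -LiteralPath (Join-Path $backup 'plan.txt')

$report = Test-BackupSet -SourcePath $source -BackupPath $backup
$report.Files | Format-Table -AutoSize
"Restorable: $($report.Restorable)  Stale: $($report.Stale)  Age: $($report.BackupAge)"
Remove-Item -LiteralPath $root -Recurse -Force
```

In the demo `ledger.csv` verifies and `plan.txt` is reported as `Mismatch`, so `Restorable` is false even though the backup is fresh; that is the case a restore test exists to catch. For an offline backup set, run the check immediately after the media is connected and before it is unplugged again.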

Lock down mapped network drives with passwords and access restrictions. Where write access is not needed, give users read-only access to files on network drives. Limiting user rights limits the files that a threat can encrypt.
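The local-environment controls from the list above (PowerShell logging, restricting RDP, a File Server Resource Manager screen for ransomware extensions) and the read-only share permissions just described can all be applied from PowerShell on the file server. The script below is an added example, not code from Symantec or from the original page; it must run as administrator on a Windows server with the File Server Resource Manager feature installed. The admin subnet 10.10.0.0/24, the share path D:\Shares and share name Docs, the group CORP\Staff, and the extension list are all assumed values, and the extension list is illustrative only and should be maintained from your own threat intelligence.

```powershell
# Added example (not from the Symantec page): apply the local-environment hardening
# steps on a Windows file server. All names, addresses and patterns below are assumptions.

# 1. PowerShell: warn on old versions, then enable script block and module logging by
#    writing the same registry values the corresponding Group Policy settings write.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    Write-Warning "PowerShell $($PSVersionTable.PSVersion) is outdated; update it before relying on its logging."
}
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*'   # log every module

# 2. RDP: require Network Level Authentication and scope the built-in Remote Desktop
#    firewall rules so that only the known admin subnet can reach the service.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                 -Name UserAuthentication -Value 1 -Type DWord
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress '10.10.0.0/24'   # assumed admin subnet

# 3. FSRM file screen: refuse writes of files with known ransomware extensions on the share
#    and raise a Warning event when a user (or malware running as that user) tries.
Import-Module FileServerResourceManager
$patterns = @('*.locked', '*.encrypted', '*.crypt', '*README_TO_DECRYPT*')   # illustrative list only
New-FsrmFileGroup -Name 'Ransomware extensions' -IncludePattern $patterns | Out-Null
$alert = New-FsrmAction -Type Event -EventType Warning `
         -Body 'Blocked write of [Source File Path] by [Source Io Owner] on [File Screen Path]'
New-FsrmFileScreen -Path 'D:\Shares' -IncludeGroup 'Ransomware extensions' -Active -Notification $alert | Out-Null

# 4. Share permissions: remove the broad grant and give staff read-only access; users who
#    genuinely need write access get a separate, explicit grant for their own group.
Revoke-SmbShareAccess -Name 'Docs' -AccountName 'Everyone' -Force
Grant-SmbShareAccess  -Name 'Docs' -AccountName 'CORP\Staff' -AccessRight Read -Force
Get-SmbShareAccess    -Name 'Docs'
```

The file screen is an active screen, so a write of a matching name fails outright and the Warning event gives the detection team the source path and owner to act on; the read-only share grant limits what an infected workstation can encrypt even where no screen matches, which is the point of the paragraph above. Keep multi-factor authentication on the RDP gateway in front of these rules, since the firewall scope only narrows where connections may come from.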

What can you do if you are hit by ransomware?

No ransomware removal tools are available, and ransomware encryption cannot be decrypted. If your clients’ computers are infected by ransomware and your data is encrypted as a result, take the following steps:

  1. Don’t pay the ransom.
  2. Isolate the infected computer before the ransomware attacks network drives.
  3. Use Symantec Endpoint Protection Manager (or SES) to update virus definitions and scan client computers. New definitions may detect and remediate the ransomware. Symantec Endpoint Protection Manager or SES downloads the virus definitions to clients automatically as long as they are connected to the management server.
    • In Symantec Endpoint Protection Manager, click Clients. Right-click the group and click Run command on it > Update Content and Scanning.
    • Run the Symantec Endpoint Security Scan Now command. See: Running commands for client devices.
  4. Reinstall from a clean installation. You can restore encrypted files from a backup to get your data back, but malware may also have been installed during the attack.
  5. Submit the malware to Symantec Security Response. If you can identify the executable or the malicious email, contact Symantec Security Response. These samples allow Symantec Security Response to identify the ransomware and create new signatures. See: Symantec Insider Tip – Successful Submissions.
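Step 2 (isolate the infected computer before it reaches network drives) conflicts with step 3 (have the management server push definitions and scan) unless the isolation leaves the management channel open. The script below is an added example, not code from Symantec or from the original page, of an isolation that does exactly that on the infected Windows host, run as administrator. The management server address 10.10.0.5, the jump host 10.10.0.20 and the log path are assumed values; port 8014 is the product's default client communication port, so adjust it if your deployment uses another.

```powershell
# Added example (not from the Symantec page): isolate an infected Windows host while
# leaving Symantec Endpoint Protection Manager traffic and one IR admin path open.
$ManagementServer = '10.10.0.5'      # assumed SEPM address
$ManagementPorts  = @(8014, 443)     # 8014 is SEPM's default client port; 443 if HTTPS is used
$JumpHost         = '10.10.0.20'     # assumed incident-response workstation allowed to RDP in
$LogFile          = Join-Path $env:ProgramData 'ir-isolation.log'   # assumed location

# 1. Cut the host off from file shares first: drop every mapped drive, so an encryptor
#    still running cannot keep walking network drives while the rest is applied.
Get-SmbMapping -ErrorAction SilentlyContinue | Remove-SmbMapping -Force -UpdateProfile

# 2. Default-deny in both directions on every profile. Explicit allow rules still apply,
#    which is what the next step relies on.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# 3. Allow only what the response needs: outbound to the management server (so it can push
#    definitions and run Update Content and Scan) and inbound RDP from the jump host.
New-NetFirewallRule -DisplayName 'IR-isolation: SEP management' -Direction Outbound -Action Allow `
                    -Protocol TCP -RemoteAddress $ManagementServer -RemotePort $ManagementPorts | Out-Null
New-NetFirewallRule -DisplayName 'IR-isolation: RDP from jump host' -Direction Inbound -Action Allow `
                    -Protocol TCP -LocalPort 3389 -RemoteAddress $JumpHost | Out-Null

# 4. Disable every other inbound allow rule (the built-in Remote Desktop rules included), but
#    keep Core Networking so DHCP replies and similar housekeeping still get through.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -notlike 'IR-isolation*' -and $_.DisplayGroup -ne 'Core Networking' } |
    Disable-NetFirewallRule

# 5. Record what was done and when, for the incident timeline.
$stamp = Get-Date -Format o
Add-Content -Path $LogFile -Value "$stamp isolated $env:COMPUTERNAME; management=$ManagementServer jump=$JumpHost"
Write-Host "Isolated $env:COMPUTERNAME. Management traffic to $ManagementServer and RDP from $JumpHost remain open."
```

Outbound allow rules that already exist (Core Networking, the SEP client's own rules) stay in force, so name resolution keeps working; everything else the host tries to reach, including any file share it is not currently mapped to, is dropped by the default outbound action. Reverting is `Set-NetFirewallProfile -All -DefaultOutboundAction Allow`, removing the two IR-isolation rules and re-enabling the rules disabled in step 4, which should happen only after the clean reinstall in step 4 of the list above.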