Deep Security protection modules also contain ransomware-specific defense capabilities, which are listed below:
Intrusion Prevention (IPS)
Deep Security detects and prevents ransomware command and control (C&C) activity over the network. Instead of focusing on domains and IP addresses, these rules scan network traffic for known communication techniques used by ransomware.
Network File Share Protection
Trend Micro Deep Security provides the following Intrusion Prevention rules which specifically address the ransomware technique of encrypting files on mounted shares (Windows or Linux – Samba).
- Rule name: 1007596 - Identified Suspicious File Extension Rename Activity Over Network Share
This rule provides visibility into ransomware activity but in most cases does not prevent ransomware encryption activity. This rules monitors for known techniques that ransomware uses in changing file extensions (e.g. .zzz, .encryptedRSA, .crypt etc.). There’s a check for ~50 file extensions in the rule. The rule also provides an option to exclude and include certain file extensions to maximize the benefits of this rule The default settings for the rule are:- Detect-only
- Recommended on windows computers
- Rule Name: 1007598 - Identified Suspicious Rename Activity Over Network Share
This rule can be used to protect a server from clients infected with ransomware. This rule monitors and limits file change activity over the network. More specifically, this rule prevents the number of file renames in a specific period of time (N renames in T1 seconds results in limiting any rename activity for T2 seconds from the malicious source IP Address).- Detect-only
- Not recommended by default. The rule must be manually assigned.
- N=0, T1=0, T2=0 (no action by default)
- Rule Name: 1008679 - Identified BADRABBIT Ransomware Propagation Over SMB
This DPI rule blocks lateral movement of BADRABBIT Ransomware over SMB