
Prevention Recommendations

  1. Make sure all machines have the WFBS agent installed and that the agent and pattern versions are up to date.
  2. Follow the best configuration practices in the following KB articles:

  3. Change the scan action of Real-Time Scan and Scheduled Scan from Active Action to Customized Action.

    For Real Time Scan

    1. Go to Devices.
    2. Select a group.
    3. Click Configure Policy. The Configure Policy: <group name> screen appears.
    4. Click Antivirus/Anti-spyware.
    5. Go to the Actions tab. Under For Malware Detections, tick Set action for Probable malware and set it to “Quarantine”.

    For Scheduled Scan

    1. Navigate to Scans > Scheduled Scan.
    2. Under the Settings tab, select a group.
    3. Go to the Actions tab. Under For Malware Detections, tick Set action for Probable malware and set it to “Quarantine”.

    For the Worry-Free Business Security Services console (Classic Mode or Advanced Mode)

    1. Go to the Configure Policy screen by performing one of the following:

      • Classic Mode: Go to SECURITY AGENTS and select a group. Click the Menu icon (three vertical dots) > Configure Policy.
      • Advanced Mode: Go to POLICIES > Policy Management. Click Add or click an existing policy.
    2. Click the Windows icon.
    3. Go to Scan Settings, then under Real-Time Scan or Scheduled Scan, select Configure Settings.
    4. Go to the Actions tab. Under Virus/Malware, change Active Action to Customized Action.
    5. Make sure that the action specified for “Probable Malware” is set to “Quarantine”.
    6. Apply the same settings to Manual Scan and Scheduled Scan as well.
  4. Provision Cloud App Security (TMCAS) to protect Exchange Online, SharePoint, and OneDrive using the recommended settings, if TMCAS is available.

    For detailed information, refer to the TMCAS Best Practice Guide (BPG).

  5. Network Best Practices.

    • Back up data regularly, keep offline backups, and verify the integrity of the backup process. Regular backups of critical data minimize the potential damage of an infection; keep that data in a secure location that lets the organization get back on its feet quickly. Practice the 3-2-1 rule: keep three copies of the data on two different media, with one copy stored offsite.

      Refer to the Trend Micro article: World Backup Day: The 3-2-1 Rule.
    • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
    • Use two-factor authentication and strong passwords.
    • Keep only the most up-to-date version of PowerShell and uninstall older versions. Disable PowerShell on endpoints that do not need it.
    • Adhere to the principle of least privilege, ensuring that users have the minimum level of access required to accomplish their duties. Limit administrative credentials to designated administrators.
    • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.
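    The following PowerShell is an added example, not part of the Trend Micro article. It inventories which PowerShell engines are present on a Windows endpoint and removes the legacy Windows PowerShell 2.0 engine, which lacks the script block logging and AMSI integration of later versions and is the usual target of the "uninstall older versions" recommendation. It uses only built-in cmdlets (DISM optional features on client SKUs, ServerManager on Windows Server) and must be run from an elevated Windows PowerShell 5.1 or later session.

```powershell
# Added example (not from the Trend Micro article): report installed PowerShell
# engines and remove the legacy Windows PowerShell 2.0 engine.
# Run from an elevated Windows PowerShell 5.1+ session.

function Get-PowerShellInventory {
    # Version of the engine running this script.
    $current = $PSVersionTable.PSVersion

    # On Windows 10/11 the v2 engine is an optional feature exposed through DISM.
    $v2Client = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root `
        -ErrorAction SilentlyContinue

    # On Windows Server it is a Windows feature managed by ServerManager.
    $v2Server = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $v2Server = Get-WindowsFeature -Name PowerShell-V2 -ErrorAction SilentlyContinue
    }

    # PowerShell 7+ installs side by side under Program Files\PowerShell\<major>.
    $pwshBuilds = Get-ChildItem -Path "$env:ProgramFiles\PowerShell" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CurrentEngine     = $current.ToString()
        V2EngineEnabled   = ($v2Client.State -eq 'Enabled') -or ($v2Server.Installed -eq $true)
        PowerShell7Builds = @($pwshBuilds)
    }
}

function Disable-PowerShellV2Engine {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $inventory = Get-PowerShellInventory
    if (-not $inventory.V2EngineEnabled) {
        Write-Verbose 'Windows PowerShell 2.0 engine is not present; nothing to do.'
        return
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove Windows PowerShell 2.0 engine')) {
        if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
            # Windows Server path.
            Uninstall-WindowsFeature -Name PowerShell-V2
        } else {
            # Windows client path; -NoRestart lets the caller schedule the reboot.
            Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
        }
    }
}

# Show what is installed, then preview the removal. Drop -WhatIf to apply it.
Get-PowerShellInventory | Format-List
Disable-PowerShellV2Engine -WhatIf
```

    Run `Get-PowerShellInventory` across the estate first (for example through Invoke-Command) so that any script still depending on the v2 engine is found before removal; `-WhatIf` previews the change and `-Verbose` explains a no-op.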
  6. Email Best Practices.

    • Implement Domain-based Message Authentication, Reporting and Conformance (DMARC), a validation system that reduces spam by detecting email spoofing. It builds on the SPF and DKIM records published in the Domain Name System (DNS) and on DKIM digital signatures.
    • Mark external emails with a banner denoting that they come from an external source. This helps users spot spoofed emails.
    • Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
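    The following PowerShell is an added example, not part of the Trend Micro article, illustrating the DMARC recommendation above. It parses a DMARC TXT record into its tags and reports whether the published policy actually enforces anything (p=none only monitors, a low pct= or sp=none leaves gaps). The sample records are constructed for illustration; `Get-DmarcRecord` performs the live lookup with the built-in `Resolve-DnsName` cmdlet when DNS access is available. SPF and DKIM records themselves are not evaluated here.

```powershell
# Added example (not from the Trend Micro article): parse and assess a DMARC record.

function ConvertFrom-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    # A DMARC record is a list of "tag=value" pairs separated by semicolons, e.g.
    # "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    $tags = @{}
    foreach ($pair in $Record -split ';') {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    return $tags
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    $tags     = ConvertFrom-DmarcRecord -Record $Record
    $findings = New-Object System.Collections.Generic.List[string]

    if ($tags['v'] -ne 'DMARC1') {
        $findings.Add('Record does not begin with v=DMARC1; receivers will ignore it.')
    }
    switch ($tags['p']) {
        'reject'     { }
        'quarantine' { }
        'none'       { $findings.Add('p=none only monitors; spoofed mail is still delivered.') }
        default      { $findings.Add('Missing or invalid p= tag; the record is unusable.') }
    }
    # pct defaults to 100; anything lower exempts a share of failing mail from the policy.
    if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) {
        $findings.Add("pct=$($tags['pct']) applies the policy to only that percentage of failing mail.")
    }
    if (-not $tags.ContainsKey('rua')) {
        $findings.Add('No rua= address: aggregate reports about spoofing attempts are not collected.')
    }
    # Subdomains inherit p= unless sp= overrides it; sp=none reopens them to spoofing.
    if ($tags['sp'] -eq 'none') {
        $findings.Add('sp=none leaves subdomains unprotected.')
    }

    [pscustomobject]@{
        Record    = $Record
        Policy    = $tags['p']
        Enforcing = ($tags['p'] -in 'quarantine', 'reject')
        Findings  = $findings.ToArray()
    }
}

function Get-DmarcRecord {
    # Live lookup of the record a domain publishes at _dmarc.<domain> (needs DNS access).
    param([Parameter(Mandatory)][string]$Domain)
    Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=DMARC1*' }
}

# Constructed sample records covering the common weak configurations.
$samples = @(
    'v=DMARC1; p=none; rua=mailto:dmarc@example.com',
    'v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com',
    'v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com',
    'v=DMARC1; p=reject; rua=mailto:dmarc@example.com'
)
foreach ($record in $samples) { Test-DmarcRecord -Record $record | Format-List }

# Against a real domain: Get-DmarcRecord -Domain 'example.com' | ForEach-Object { Test-DmarcRecord $_ }
```

    Only the last sample comes back with `Enforcing = True` and no findings; the others show why a record that merely exists is not the same as one that blocks spoofed mail.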
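    The following PowerShell is an added example, not part of the Trend Micro article, showing one way to implement the external-sender banner recommendation in Exchange Online. It assumes an existing session opened with `Connect-ExchangeOnline` (ExchangeOnlineManagement module) and sufficient permissions; the rule name, marker phrase and banner text are placeholders.

```powershell
# Added example (not from the Trend Micro article): tag mail from outside the organization.
# Assumes Connect-ExchangeOnline has already been run in this session.

# Option 1: Exchange Online's native "External" tag, rendered by Outlook clients that support it.
Set-ExternalInOutlook -Enabled $true

# Option 2: a mail flow (transport) rule that prepends a visible banner for every client.
# The marker phrase doubles as the rule exception so the banner is not stacked on each reply.
$marker = 'CAUTION: This email originated from outside the organization.'
$banner = '<div style="background:#FFEB9C;border:1px solid #9C6500;padding:6px;font-family:sans-serif;">' +
          "$marker Do not click links or open attachments unless you recognize the sender " +
          'and know the content is safe.</div>'

New-TransportRule -Name 'External sender banner' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfSubjectOrBodyContainsWords $marker `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0

# Confirm the rule is enabled and sits at the top of the processing order.
Get-TransportRule -Identity 'External sender banner' | Format-List Name, State, Priority, FromScope
```

    The banner is a user-facing aid only; it does not replace DMARC evaluation or gateway filtering, and attackers who compromise an internal mailbox will not trigger it.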