Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products

    • Updated: 8 Oct 2019
    • Product/Version: Cloud App Security; Endpoint Application Control 1.0; Hosted Email Security; InterScan Messaging Security Virtual Appliance; OfficeScan 11.0; ScanMail for Exchange; ScanMail for IBM Domino
    • Platform: N/A
Summary

Trend Micro has seen a dramatic rise in ransomware-related incidents, especially those involving sophisticated crypto-ransomware. The issue affects both home and commercial users. Like many other cyber threats, ransomware has grown more complex and advanced over time, which makes prevention and protection more challenging.

Ransomware can enter an organization through many vectors, such as email spam, phishing attacks, or malicious web downloads. For the highest level of protection, organizations are encouraged to deploy multiple layers of protection on endpoints, gateways, and mail servers.

The image below shows a typical ransomware infection chain. For more details about the infection chain, refer to this article: Mitigating the TROJ_CRYPWALL (also known as Cryptowall) v3 using Trend Micro products.

CRYPWALL infection chain

This article discusses Trend Micro's recommended configuration on various products and important software updates to better protect against and combat ransomware.

Consumer (Home) customers may visit the following site: Consumer (Home) Customers' Guide on Ransomware: Introduction, Prevention and Trend Micro Security Solutions

Details

Frequently Asked Questions (FAQs) about Ransomware

Trend Micro has created a Computer Based Training (CBT) module for customers to help answer the FAQs about Ransomware. Please click here to view the module.

Trend Micro Solutions and Best Practice Configuration

Trend Micro offers several solutions that leverage the Trend Micro™ Smart Protection Network™ to help administrators block ransomware at its possible points of infection. Get the latest versions of these solutions, including service packs and critical patches, from the Trend Micro Download Center.

OfficeScan and Worry-Free Business Security

Both of these Trend Micro corporate endpoint protection products contain two key technologies that should be enabled to protect against ransomware: Web Reputation Services and Behavior Monitoring. To enable and configure these options, follow these articles:

For more detailed configuration steps, refer to these articles:

Endpoint Application Control

Administrators who want an additional layer of protection on endpoints, such as preventing unwanted and unknown applications (including ransomware and zero-day malware) from executing, may deploy policies that block untrusted EXE files.

Customers who have purchased one of the Trend Micro Smart Protection Suites may already be licensed for this protection but may not yet have implemented it. To install and configure policies, refer to the following KB:

TMEAC: Best Practice Configuration against Ransomware and other Malware Threats with Endpoint Application Control (TMEAC) 2.0 Patch 1

For more detailed configuration steps, refer to the document: Endpoint Application Control Guide.

Deep Security

Learn about ways Deep Security can protect servers from the effects of ransomware by following the article, Ransomware Detection and Prevention in Deep Security.

You can also download and apply the following critical patches, which add new widgets for ransomware monitoring:

  • Deep Security Manager 9.6 Service Pack (SP) 1 Patch 1 Critical Patch 1 (9.6.4000)
  • Deep Security Manager 9.5 Service Pack (SP) 1 Patch 3 Critical Patch 1 (9.5.7200)

For more details, check this article: Adding new widgets for ransomware monitoring in Deep Security Manager (DSM).

References: Protection Modules Introduction

The following articles will guide you through further enhancing protection on your Messaging and Gateway products:

Since email is a popular vector for delivering ransomware, blocking non-essential attachment types such as executables and scripts is also recommended. Administrators may block these file types by true file type (recommended) or by specific extension names; true-file-type blocking is preferred because it still catches an executable whose extension has been renamed to look harmless. Customers can use the following messaging products to block email attachments. To configure them, refer to this article: Filtering and blocking email attachments using Trend Micro's Messaging products.

  • ScanMail for Microsoft Exchange
  • Hosted Email Security
  • InterScan Messaging Security

Macro viruses are one of the most common types of malicious content found in Microsoft Office documents and in compressed files that contain them. For enhanced security, enable the macro file scanning option in your Trend Micro products.
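As an added illustration of the two recommendations above (blocking executables and scripts by true file type rather than by extension, and scanning Office documents for macros), the following Python example classifies attachments by their content. It was written for this page and is not part of any Trend Micro product; the magic-byte signatures for PE, OLE2, ZIP and PDF files and the vbaProject.bin convention for OOXML macros are standard, while the policy decisions, blocked-extension list, file names and sample bytes are assumptions made for the demonstration.

```python
"""Attachment triage by true file type, written as an example for this page.

Not a Trend Micro tool. It shows why blocking by true file type is
preferred over blocking by extension: a renamed executable or a
macro-enabled Office document keeps its real content, which the file's
magic bytes and container structure reveal. All sample attachments are
constructed in memory and are harmless.
"""
import io
import zipfile

# Hypothetical policy: extensions rejected on name alone (the page's
# "block by specific extension names" option).
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".js", ".jse",
                      ".vbs", ".vbe", ".ps1", ".bat", ".cmd", ".hta", ".jar"}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt


def ext_of(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def true_type(data):
    """Classify an attachment by its content, ignoring the file name."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data.startswith(OLE2_MAGIC):
        return "ole2-document"          # may carry VBA; needs macro scan
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if "[Content_Types].xml" in names:
            # OOXML (docx/xlsx/pptx). A vbaProject.bin part means macros.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            return "ooxml"
        return "zip-archive"
    if data[:4] == b"%PDF":
        return "pdf"
    return "unknown"


def decide(name, data):
    """Return (decision, reason) for one attachment.

    'block' rejects the message, 'scan' hands it to macro/AV scanning,
    'allow' passes it through. Content is checked before the extension
    so that a renamed file cannot dodge the policy.
    """
    kind = true_type(data)
    if kind == "pe-executable":
        return "block", "true type %s despite name %s" % (kind, name)
    if kind == "ooxml-macro":
        return "block", "macro-enabled Office document"
    if kind == "ole2-document":
        return "scan", "legacy OLE2 document, run macro scan"
    if kind == "zip-corrupt":
        return "block", "unparseable ZIP container"
    ext = ext_of(name)
    if ext in BLOCKED_EXTENSIONS:
        return "block", "blocked extension %s" % ext
    return "allow", kind


def make_ooxml(with_macro):
    """Build a minimal OOXML container (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (name -> bytes); none is real malware.
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # executable renamed to .pdf
    "report.docx": make_ooxml(with_macro=True),     # macro document with a .docx name
    "notes.docx": make_ooxml(with_macro=False),
    "payroll.xls": OLE2_MAGIC + b"\x00" * 8,
    "update.js": b"var x = 1;",                     # plain text; caught by extension
    "brochure.pdf": b"%PDF-1.4\n",
}


def evaluate(samples=SAMPLES):
    """Run the policy over every sample and return {name: (decision, reason)}."""
    return {name: decide(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (decision, reason) in evaluate().items():
        print("%-14s %-5s %s" % (name, decision, reason))
```

The renamed executable and the macro-enabled document are both blocked even though their names look benign, the legacy OLE2 document is routed to macro scanning, and the script is only caught by its extension because plain text has no reliable magic bytes, which is why both controls are recommended together.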

Messaging product users are recommended to enable the Web Reputation Service and the New-Born URL handling function in order to catch new waves of malicious spam campaigns effectively. Check out the list of messaging products with the New-Born URL handling function.

Email Reputation Services users are strongly encouraged to enable the Quick Information List (QIL) filtering level for IP reputation and set the level to at least Level 2.

The following articles will guide you through further enhancing protection on your Network Defense products:

Control Manager (TMCM) offers Ransomware monitoring capabilities, providing information about the detection statistics and affected users. The following article will help you understand the information provided by TMCM: Checking the information displayed in the Ransomware Prevention sub-page of the TMCM dashboard.

The following article will guide you through further enhancing protection on your mobile products including Mobile Security for Android and Mobile Security for Enterprise:

TMMS: Mobile Ransomware: Prevention and Best practice

Prevention

Victims who have been affected by ransomware can generally attest to the pain and complexity of trying to recover after such an attack. Increased user awareness and vigilance can save a potential victim time and money in the unfortunate event of an attack. Preventing the attack in the first place is still the most effective way of dealing with this threat.

The following is a list of some preventative measures that users and administrators can employ as best practices:

  • Regular backups of critical data, kept where an infected host cannot overwrite them and verified by test restores, to cover any sort of loss (not just ransomware).
  • Timely application of software patches from OS and third-party vendors.
  • Good email and website safety practices: downloading attachments, clicking URLs, or executing programs only from trusted sources.
  • Encouraging users to alert the IT security team to potentially suspicious emails and files.
  • Keeping security products updated and performing periodic scans.
  • Application whitelisting on endpoints to block all unknown and unwanted applications.
  • Regular user education about the dangers and signals of social engineering.

Trend Micro continues to devote significant research to new ways of combating these threats and to update users with the latest information and recommendations through its Security Intelligence Blog and Knowledge Base.

In addition, your authorized Trend Micro support representative is available for any questions regarding the configuration options mentioned in this advisory to combat ransomware.

Available Tools

Trend Micro has developed a tool to decrypt files that were encrypted by certain Ransomware families. You can refer to Downloading and Using the Trend Micro Ransomware File Decryptor for instructions in using the Decryption Tool.

The Trend Micro™ Ransomware Screen Unlocker Tool is designed to remove lock-screen ransomware from an infected PC in two scenarios. Refer to this KB article for details: Downloading and using Trend Micro™ Ransomware Screen Unlocker Tool.

Use the Trend Micro Anti-Threat Toolkit to collect system forensic data for Trend Micro Technical Support:

  1. Download the Anti-Threat Toolkit by clicking your operating system version below:
  2. Read the Trend Micro License Agreement. Once you click I Accept, the download will start.
  3. Choose the directory where the tool will be stored, then click Save.
  4. Double-click the downloaded file to run it.
  5. Click Yes when the User Account Control window appears.

    A command prompt window will appear to show the progress of the system forensic analysis.

  6. A browser window will appear after the analysis is completed. You will receive a temporary ID number to use as a reference when you contact Trend Micro Technical Support.
  7. A Trend Micro Anti-Threat Toolkit folder will be created inside the directory where the tool was executed. Inside is a subfolder named Output, containing a .ZIP file whose filename includes the timestamp and a GUID.
  8. If you have an existing case with Trend Micro Technical Support, send the temporary ID number and the output .ZIP file to the engineer(s) handling the case. Otherwise, submit a support request to Trend Micro Technical Support, making sure to include the temporary ID number and the output file.
Category: Configure; Remove a Malware / Virus
Solution Id: 1112223