Trend Micro has seen a dramatic rise of ransomware-related issues, especially the sophisticated Crypto-Ransomware. The issue concerns both home and commercial users. Like many other cyber threats, ransomware has become more complex and advanced over time. Thus, the prevention and protection become more challenging.
Ransomware can enter an organization through many vectors, such as email spam, phishing attacks, or malicious web downloads. For highest level of protection, organizations are encouraged to deploy multiple layers of protection on endpoint, gateway, and mail servers.
The image below shows a typical ransomware infection chain. For more details about infection chain, refer to this article: Mitigating the TROJ_CRYPWALL (also known as Cryptowall) v3 using Trend Micro products.
This article discusses Trend Micro's recommended configuration on various products and important software updates to better protect against and combat ransomware.
Consumer (Home) customers may visit the following site: Consumer (Home) Customers' Guide on Ransomware: Introduction, Prevention and Trend Micro Security Solutions
Frequently Asked Questions (FAQs) about Ransomware
Trend Micro has created a Computer Based Training (CBT) module for customers to help answer the FAQs about Ransomware. Please click here to view the module.
Trend Micro Solutions and Best Practice Configuration
Trend Micro has several solutions leveraging the Trend Micro™ Smart Protection Network™. It helps administrators block ransomware threats from possible points of infection. Get the latest versions of these solutions, including service packs and critical patches, from the Trend Micro Download Center.
OfficeScan and Worry-Free Business Security
Both of these Trend Micro’s corporate endpoint protection products contain key technologies that are highly recommended to be enabled to protect against ransomware: Web Reputation Services and Behavior Monitoring. To enable and configure these options, follow these articles:
- OSCE: Enabling the Ransomware Protection feature in OfficeScan 11.0 SP1
- WFBS: Enabling the Ransomware Protection feature in Worry-Free Business Security 9.0 SP3
- WFBS-SVC: Enabling ransomware protection for Worry-Free Business Security Services (WFBS-SVC)
For more detailed configuration steps, refer to these articles:
- OfficeScan Best Practice Configuration
- Worry-Free Business Security (including Services) Best Practice Configuration
Endpoint Application Control
Administrators who wish to have an additional layer of protection on endpoints, such as prevention of unwanted and unknown applications (like ransomware and 0-day malware) from executing, may deploy policies to block untrusted EXE files.
Customers who have purchased one of Trend Micro Smart Protection Suites may already have the license for this protection, but have not implemented it yet. To install and configure policies, refer to the following KB:
For more detailed configuration steps, refer to the document: Endpoint Application Control Guide.
Learn about ways Deep Security can protect servers from the effects of ransomware by following the article, Ransomware Detection and Prevention in Deep Security.
You can also download and apply the following critical patches to add new widgets for ransomware monitoring:
- Deep Security Manager 9.6 Service Pack (SP) 1 Patch 1 Critical Patch 1 (9.6.4000)
- Deep Security Manager 9.5 Service Pack (SP) 1 Patch 3 Critical Patch 1 (9.5.7200)
For more details, check this article: Adding new widgets for ransomware monitoring in Deep Security Manager (DSM).
The following articles will guide you through further enhancing protection on your Messaging and Gateway products:
- SMID: How to enable ransomware category in ScanMail for IBM Domino (SMID) 5.6 for Windows
- SMEX: Ransomware protection using ScanMail for Exchange (SMEX)
- TMCAS: Enabling the Ransomware Protection feature on Trend Micro Cloud App Security (TMCAS)
- IMSVA: Enabling the Ransomware Protection feature in InterScan Messaging Security Suite (IMSS) or InterScan Messaging Security Virtual Appliance (IMSVA)
- HES: Ransomware protection using Hosted Email Security (HES)
- IWSVA: Configuring URL Filtering policy to block Ransomware on InterScan Web Security Virtual Appliance (IWSVA) 6.5 Service Pack 2
References: Protection Modules Introduction
Since email is a popular vector for attackers to deliver ransomware, effective blocking of certain non-essential file types such as Executables or Scripts is also recommended. Administrators may block these file types by true file type (recommended) or by specific extension names. Customers can use the following messaging products to block email attachments. To configure these products, refer to this article on Filtering and blocking email attachments using Trend Micro's Messaging products.
- ScanMail for Microsoft Exchange
- Hosted Email Security
- InterScan Messaging Security
Macro virus is one of the most common types of file infectors in Microsoft Office documents and compressed files. For enhanced security, configure the macro file scanning option using Trend Micro products.
Messaging Product Users are recommend to enable Web Reputation Service and New-Born URLs handling function in order to effectively catch new wave of malicious SPAM campaign. Check out the list of messaging products with the New-Born URLs handling function.
Email Reputation Services users are strongly encouraged to enable the Quick Information List (QIL) filtering level for IP reputation and set the level to at least Level 2.
The following articles will guide you through further enhancing protection on your Network Defense products:
Control Manager (TMCM) offers Ransomware monitoring capabilities, providing information about the detection statistics and affected users. The following article will help you understand the information provided by TMCM: Checking the information displayed in the Ransomware Prevention sub-page of the TMCM dashboard.
Victims who have been affected by ransomware can generally attest to the pain and complexity of trying to recover after such an attack. Increased user awareness and vigilance can save a potential victim time and money in the unfortunate event of an attack. Preventing the attack in the first place is still the most effective way of dealing with this threat.
The following is a list of some preventative measures that users and administrators can employ as best practices:
- Regular back ups of critical data in case of any sort of loss (not just ransomware).
- Timely application of software patches from OS and third-party vendors.
- Exercise good email and website safety practices – downloading attachments, clicking URLs or executing programs only from trusted sources.
- Encourage users to alert IT Security team of potentially suspicious emails and files.
- Ensure your security products are updated regularly and perform periodic scans.
- Implement application whitelisting on your endpoints to block all unknown and unwanted applications.
- Regular user education around the dangers and signals of social engineering.
Trend Micro continues to devote countless hours of research into new ways of combating these threats and to update our users with the latest information and recommendations through our Security Intelligence Blog and Knowledge Base.
In addition, your authorized Trend Micro support representative is available for any questions regarding the configuration options mentioned in this advisory to combat ransomware.
Trend Micro has developed a tool to decrypt files that were encrypted by certain Ransomware families. You can refer to Downloading and Using the Trend Micro Ransomware File Decryptor for instructions in using the Decryption Tool.
Trend Micro™ Ransomware Screen Unlocker Tool is designed to eliminate Lock Screen ransomware from your infected PC in two scenarios. Refer to this KB article for details: Downloading and using Trend Micro™ Ransomware Screen Unlocker Tool.
- Download the Anti-Threat Toolkit by clicking your operating system version below:
- Read the Trend Micro License Agreement. Once you click I Accept, the download will start.
- Choose the preferred directory where the tool will be stored then click Save.
- Double-click the downloaded file to run it.
- Click Yes when the User Account Control window appears.
A command prompt window will appear to show the system forensic analysis progress.
- A browser window will appear after the analysis is completed. You will receive a temporary ID number that will be used as a reference ID when you contact Trend Micro Technical Support.
- A Trend Micro Anti-Threat Toolkit folder will be created inside the directory where the tool was executed. Inside is a subfolder named Output. You will find a .ZIP file with filename including the timestamp and GUID.
- If you have an existing case with Trend Micro Technical Support, submit the Temporary ID number and attach the output .ZIP file to the engineer(s) handling the case. Otherwise, submit a support request to Trend Micro Technical Support. Make sure to include the Temporary ID number and the output file.