Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Worry-Free Business Security (WFBS) / Worry-Free Business Security Services (WFBS-SVC) Checklist for RYUK Ransomware

    • Updated:
    • 4 Nov 2020
    • Product/Version:
    • Worry-Free Business Security Advanced 10.0
    • Worry-Free Business Security Services 6.5
    • Worry-Free Business Security Services 6.6
    • Worry-Free Business Security Standard 10.0
    • Platform:
    • N/A

Distribution of RYUK Ransomware is via banking Trojan like Trickbot and Emotet, MalSpam and Exploits.
Worry-Free Business Security (WFBS) / Worry-Free Business Security Services (WFBS-SVC) has pro-active features that will protect the network from Ransomware Attack.

Trend Micro detects RYUK ransomware as Ransom.Win32.RYUK.

For proactive solution, Behavior Monitoring feature will detect and terminate process that has ransomware like behavior.
In addition, Predictive Machine Learning will detect RYUK as Troj.Win32.TRX.XXPE50FFF037.
Both Behavior Monitoring and Predictive Machine Learning are used to detect unknown threat.


Prevention Recommendations

  1. Make sure all of the machines have WFBS agent installed, have updated Agent and pattern version.
  2. Follow the best configuration practices in the following KB articles:

  3. Change the scan settings of Real-Time Scan and Scheduled Scan from Active Action to Customized Actions.

    For Real Time Scan

    1. Go to Devices.
    2. Select a group.
    3. Click Configure Policy. The Configure Policy: <group name> screen appears.
    4. Click Antivirus/Anti-spyware.
    5. Go to the Actions tab, under For Malware Detections, tick the Set action of Probable malware and set to “Quarantine”.

    For Scheduled Scan

    1. Navigate to Scans > Scheduled Scan.
    2. Under the Settings tab, select a group.
    3. Go to the Actions tab, under For Malware Detections, tick the Set action of Probable malware and set to “Quarantine”.
    1. Go to the Configure Policy screen by performing one of the following:

      • Classic Mode: Go to SECURITY AGENTS and select a group. Click Menu icon (three vertical dots) > Configure Policy.
      • Advanced Mode: Go to POLICIES > Policy Management. Click Add or click an existing policy.
    2. Click the Windows icon.
    3. Go to Scan Settings then under Real-Time Scan Scheduled Scan, select Configure Settings.
    4. Go to the Actions tab, under Virus/Malware, change from Active Action to Customized Action.
    5. Make sure that the action specified for “Probable Malware” is set to “Quarantine”.
    6. It is advisable to apply the same settings for both Manual and Scheduled Scan.
  4. Provision Cloud App Security (TMCAS) to Protect Exchange Online, SharePoint, and OneDrive with the Best Practice, if TMCAS is available.

    For detailed information, refer to the TMCAS BPG.

  5. Network Best Practices.

    • Back up data regularly, keep offline backups, and verify integrity of backup process. Regularly back up critical data to minimize potential damage. A good strategy is keeping critical data in a secure location that would allow the organization to quickly get back on its feet. Practice the 3-2-1 rule: create three backup copies on two different media with one copy stored offsite.

      Refer to the Trend Micro article: World Backup Day: The 3-2-1 Rule.
    • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
    • Use two-factor authentication and strong passwords.
    • Maintain only the most up-to-date version of PowerShell and uninstall older versions. Disable if not needed on certain endpoints.
    • Adhere to the principle of least privilege, ensuring that users have the minimum level of access required to accomplish their duties. Limit administrative credentials to designated administrators.
    • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.
  6. Email Best Practices.

    • Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.(SPF and DKIM).
    • Mark external emails with a banner denoting it is from an external source. This will assist users in detecting spoofed emails.
    • Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
Configure; Remove a Malware / Virus
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.