Best practices in preventing Ransomware infection using OfficeScan (OSCE) and Worry-Free Business Security/Services (WFBS/WFBS-SVC)

    • Updated:
    • 17 Oct 2016
    • Product/Version:
    • OfficeScan 10.6
    • OfficeScan 11.0
    • OfficeScan XG.All
    • Worry-Free Business Security Services 5.7
    • Worry-Free Business Security Services for Dell 5.6
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform:
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Standard
    • Windows 2003 Standard 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Standard
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows 8 32-bit
    • Windows 8 64-bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Professional
Summary

What is Ransomware?

Ransomware is a class of malware that holds a computer "hostage" until the user pays a ransom or follows the attacker's instructions. Once executed, it restricts access to the system; some variants also repeatedly display messages pressuring the user to pay or perform the desired action. Crypto-ransomware variants go further and encrypt files on the system's drives, so the user is forced to pay for the key needed to decrypt important or critical files.

The criminals behind these threats collect payment through online methods such as Ukash, PaySafeCard, MoneyPAK or Bitcoin.

More information can be found here:

This article contains recommended practices for preventing ransomware from infecting machines on your network.

This malware is also known as:

  • Trojan:Win32/Crilock.A
  • Trojan-Ransom.Win32.Blocker.cgmz
  • TROJ_RANSOM
  • TROJ_CRILOCK
  • Cryptolocker
  • Trojan-Ransom.Win32.Foreign.acc
  • Trojan.Ransom.FH
  • Trojan:Win32/Ransom.GT
Details

Prevention (OSCE)

  1. Implementing OSCE’s “Best Practice” configuration against malware threats is the most important step in keeping this malware off the machine and the network. View the guide here.

    Highlights:

    1. Use Smart Scan. Its cloud-based pattern has broader coverage and is updated more frequently, so newer ransomware samples are processed and pushed to clients much sooner than with the conventional scan method.
    2. Enable Web Reputation Services (WRS) and make sure it is applied to both INTERNAL and EXTERNAL networks. This blocks the infection vector (the malicious download or landing page) as well as the communication vector (the malware's callback to its command-and-control servers).
    3. Enable Behavior Monitoring, which proactively detects threats through behavior analysis. It can also prompt the user before a “newly encountered” file is executed; being a never-before-seen executable is a common characteristic of ransomware droppers.
       
      The “newly encountered” file prompt feature is only available in OSCE 10.6 with Service Pack 3 or later versions.

      Enable the following settings under Behavior Monitoring:

      Ransomware Protection

      • Protect documents against unauthorized encryption or modification.
      • Automatically backup and restore files changed by suspicious programs.
      • Block processes commonly associated with ransomware.
      • Enable program inspection to detect and block compromised executable files.
         
        Program inspection provides increased security if you select "Known and potential threats" in the "Threats to block" drop-down list.

      Anti-exploit Protection

      • Terminate programs that exhibit abnormal behavior associated with exploit attacks.
    4. Enable Smart Feedback. The Trend Micro Smart Protection Network uses this feedback to reduce the effort of threat harvesting, analysis, and resolution. It raises detection rates, gives Trend Micro real-world telemetry on new samples, and helps ensure customers receive the latest protection in the shortest possible time.
  2. Make sure that you have a mail scanning solution implemented on your network. Several ransomware variants arrive as malicious attachments in spam email.
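The Behavior Monitoring settings above ("Protect documents against unauthorized encryption or modification" and the process-blocking rules) work by watching what a program does to files rather than what it looks like. The following is an added example, not Trend Micro code, of the kind of heuristic such a feature relies on: a sliding-window detector that flags a process when several document rewrites in a short time either produce near-random (high-entropy) content or append a ransom extension. The thresholds, the `.locked`/`.encrypted`/`.crypt` extension list and the simulated write stream are all assumptions constructed for this example.

```python
import math
import os
import random
from collections import deque
from typing import Deque, Tuple

# Thresholds are assumptions chosen for this example, not Trend Micro's values.
ENTROPY_THRESHOLD = 7.0   # bits per byte; text and most office documents sit well below this
BURST_WINDOW = 5.0        # seconds over which suspicious rewrites are counted
BURST_COUNT = 5           # suspicious rewrites inside the window before we alert
# Constructed examples of extensions ransomware families append to encrypted files.
SUSPICIOUS_EXTS = {".locked", ".encrypted", ".crypt"}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class EncryptionMonitor:
    """Sliding-window detector for ransomware-like document rewrites.

    A write is 'suspicious' if the new content is near-random (high entropy) or
    the file gains a known ransom extension. BURST_COUNT such writes within
    BURST_WINDOW seconds trigger an alert; a single save of a zip file does not.
    """

    def __init__(self) -> None:
        self.events: Deque[Tuple[float, str]] = deque()  # (timestamp, path)

    def observe_write(self, path: str, new_content: bytes, ts: float) -> bool:
        """Record one write; return True if it pushes the stream over the burst threshold."""
        ext = os.path.splitext(path)[1].lower()
        suspicious = (shannon_entropy(new_content) >= ENTROPY_THRESHOLD
                      or ext in SUSPICIOUS_EXTS)
        if not suspicious:
            return False
        self.events.append((ts, path))
        # Drop events that have fallen out of the time window.
        while self.events and ts - self.events[0][0] > BURST_WINDOW:
            self.events.popleft()
        return len(self.events) >= BURST_COUNT


def simulate(encrypting: bool, files: int = 8) -> bool:
    """Feed a constructed write stream to the monitor; True means an alert fired."""
    rng = random.Random(1)  # deterministic so the run is reproducible
    monitor = EncryptionMonitor()
    alerted = False
    for i in range(files):
        if encrypting:
            # Ransomware overwrites each document with ciphertext and renames it.
            path = f"docs/report{i}.docx.locked"
            content = bytes(rng.getrandbits(8) for _ in range(4096))
        else:
            # Normal editing: the user saves plain text a few times.
            path = f"docs/report{i}.txt"
            content = (f"Quarterly report {i}. " * 200).encode()
        if monitor.observe_write(path, content, ts=0.5 * i):
            alerted = True
    return alerted


if __name__ == "__main__":
    print("ransomware-like stream alerted:", simulate(True))
    print("normal editing alerted:", simulate(False))
```

Entropy alone is a noisy signal: legitimately compressed files (archives, images, already-encrypted containers) also score near 8 bits per byte, which is why the product pairs this heuristic with process reputation ("Block processes commonly associated with ransomware", program inspection) and with the automatic backup-and-restore of files touched by suspicious programs, so a false positive costs a prompt rather than data.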

Cleanup/Sample Collection (OSCE)

If OSCE is unable to remove the ransomware infection from a machine, use the separate “AntiRansomware Tool”. Instructions on how to use it can be found here.

You may also use the ATTK Tool to clean and/or collect malicious samples for submission to the Trend Micro Business Support website for further checking. The ATTK Tool can be deployed via the OSCE Toolbox for ease and convenience.

Prevention (WFBS/WFBS-SVC)

  1. Implementing the WFBS Best Practice configuration against malware threats is the most important step in keeping this malware off the machine and the network.

    Highlights:

    • Use Smart Scan. Its cloud-based pattern has broader coverage and is updated very frequently, so newer ransomware samples are processed and pushed to clients much sooner than with the conventional scan method.
    • Enable scanning of POP3 messages to stop malicious attachments before they reach, and eventually infect, the machine.
    • Enable Web Reputation Services (WRS) and make sure it is applied to both In-Office and Out-of-Office networks. This blocks the infection vector (the malicious download or landing page) as well as the communication vector (the malware's callback to its command-and-control servers).
    • Enable Behavior Monitoring. It proactively detects threats through behavior analysis, adding a layer of protection that does not depend on a signature for the specific sample.
    • Enable Smart Feedback. The Trend Micro Smart Protection Network uses this feedback to reduce the effort of threat harvesting, analysis, and resolution. It raises detection rates, gives Trend Micro real-world telemetry on new samples, and helps ensure customers receive the latest protection in the shortest possible time.
  2. Make sure that you have a mail scanning solution implemented on your network (IMSVA, SMEX, HES, etc.). Several ransomware variants arrive as malicious attachments in spam email.
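Both the OSCE and WFBS sections above end with the same advice: scan mail for malicious attachments, because spam with an attached script or executable (often inside a .zip so the mail client shows a harmless-looking archive) is a common ransomware entry point. The following is an added example, not code from IMSVA, SMEX or any Trend Micro product, of the core check a mail scanner performs: parse a message with Python's standard `email` library, inspect each attachment's file type, and look inside zip archives for executable or script payloads. The sample message, its `Invoice_2016.zip` attachment and the blocked-extension list are constructed for this example.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Extensions that should never arrive as a mail attachment in most organizations
# (assumption for this example; tune to your own policy).
BLOCKED_EXTS = {".exe", ".scr", ".pif", ".com", ".js", ".jse", ".vbs", ".vbe",
                ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".jar", ".lnk"}
# Macro-enabled Office formats: not blocked outright here, but reported.
MACRO_EXTS = {".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTS = {".zip"}


def suspicious_name(name: str) -> Optional[str]:
    """Return a reason string if the filename's type is dangerous, else None."""
    ext = os.path.splitext(name.lower().rstrip())[1]
    if ext in BLOCKED_EXTS:
        return f"executable or script attachment type {ext}"
    if ext in MACRO_EXTS:
        return f"macro-enabled document type {ext}"
    return None


def scan_message(raw: bytes) -> List[str]:
    """Parse a raw RFC 5322 message and list dangerous attachments (including inside zips)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reason = suspicious_name(name)
        if reason:
            findings.append(f"{name}: {reason}")
        if os.path.splitext(name.lower())[1] in ARCHIVE_EXTS:
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for info in zf.infolist():
                        inner = suspicious_name(info.filename)
                        if inner:
                            findings.append(f"{name}!{info.filename}: {inner}")
            except zipfile.BadZipFile:
                # A .zip that is not a zip is itself worth a look (e.g. a renamed exe).
                findings.append(f"{name}: declared zip is not a valid archive")
    return findings


def build_sample_message(include_zip: bool = True) -> bytes:
    """Construct a test message: a benign PDF plus, optionally, a zip hiding a .js file."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    # Constructed placeholder bytes; not a real PDF or script.
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    if include_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("Invoice_2016.js", "// constructed placeholder, not a real script")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="Invoice_2016.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("BLOCK:", finding)
```

A production gateway adds what this sketch omits: recursion limits for nested archives, password-protected zips (a favourite trick, since the scanner cannot open them but the user can), content sniffing so a renamed executable is caught by its PE header rather than its extension, and the reputation and sandboxing checks that the products named above supply.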

Cleanup and sample collection (WFBS/WFBS-SVC)

If WFBS is unable to remove the ransomware infection from a machine, use the separate AntiRansomware Tool.

You may also use the ATTK Tool to clean the machine and/or collect malicious samples for submission to the Trend Micro Business Support website for further analysis.

Category:
Remove a Malware / Virus
Solution Id:
1099423