Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products

Updated: 20 Oct 2016

Product/Version:

    • Cloud App Security 1.0
    • Deep Discovery Inspector 3.8
    • Endpoint Application Control 1.0
    • Hosted Email Security 1.9.6
    • Hosted Email Security 1.9.8
    • Hosted Email Security 2.0
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • InterScan Web Security Virtual Appliance 6.0
    • InterScan Web Security Virtual Appliance 6.5
    • OfficeScan 11.0
    • ScanMail for Exchange 11.0
    • ScanMail for IBM Domino 5.6 Linux
    • ScanMail for IBM Domino 5.6 Windows
    • Worry-Free Business Security Standard/Advanced 9.0

Platform: N/A

Summary

Trend Micro has seen a dramatic rise in ransomware-related issues, especially the sophisticated Crypto-Ransomware. The issue concerns both home and commercial users. Like many other cyber threats, ransomware has become more complex and advanced over time, which makes prevention and protection more challenging.

Ransomware can enter an organization through many vectors, such as email spam, phishing attacks, or malicious web downloads. For the highest level of protection, organizations are encouraged to deploy multiple layers of protection on endpoints, gateways, and mail servers.

The image below shows a typical ransomware infection chain. For more details about the infection chain, refer to this article: Mitigating the TROJ_CRYPWALL (also known as Cryptowall) v3 using Trend Micro products.

CRYPWALL infection chain

This article discusses Trend Micro's recommended configuration on various products and important software updates to better protect against and combat ransomware.

Details

Frequently Asked Questions (FAQs) about Ransomware

Trend Micro has created a Computer Based Training (CBT) module for customers to help answer the FAQs about Ransomware. Please click here to view the module.

Trend Micro Solutions and Best Practice Configuration

Trend Micro has several solutions leveraging the Trend Micro™ Smart Protection Network™. They help administrators block ransomware threats at possible points of infection. Get the latest versions of these solutions, including service packs and critical patches, from the Trend Micro Download Center.

OfficeScan and Worry-Free Business Security

Both of these Trend Micro corporate endpoint protection products contain two key technologies that should be enabled to protect against ransomware: Web Reputation Services and Behavior Monitoring. To enable and configure these options, follow these articles:

For more detailed configuration steps, refer to these articles:

Endpoint Application Control

Administrators who wish to have an additional layer of protection on endpoints, such as prevention of unwanted and unknown applications (like ransomware and 0-day malware) from executing, may deploy policies to block untrusted EXE files.

Customers who have purchased one of the Trend Micro Smart Protection Suites may already have the license for this protection, but have not implemented it yet. To install and configure policies, refer to the following KB:

TMEAC: Best Practice Configuration against Ransomware and other Malware Threats with Endpoint Application Control (TMEAC) 2.0 Patch 1

For more detailed configuration steps, refer to the document: Endpoint Application Control Guide.

Deep Security

Learn about ways Deep Security can protect servers from the effects of ransomware by following the article, Ransomware Detection and Prevention in Deep Security.

You can also download and apply the following critical patches to add new widgets for ransomware monitoring:

  • Deep Security Manager 9.6 Service Pack (SP) 1 Patch 1 Critical Patch 1 (9.6.4000)
  • Deep Security Manager 9.5 Service Pack (SP) 1 Patch 3 Critical Patch 1 (9.5.7200)

For more details, check this article: Adding new widgets for ransomware monitoring in Deep Security Manager (DSM).

The following articles will guide you through further enhancing protection on your Messaging and Gateway products:

References: Protection Modules Introduction

Since email is a popular vector for attackers to deliver ransomware, effective blocking of certain non-essential file types such as Executables or Scripts is also recommended. Administrators may block these file types by true file type (recommended) or by specific extension names. Customers can use the following messaging products to block email attachments. To configure these products, refer to this article on Filtering and blocking email attachments using Trend Micro's Messaging products.

  • ScanMail for Microsoft Exchange
  • Hosted Email Security
  • InterScan Messaging Security

Macro viruses are one of the most common types of file infectors in Microsoft Office documents and compressed files. For enhanced security, configure the macro file scanning option using Trend Micro products.

Messaging product users are recommended to enable Web Reputation Service and the New-Born URLs handling function in order to effectively catch new waves of malicious spam campaigns. Check out the list of messaging products with the New-Born URLs handling function.
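
The difference between blocking by extension and blocking by true file type, and the macro-container check behind the macro scanning recommendation, can be shown in a few lines. This is an added example, not Trend Micro code or product behavior; the denylist, the magic-byte subset, the function names and the sample attachments are all constructed for illustration.

```python
import io
import zipfile

BLOCKED_EXTENSIONS = (".exe", ".scr", ".js", ".vbs")  # constructed denylist

# Leading "magic" bytes of a few formats (a small subset, enough for the demo).
MAGIC = [
    (b"MZ", "windows-executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-document"),  # legacy .doc/.xls
    (b"PK\x03\x04", "zip"),  # plain archives and .docx/.docm/.xlsm
    (b"%PDF-", "pdf"),
]

def true_file_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return _zip_kind(data) if kind == "zip" else kind
    return "unknown"

def _zip_kind(data: bytes) -> str:
    """Tell a macro-bearing Office Open XML file from a plain ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip"
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    return "office-with-macros" if has_vba else "zip"

def blocked_by_extension(filename: str) -> bool:
    return filename.lower().endswith(BLOCKED_EXTENSIONS)

def blocked_by_true_type(data: bytes) -> bool:
    return true_file_type(data) in {"windows-executable", "office-with-macros"}

def make_macro_container() -> bytes:
    """Constructed sample: a ZIP with the member names of a macro-enabled document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

SAMPLES = [  # constructed attachments: (file name as sent, content)
    ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),  # executable header, renamed
    ("report.docx", make_macro_container()),  # macro container, renamed
    ("notes.pdf", b"%PDF-1.4\n"),
]
```

The first two samples pass the extension rule because of their names but are caught by content inspection, which is why true file type filtering is the recommended mode.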

Email Reputation Services users are strongly encouraged to enable the Quick Information List (QIL) filtering level for IP reputation and set the level to at least Level 2.

The following articles will guide you through further enhancing protection on your Network Defense products:

Control Manager (TMCM) offers Ransomware monitoring capabilities, providing information about the detection statistics and affected users. The following article will help you understand the information provided by TMCM: Checking the information displayed in the Ransomware Prevention sub-page of the TMCM dashboard.

The following article will guide you through further enhancing protection on your mobile products including Mobile Security for Android and Mobile Security for Enterprise:

TMMS: Mobile Ransomware: Prevention and Best practice

Prevention

Victims who have been affected by ransomware can generally attest to the pain and complexity of trying to recover after such an attack. Increased user awareness and vigilance can save a potential victim time and money in the unfortunate event of an attack. Preventing the attack in the first place is still the most effective way of dealing with this threat.

The following is a list of some preventative measures that users and administrators can employ as best practices:

  • Regular backups of critical data in case of any sort of loss (not just ransomware).
  • Timely application of software patches from OS and third-party vendors.
  • Exercise good email and website safety practices – downloading attachments, clicking URLs or executing programs only from trusted sources.
  • Encourage users to alert IT Security team of potentially suspicious emails and files.
  • Ensure your security products are updated regularly and perform periodic scans.
  • Implement application whitelisting on your endpoints to block all unknown and unwanted applications.
  • Regular user education around the dangers and signals of social engineering.

Trend Micro continues to devote countless hours of research into new ways of combating these threats and to update our users with the latest information and recommendations through our Security Intelligence Blog and Knowledge Base.

In addition, your authorized Trend Micro support representative is available for any questions regarding the configuration options mentioned in this advisory to combat ransomware.

Available Tools

Trend Micro has developed a tool to decrypt files that were encrypted by certain ransomware families. Refer to Downloading and Using the Trend Micro Ransomware File Decryptor for instructions on using the Decryption Tool.

Trend Micro™ Ransomware Screen Unlocker Tool is designed to eliminate Lock Screen ransomware from your infected PC in two scenarios. Refer to this KB article for details: Downloading and using Trend Micro™ Ransomware Screen Unlocker Tool.

Ransomware collector is a special type of Anti-Threat Toolkit (ATTK). It is a command line tool used for collecting the ransomware sample and encrypted files for analysis.

Download Ransomware Collector (32bit)

Download Ransomware Collector (64bit)

Category: Configure

Solution Id: 1112223