Ransomware Detection and Prevention with Deep Security Intrusion Prevention

    • Updated: 27 May 2021
    • Product/Version: Deep Security 20.0
    • Platform: N/A

Trend Micro Deep Security can protect servers from the effects of ransomware in multiple ways. It has generic protection capabilities that defend servers against malicious software, including ransomware. Deep Security includes:

  • Anti-Malware scanning, leveraging data from the Smart Protection Network, to stop malicious software from attacking a server
  • Network security, including intrusion prevention (IPS) which stops vulnerabilities from being exploited and the resulting potential installation of malicious software (including ransomware)
  • System security, including integrity monitoring which can provide visibility of system changes that represent malicious software activity
  • Web Reputation, which blocks outbound communication to known bad domains

Deep Security protection modules also contain ransomware-specific defense capabilities, which are listed below:

This list is current as of document publishing. Trend Micro’s threat team is constantly looking for ways to enhance the protection that Deep Security can provide and the list will grow over time.

Intrusion Prevention (IPS)

Deep Security detects and prevents ransomware command and control (C&C) activity over the network. Instead of focusing on domains and IP addresses, these rules scan network traffic for known communication techniques used by ransomware.

Network File Share Protection

Trend Micro Deep Security provides the following Intrusion Prevention rules which specifically address the ransomware technique of encrypting files on mounted shares (Windows or Linux – Samba).

  • Rule name: 1007596 - Identified Suspicious File Extension Rename Activity Over Network Share
    This rule provides visibility into ransomware activity but in most cases does not prevent ransomware encryption activity. It monitors for known techniques that ransomware uses when changing file extensions (e.g. .zzz, .encryptedRSA, .crypt, etc.). The rule checks for roughly 50 file extensions and also provides an option to exclude or include specific file extensions so that it can be tuned to the environment.

    The default settings for the rule are:
    • Detect-only
    • Recommended on Windows computers
  • Rule Name: 1007598 - Identified Suspicious Rename Activity Over Network Share
    This rule can be used to protect a server from clients infected with ransomware. It monitors and limits file change activity over the network. More specifically, the rule limits the number of file renames within a given period of time: N renames in T1 seconds from a source IP address result in any further rename activity from that source IP address being limited for T2 seconds.

    The default settings for the rule are:
    • Detect-only
    • Not recommended by default. The rule must be manually assigned.
    • N=0, T1=0, T2=0 (no action by default)
  • Rule Name: 1008679 - Identified BADRABBIT Ransomware Propagation Over SMB
    This DPI rule blocks lateral movement of BADRABBIT ransomware over SMB.

    [Image: Rule 1008679 - Identified BADRABBIT Ransomware Propagation Over SMB]
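The two network-share rules above (1007596 and 1007598) are easiest to reason about as detection logic over a stream of SMB rename events. The following Python is an added illustration of that logic and is not Trend Micro code; the product's actual matching, its ~50-extension list and its exact threshold semantics are not published here, so the extension set, the sample events and the choice that the Nth rename inside the window is the one that triggers limiting are all assumptions made for this example.

```python
# Added example, not part of Deep Security: a simplified model of the
# two network-share rename heuristics described in this article.
from dataclasses import dataclass
from collections import deque

# Constructed, illustrative subset; rule 1007596 checks ~50 extensions.
SUSPICIOUS_EXTENSIONS = {".zzz", ".encryptedrsa", ".crypt", ".locked"}


@dataclass
class RenameEvent:
    ts: float        # seconds since start of capture
    src_ip: str      # client that issued the rename over SMB
    old_name: str
    new_name: str


def extension(name: str) -> str:
    """Return the lower-cased final extension, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def suspicious_extension_rename(ev, include=frozenset(), exclude=frozenset()) -> bool:
    """Model of rule 1007596 (detect-only): flag a rename whose new
    extension is on the watch list. include/exclude mirror the rule's
    tuning options; assumed semantics: include adds, exclude removes."""
    watch = (SUSPICIOUS_EXTENSIONS | set(include)) - set(exclude)
    new_ext = extension(ev.new_name)
    # A file that already had the extension is not an encryption rename.
    return new_ext in watch and new_ext != extension(ev.old_name)


class RenameRateLimiter:
    """Model of rule 1007598: N renames within T1 seconds from one source
    IP cause further renames from that IP to be limited for T2 seconds.
    N=0, T1=0, T2=0 reproduces the product default of taking no action."""

    def __init__(self, n: int, t1: float, t2: float):
        self.n, self.t1, self.t2 = n, t1, t2
        self.windows = {}        # src_ip -> deque of rename timestamps
        self.blocked_until = {}  # src_ip -> timestamp at which limiting ends

    def check(self, ev: RenameEvent) -> str:
        """Return 'allow' or 'limited' for this event."""
        if self.n == 0 or self.t1 == 0 or self.t2 == 0:
            return "allow"
        if ev.ts < self.blocked_until.get(ev.src_ip, 0.0):
            return "limited"
        window = self.windows.setdefault(ev.src_ip, deque())
        window.append(ev.ts)
        # Drop renames that fell out of the sliding T1-second window.
        while window and ev.ts - window[0] > self.t1:
            window.popleft()
        if len(window) >= self.n:  # assumption: the Nth rename triggers
            self.blocked_until[ev.src_ip] = ev.ts + self.t2
            window.clear()
            return "limited"
        return "allow"


def run_sample():
    """Constructed scenario: one client mass-renames .docx to .docx.zzz,
    one client performs a single ordinary rename. Returns per-event
    tuples (src_ip, ts, suspicious_extension, rate_limit_verdict)."""
    limiter = RenameRateLimiter(n=5, t1=10, t2=60)
    events = [RenameEvent(float(t), "10.0.0.5", f"doc{t}.docx", f"doc{t}.docx.zzz")
              for t in range(6)]
    events.append(RenameEvent(2.5, "10.0.0.9", "report.docx", "report_final.docx"))
    events.sort(key=lambda e: e.ts)
    return [(ev.src_ip, ev.ts, suspicious_extension_rename(ev), limiter.check(ev))
            for ev in events]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Running the sample, the first four renames from 10.0.0.5 are allowed (and each is flagged by the extension check), the fifth trips the N=5/T1=10 threshold and every later rename from that client is limited for T2=60 seconds, while the single benign rename from 10.0.0.9 is neither flagged nor limited. With the product defaults (N=T1=T2=0) the limiter never acts, which is why the article notes that rule 1007598 must be assigned and tuned manually.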
