Prevention

  1. Implementing OSCE’s “Best Practice” configuration against malware threats is very important in preventing this malware from entering the machine or network. View the guide here.

    Highlights:

    1. Smart Scan has larger coverage and is updated frequently. Newer samples of ransomware are processed and pushed to cloud updates a lot faster than with the traditional scan method. Use this KB article as a guide: Changing scan methods from Conventional to Smart Scan and vice versa in OfficeScan (OSCE).
    2. Enable Web Reputation Services (WRS) and make sure to implement this for both INTERNAL and EXTERNAL networks. This blocks infection vectors, as well as communication vectors. Use this KB article as a guide: Blocking web threats using the Web Reputation Service (WRS) in OfficeScan (OSCE).
    3. Enable Behavior Monitoring, as it proactively detects threats through behavior analysis. It also has a feature that prompts users before they execute a “newly encountered” file; being newly encountered is a common characteristic of ransomware.
       
      The “newly encountered” file prompt feature is only available in OSCE 10.6 with Service Pack 3 or later versions.
       

      Enable the following settings under Behavior Monitoring:

      Ransomware Protection

      • Protect documents against unauthorized encryption or modification.
      • Automatically backup and restore files changed by suspicious programs.
      • Block processes commonly associated with ransomware.
      • Enable program inspection to detect and block compromised executable files.
         
        Program inspection provides increased security if you select "Known and potential threats" in the "Threats to block" drop-down list.
         

      Anti-exploit Protection

      • Terminate programs that exhibit abnormal behavior associated with exploit attacks.
    4. Enable Smart Feedback. The Trend Micro Smart Protection Network provides a feedback mechanism to minimize the effort of threat harvesting, analysis, and resolution. It not only helps increase the detection rate but also provides a quick real-world scenario. It also helps ensure customers get the latest protection in the shortest possible time. Use this KB article as a guide: Enabling Smart Protection Network and Smart Feedback in OfficeScan (OSCE).
  2. Make sure that you have a mail scanning solution implemented on your network. Several variants of ransomware have been found to originate from spam emails as malicious attachments.

Cleanup and Sample Collection

If the OSCE product is unable to remove the ransomware infection on a machine, use the ATTK Tool to clean the machine and/or collect malicious samples for submission to the Trend Micro Business Support website for further checking.

Prevention

  1. Implementing the WFBS Best Practice configuration against malware threats is very important in preventing this malware from entering the machine or network.

    Highlights:

    • Smart Scan has larger coverage and is updated very frequently. Newer samples of ransomware are processed and pushed to cloud updates a lot faster than with the traditional scan method.
    • Enable the scanning of POP3 messages to prevent malicious attachments from entering and eventually infecting the machine.
    • Enable Web Reputation Services (WRS) and make sure you implement this for both In-Office and Out-of-Office networks. This blocks infection vectors, as well as communication vectors.
    • Enable Behavior Monitoring, as it proactively detects threats through behavior analysis, which means there will be an extra layer of protection on the machine.
    • Enable Smart Feedback. The Trend Micro Smart Protection Network provides a feedback mechanism to minimize the effort of threat harvesting, analysis, and resolution. It not only helps increase the detection rate but also provides a quick real-world scenario. It also helps ensure customers get the latest protection in the shortest possible time.
  2. Make sure that you have a mail scanning solution implemented on your network (IMSVA, SMEX, HES, etc.). Several variants of ransomware have been found to originate from spam emails as malicious attachments.

Cleanup and Sample Collection

If the WFBS product is unable to remove the ransomware infection on a machine, use the ATTK Tool to clean the machine and/or collect malicious samples for submission to the Trend Micro Business Support website for further checking.