5 steps for preventing ransomware

Hardening Your Environment Against Ransomware

To avoid ransomware infection, follow these steps:

1.    Back up your computers and servers regularly.

Regularly back up the files on both the client computers and servers. Either back up the files when the computers are offline or use a system that networked computers and servers cannot write to. If you do not have dedicated backup software, you can also copy the important files to removable media. Then eject and unplug the removable media; do not leave the removable media plugged in.

2.    Lock down mapped network drives by securing them with a password and access control restrictions.

Use read-only access for files on network drives, unless it is absolutely necessary to have write access for these files. Restricting user permissions limits which files the threats can encrypt.

3.    Deploy and enable Endpoint Protection.

Implement managed endpoint antivirus on all endpoints to prevent ransomware; most ransomware can be detected by popular antivirus products.

4.    IPS/IDS

IPS blocks some threats that traditional virus definitions alone cannot stop. IPS is the best defense against drive-by downloads, which occur when software is unintentionally downloaded from the Internet. Attackers often use exploit kits to deliver a web-based attack like CryptoLocker through a drive-by download.

See Enabling network intrusion prevention or browser intrusion prevention.

5.    Download the latest patches for web application frameworks, web browsers, and web browser plug-ins.

Attacking exploit kits cannot deliver drive-by downloads unless there is an old version of a plug-in to exploit, such as Flash. Historically, attacks were delivered through phishing and web browsers. Recently, more attacks are delivered through vulnerable web applications, such as JBOSS, WordPress, and Joomla.

6.    Use an email security product to handle email safely.

CryptoLocker is often spread through spam emails that contain malicious attachments. Scanning inbound emails for threats with a dedicated mail security product or service is critical to keep ransomware and other malware out of your organization. For important advice and recommendations, see:

How to remove ransomware

There is no ransomware removal tool or CryptoLocker removal tool. Instead, if your client computers do get infected with ransomware and your data is encrypted, follow these steps:

1.    Do not pay the ransom.

If you pay the ransom:

·         There is no guarantee that the attacker will supply a method to unlock your computer or decrypt your files.

·         The attacker uses the ransom money to fund additional attacks against other users.

2.    Isolate the infected computer before the ransomware can attack network drives to which it has access.

3.     Update the virus definitions and scan the client computers.

New definitions are likely to detect and remediate the ransomware. Configure Endpoint Protection to automatically download virus definitions to the client, as long as the client is managed and connected to the Symantec Endpoint Protection Manager.

4.    Restore damaged files from a known good backup.

No endpoint protection product can decrypt the files that ransom lockers have sabotaged.

5.    Submit the malware to your antivirus provider.

If you can identify the malicious email or executable, submit it to your antivirus provider.
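
One way to check that a backup is still a "known good backup" before restoring from it, as an added example that is not part of the original page: record a SHA-256 manifest when the backup is taken (prevention step 1), keep the manifest offline with the media, and compare the backup against it before the restore (removal step 4). The function names, file names and manifest layout are assumptions made for illustration, and the sample files are constructed.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def verify_backup(root, manifest):
    """Compare a backup tree with the manifest recorded at backup time."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed sample: a backup that changes after its manifest was recorded."""
    with tempfile.TemporaryDirectory() as backup:
        for name, data in [("report.docx", b"quarterly report"), ("ledger.xlsx", b"ledger rows")]:
            with open(os.path.join(backup, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(backup)  # assumption: stored offline with the media
        clean = verify_backup(backup, manifest)
        # Constructed changes of the kind seen on a backup that stayed writable.
        with open(os.path.join(backup, "report.docx"), "wb") as fh:
            fh.write(b"overwritten bytes")
        os.rename(os.path.join(backup, "ledger.xlsx"), os.path.join(backup, "ledger.xlsx.locked"))
        with open(os.path.join(backup, "README_RESTORE.txt"), "w") as fh:
            fh.write("constructed placeholder note")
        return clean, verify_backup(backup, manifest)


if __name__ == "__main__":
    print(demo())
```

Any entry under "modified", "missing" or "unexpected" means that backup set should not be treated as known good; fall back to an older set whose manifest still matches.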