How to protect against and remove ransomware?

In 2016 we are starting to see a spiralling increase in ransomware attacks, many of which are becoming more sophisticated and harder to detect and prevent. Ransomware attacks can be crippling, and some companies may struggle to recover.

Many businesses are still under-prepared, with about 62% of companies lacking confidence in their ability to confront the threat of ransomware.

More mobile workers, more complex and distributed networks and more connected devices mean that the perimeter is going to be harder to defend and the vulnerabilities are going to be harder to exploit.

What is Ransomware?

Ransomware is a category of malware that restricts users from accessing their devices or data. Ransomware attackers force their victims to pay a ransom through specifically noted payment methods, and only after that will they grant the victims access to their computers or data again.

With ransomlockers, the attacker pretends to be local law enforcement and demands a “fine” that the victim must pay to avoid arrest and to unlock their computer.

Cryptolocker is a ransomware variant whose malware encrypts the user’s files and often deletes the original copy. The attacker then requests a ransom for the files to be decrypted. Not only are files on the local computer damaged, but also often the files on any shared or attached network drives to which the computer has write access.

Ransomware can arrive through email or be hidden in downloadable files and programmes from compromised sites and applications.

How to prevent ransomware attacks?

Here are five simple steps that you can follow to avoid a ransomware infection:

  1. Back up your computers and servers regularly – Make sure that you regularly back up the files on both client computers and servers. Either back up the files while the computer is offline, or use a system that networked computers and servers cannot write to. If you do not have dedicated backup software, you can also copy your important files to a removable media device. Then eject and remove the device; do not leave the removable media device plugged in.
  2. Lock down mapped network drives by securing them with a password and access control restrictions – Use read-only access for files on network drives unless write access to those files is absolutely necessary. Restricting user permissions limits which files the threat can encrypt.
  3. Deploy and enable the following protections from the Symantec Endpoint Protection Manager:
    1. IPS – The IPS blocks some threats that traditional virus definitions alone cannot stop. IPS is the best defence against drive-by downloads, which occur when software is unintentionally downloaded from the internet. Attackers often use exploit kits to deliver a web-based attack like Cryptolocker through a drive-by download.
    2. SONAR – This behaviour-based protection is another crucial defence against malware. It prevents the double executable file names used by ransomware variants like Cryptolocker from running. In the Virus and Spyware Protection policy, click SONAR > Enable SONAR.
    3. Download Insight – You can modify Download Insight in a Virus and Spyware Protection high-security policy to quarantine files that have not yet been proven safe by the Symantec customer base.
  4. Download the latest patches for web application frameworks, web browsers and web browser plug-ins – Exploit kits cannot deliver drive-by downloads unless there is an older version of a plug-in, such as Flash, to exploit. Historically the attacks were delivered through phishing and web browsers; more recently they are being delivered through vulnerable web applications such as WordPress, Joomla and JBoss.
  5. Use an email security product to handle email safely – Cryptolocker is often spread through spam emails that contain malicious attachments. Scanning inbound email for threats with a dedicated mail security product or service is critical to keeping ransomware and other malware out of your company.
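As an added illustration (not part of the original article and not Symantec's code), here is a small Python check for the double-extension attachment names that the SONAR and email-security steps above refer to, such as a document name followed by an executable extension. The extension lists and the sample attachment names are constructed assumptions, and a real mail gateway would apply this alongside content scanning, not instead of it.

```python
import re

# Extensions Windows runs directly. Illustrative list, not exhaustive.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd",
                   "js", "jse", "vbs", "vbe", "wsf", "hta"}
# Document/media extensions a lure name borrows to look harmless.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
              "txt", "jpg", "png", "zip"}


def classify_attachment(filename: str) -> str:
    """Return 'block', 'review' or 'allow' for one attachment file name."""
    # Collapse whitespace padding such as "invoice.pdf          .exe" so the
    # real extension is always the last dotted component.
    name = re.sub(r"\s+", "", filename).lower()
    parts = name.split(".")
    if len(parts) < 2:
        return "allow"            # no extension at all
    last = parts[-1]
    if last not in EXECUTABLE_EXTS:
        return "allow"            # data file; still goes through AV scanning
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "block"            # the double-extension lure: data.ext.exe
    return "review"               # plain executable attachment: hold for a human


def triage_attachments(filenames):
    """Map each attachment name to its verdict."""
    return {f: classify_attachment(f) for f in filenames}


# Constructed sample attachment names (not taken from any real campaign).
SAMPLE_NAMES = [
    "Invoice_2016-03.pdf.exe",
    "Scan_0142.doc              .scr",
    "setup.exe",
    "Q1_report.xlsx",
    "logs.tar.gz",
    "README",
]

if __name__ == "__main__":
    for fname, verdict in triage_attachments(SAMPLE_NAMES).items():
        print(f"{verdict:6}  {fname!r}")
```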

All of these simple steps will help you and your business avoid a ransomware infection. For more information about the Symantec Endpoint Protection software, speak to one of ServerLink’s account managers today.


How to remove ransomware?

Unfortunately, there is no ransomware or Cryptolocker removal tool. If your business’s or your client’s computers do get infected with ransomware and you find that your data is encrypted, here are some steps to follow:

  1. Do not pay the ransom – You have no guarantee that the attacker will give you the means to unlock your computers or decrypt your files. Paying the ransom also gives the attacker money that will fund additional attacks against other users.
  2. Isolate the infected computer before the ransomware can attack network drives to which it has access – Isolating infected computers reduces the chance of the ransomware spreading to other areas on the network drives.
  3. Use Symantec Endpoint Protection Manager to update the virus definitions and scan the client computers – The newest definitions are more likely to detect and remediate ransomlockers. Symantec Endpoint Protection Manager automatically downloads the virus definitions to the client, as long as the client is managed and connected to the Symantec Endpoint Protection Manager. In Symantec Endpoint Protection Manager, click Clients, right-click the group, and click Run a command on the group > Update Content and Scan.
  4. Restore damaged files from a known good backup – Like many other security products, Symantec Endpoint Protection cannot decrypt files that have been encrypted by ransomlockers.
  5. Submit the malware to Symantec Security Response – If you can identify the malicious email or executable, you can submit it to Symantec Security Response. These samples enable Symantec to create new signatures, which help improve defences against ransomware.

To conclude, ransomware attacks are increasing every day and many businesses are still struggling to recover from them. Ransomware is a type of malware, and Cryptolocker is a variant of ransomware; both are being used by attackers every day.

There are five simple steps to follow to avoid a ransomware infection, and there are also steps to help you remove ransomware if your or your client’s computers are infected. Remember: do not pay the ransom.

Contact one of ServerLink’s sales team for more information about Symantec’s Endpoint Protection software, which the team suggests as a good line of defence.

It is not only businesses and their clients who are affected by ransomware; the NHS Trust has been affected too, and attacks on universities are increasing.