Endpoint SWAT: Protect the Endpoint Community

  • 1.  Misleading SymantecTV ransomware video?

    Posted Jun 21, 2016 10:07 AM

    Hi all. 


    I was just browsing ransomware topics and happened across a SymantecTV short video, which somewhat explains ransomware as to a child, but at the end it rather weakly indicates that you can clean ransomware with the likes of Power Eraser. Obviously these videos are made by the marketing people so there's no point in believing any of it without verification, but from a technical standpoint does anybody here know if it has ever proven effective? Given that removing the encryptor engine means you have no facility to decrypt the files, removing it really accomplishes nothing anyway, I would think. Unless you powered off the moment it began encryption so most files are still intact. Even then you have to hope there is no way for that stuff to come back.

    And for the life of me, I don't know why, but every security vendor keeps saying "don't pay the ransom". Just a minor rant here, but I doubt that will deter cybercriminals from the most lucrative gold rush that ever existed in the cyber domain. The intelligent ones likely realize that having high unlock rates means the market will not dry up, and I might also point out that since the bad guys are always a step ahead, guess what happens if enough people take that advice? The baddies will be prompted to evolve the game further and more quickly. For example (and if this doesn't exist I'm sure it will soon either way), with encrypting ransomware not only do your files get encrypted, but perhaps they'll threaten to share your stuff online with the world too. Or maybe a thing where you pay once for decryption, and a second fee for non-sharing. It's a natural evolution that is only limited by the imagination, but it isn't likely to be prompted unless current methods start to become less effective. And I don't mean antivirus detection rates, I mean if ransomware victims begin to just say no, the bad guys will have to find new ways for victims to have to say yes. I would think we'd want to keep the enemy contained within known parameters and try to avoid causing them to feel they must innovate on the victim coercion front.

    I am very much hoping that this advice is based on something more solid than a half-hearted hope that if we all just say no, somehow cybercriminals will throw their hands up in defeat and take up golf or musical instruments.


    Anyway, rants aside, I'm just wondering if anybody has observed or heard of Power Eraser doing anything successful with ransomware. And another thought or question: does Symantec have a specific incident response team for ransom-locked customers, or is it just the standard support process?

    Thank you. 




  • 2.  RE: Misleading SymantecTV ransomware video?
    Best Answer

    Posted Jun 21, 2016 10:16 AM

    That's funny. Power Eraser was renamed to Threat Analysis Scan a while back. It's part of SymDiag. It works OK, I guess. It's aggressive in that it sometimes detects legit software as well.

    Symantec offers an Incident Response service as well, but that will be for something like a breach. You can engage support for the smaller stuff.



  • 3.  RE: Misleading SymantecTV ransomware video?

    Posted Jun 21, 2016 10:36 AM

    I wonder if maybe that video had only been created back in 2012 or something, before encrypting became the norm. I forget if I checked, but shame on me if I criticized outdated content thinking it was current. Then again, such content should be kept up to date, or deleted if obsolete, so I shouldn't have to check relevance (haha, yeah right).


    So, if you're a hospital and have ransomware en masse, call incident response; otherwise, better hope it's TeslaCrypt. :)




  • 4.  RE: Misleading SymantecTV ransomware video?

    Posted Jun 21, 2016 11:53 AM

    AFAIK Norton Power Eraser still exists, while Threat Analysis Scan, formerly known as Power Eraser, is part of SymDiag, formerly known as SymHelp, formerly known as SymDiag. And don't forget the slightly different Power Eraser which can be launched from the SEPM GUI, which is not renamed yet.

    Symantec's non-existent naming standards are a source of permanent confusion and/or amusement. And if you believe you have understood, they drive you crazy with strange translations in the non-English versions.

    I'm definitely sure the next SEP version won't be 12.2 or 12.5 or 13 (!) or 14 but something completely unforeseeable.

    Sorry for the off-topic post, couldn't resist :)