Ransomware Viruses
What Is Ransomware?
Ransomware viruses are a category of malware that sabotages documents and makes then unusable, but the computer user can still access the computer. Ransomware attackers force their victims to pay the ransom through specifically noted payment methods after which they may grant the victims access to their data. Unfortunately, ransomware decryption is not possible using removal tools.
Ransomlockers are a related type of malware that prevents users from accessing their devices or data by locking their computer. The victim receives a message that may appear to be from local law enforcement, demanding a "fine" to let victims avoid arrest and to unlock their computers.
Types of Ransomware
While not an exhaustive list of ransomware virus types, here are a few notable examples of kinds of ransomware.
Petya
Petya is a Trojan horse ransomware that encrypts files on the compromised computer. Similar to WannaCry, Petya uses the EternalBlue exploit as one of the means to propagate itself. However it also uses classic SMB network spreading techniques, meaning that it can spread within organizations, even if they have patched against EternalBlue.
WannaCry
WannaCry is far more dangerous than other common ransomware types because of its ability to spread itself across an organization's network by exploiting a critical vulnerability in Windows computers, which was patched by Microsoft in March 2017 (MS17-010). The exploit, known as "Eternal Blue" was released online in April in the latest of a series of leaks by a group known as the Shadow Brokers, who claimed that it had stolen the data from the Equation cyber espionage group.
WannaCry searches for and encrypts 176 different file types and appends .WCRY to the end of the file name. It asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days it claims the encrypted files will be deleted. However Symantec has not found any code within the ransomware which would cause files to be deleted.
How Symantec Products Keep You Safe Against Ransomware
Defense in depth across all control points is required to stop ransomware
Symantec Email Security.cloud, Symantec Messaging Gateway
- Perform static analysis of malicious indicators within files or documents
- Detonate potentially malicious scripts in sandbox before email delivery and block
if signs of malicious behavior evident - Block malicious links with real-time link following before email delivery and link analysis at click-time post delivery
Web
Symantec Secure Web Gateway Solutions1
- Block malicious sites including command & control and encryption server
- Analyze files for suspicious behavior from unknown URLs for ransomware activity using multi-layer and live threat feeds
- Malware Analysis looks for ransomware-specific behaviors and detonates unknown files in a sandbox before delivering
Endpoint
Symantec Endpoint Protection 142, ATP: Endpoint (EDR)
- Advanced Machine Learning detects polymorphic malware
- Emulator unpacks evasive malware while Behavior Analysis uncovers ransomware actions
- IPS blocks ransomware’s attempt to download encryption keys
- Isolate endpoints when ransomware is detected to prevent lateral movement
- Hunt for ransomware IoCs across all endpoints
Workload
Symantec Data Center Security: Server Advanced
- ‘Out of the box’ IPS rules can prevent ransomware executables from being dropped or executed on the system
- Customers not using full IPS protections can deploy policies to block specific malware executables
- Additional rules can be applied to block all in/outbound SMB traffic
- Ransomware can also be blocked by adding executable hashes to global no-run lists
Symantec 2018 Internet Security Threat Report
Ransomware shifts from big score to commodity, lowering prices while increasing variants by 46 percent.
Blogs
WannaCry: Ransomware attacks show strong links to Lazarus group
Similarities in code and infrastructure indicate close connection to group that was linked to Sony Pictures and Bangladesh Bank attacks.An Integrated Defense Strategy to Fight Ransomware at Every Attack Point
Symantec's advanced ransomware protection solutions offer integrated defense across ALL control points.
Learn more how Symantec provide protection against WannaCry Ransomware.
WannaCry Ransomware: Top 10 Ways Symantec Incident Response Can Help
How IR can detect, remediate and protect against future ransomware attacks.WannaCry Ransomware: 6 Implications for the Insurance Industry
This article illustrates the emerging risks that the insurance industry faces when it comes to cyber attacks.Can files locked by WannaCry be decrypted: A technical analysis
The WannaCry ransomware worm has dominated the global news cycle since it started spreading.
Learn how this ransomware attack spread and how to protect your network from similar attacks.
Symantec protects customers against ransomware through layered defenses across multiple product lines, guarding multiple attack vectors and targets including email, web, endpoints, and data center servers. SONAR behavior detection technology also proactively protects against infections.
Endpoint: Symantec Endpoint Protection and Norton
Symantec Endpoint Protection (SEP) and Norton have blocked any attempt to exploit the vulnerability used by WannaCry since April 24, before WannaCry first appeared, using a combination of technologies. In fact, the Advanced Machine Learning feature alone in SEP proactively blocked all WannaCry infections on day zero, without any updates. All SEP versions including SEP 14, SEP Cloud and SEP Small Business Edition have these automatic protections available against WannaCry. See Details and Recommendations section below for more information.
Email: Symantec Email Security.cloud and Symantec Messaging Gateway
Symantec Email Security.cloud and Symantec Messaging Gateway products provide automatic protection against WannaCry for email-based attacks.
Web: Symantec Secure Web Gateway
Symantec Secure Web Gateway (SWG) blocks access to malicious websites and downloads that might contain ransomware. SWG solutions include ProxySG, WSS, GIN, Content and Malware Analysis, Security Analytics, and SSLV.
Workload: Symantec Data Center Security: Server Advanced
Symantec Data Center Security: Server Advanced (DCS:SA) intrusion prevention policies block WannaCry 'out of the box'. All three levels of Symantec DCS:SA policies; Windows 6.0 (and up) Basic, Hardening, and Whitelisting block the WannaCry ransomware attack from dropping malicious executables onto systems. Customers not deploying full intrusion prevention capabilities can apply targeted intrusion prevention policies to block execution of ransomware.
Note: See the Data Center Security Server ransomware blog post for additional details and instructions.
Endpoint Management: Symantec IT Management Suite
Symantec IT Management Suite (ITMS) provides vulnerability patching and updates for endpoints and data center servers. The Security Update for Microsoft Windows SMB Server (4013389) patch, which protects against WannaCry, was released in March by Microsoft, and ITMS has been supporting it from the same date.
Note: ITMS 7.5 will patch Windows 7/8.1 systems, however ITMS 7.6 or newer is required to patch Windows 10 systems.
Cyber Security Services: Customers can benefit from Symantec's Managed Security Services for monitoring WannaCry alerts and detect ransomware spread within their organization. Symantec can also provide Incident Response Services including readiness, hunting, and response services for WannaCry victims.
View the detailed overview of how Symantec Products protect you from Wannacry and other Ransomware.
Details and recommendations for Symantec Endpoint Protection and Norton customers
Symantec recommends that customers have the following technologies enabled for full proactive protection:
- Intrusion prevention
- SONAR behavioral detection technology
- Advanced machine learning
Note: Symantec Endpoint Protection customers are advised to migrate to SEP 14 to take advantage of the proactive protection provided by advanced machine learning.