Ransomware viruses are defined as a category of malware that sabotages documents and renders them unusable while still allowing the user to access the computer. By definition, a ransomware attack forces the victim to pay a ransom through specifically named payment methods, after which the attackers may (or may not) restore the victim's access to the data. Unfortunately, removal tools cannot decrypt files that ransomware has already encrypted.
Ransomlockers are a related type of malware that prevents users from accessing their devices or data by locking the computer. The victim receives a message, often made to look as if it comes from local law enforcement, demanding a "fine" to avoid arrest and to unlock the computer.
While not an exhaustive list of ransomware virus types, here are a few notable examples and definitions of ransomware.
WannaCry is far more dangerous than other common ransomware types because of its ability to spread itself across an organization's network by exploiting a critical vulnerability in the Windows SMB service, which Microsoft patched in March 2017 (MS17-010). The exploit, known as EternalBlue, was released online in April 2017 in the latest of a series of leaks by a group known as the Shadow Brokers, which claimed it had stolen the data from the Equation cyber espionage group.
WannaCry searches for and encrypts 176 different file types and appends .WCRY to the end of each file name. It asks users to pay a US$300 ransom in bitcoins. The ransom note states that the payment amount will be doubled after three days and claims that the encrypted files will be deleted if payment is not made within seven days. However, Symantec has not found any code within the ransomware that would cause files to be deleted.
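The .WCRY extension described above is a simple indicator a defender can alert on. The following is an added example (not Symantec's code and not part of the original page) that scans constructed file-event log lines and flags any host where several files gain the .WCRY extension within a short window; the log format, host names, thresholds and sample lines are all assumptions.

```python
"""Heuristic detection of WannaCry-style encryption bursts in file-event logs.

Added example, not Symantec's code. The page states that WannaCry appends
.WCRY to encrypted files; many such renames on one host inside a short
window is a burst no normal workload produces. Log format is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <host> <action> <src> -> <dst>"
SAMPLE_LOG = r"""
2017-05-12T10:00:01 ws-07 RENAME C:\Users\a\Docs\q1.xlsx -> C:\Users\a\Docs\q1.xlsx.WCRY
2017-05-12T10:00:02 ws-07 RENAME C:\Users\a\Docs\notes.docx -> C:\Users\a\Docs\notes.docx.WCRY
2017-05-12T10:00:02 ws-07 RENAME C:\Users\a\Docs\plan.pptx -> C:\Users\a\Docs\plan.pptx.WCRY
2017-05-12T10:00:03 ws-07 RENAME C:\Users\a\Docs\cv.pdf -> C:\Users\a\Docs\cv.pdf.WCRY
2017-05-12T10:00:04 ws-12 RENAME C:\tmp\a.txt -> C:\tmp\a.bak
2017-05-12T11:30:00 ws-12 RENAME C:\tmp\sample.bin -> C:\tmp\sample.bin.WCRY
2017-05-12T11:31:00 ws-12 RENAME C:\tmp\old.WCRY -> C:\tmp\old.WCRY.bak
"""

LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")


def parse_wcry_renames(log_text):
    """Return {host: [timestamps]} for renames whose new name ends in .WCRY."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and non-RENAME events are ignored
        ts, host, _src, dst = m.groups()
        if dst.lower().endswith(".wcry"):
            hits[host].append(datetime.fromisoformat(ts))
    return dict(hits)


def flag_hosts(log_text, threshold=3, window_seconds=60):
    """Return {host: peak count} for hosts with >= threshold .WCRY renames
    inside any sliding window of window_seconds. A single rename (e.g. an
    analyst handling a sample) stays below the threshold and is not flagged."""
    flagged = {}
    for host, times in parse_wcry_renames(log_text).items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(seconds=window_seconds):
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged


if __name__ == "__main__":
    print(flag_hosts(SAMPLE_LOG))  # ws-07 flagged; ws-12 has only one .WCRY rename
```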
Petya is a Trojan horse ransomware that encrypts files on the compromised computer. Similar to WannaCry, Petya uses the EternalBlue exploit as one of its means of propagation. However, it also uses classic SMB network spreading techniques, meaning that it can spread within organizations even if they have patched against EternalBlue.
Symantec protects customers against ransomware through layered defenses across multiple product lines, guarding multiple attack vectors and targets including email, web, endpoints, and data center servers. SONAR behavior detection technology also proactively protects against infections.
Endpoint: Symantec Endpoint Protection and Norton
Symantec Endpoint Protection (SEP) and Norton have blocked any attempt to exploit the vulnerability used by WannaCry since April 24, before WannaCry first appeared, using a combination of technologies. In fact, the Advanced Machine Learning feature in SEP alone proactively blocked all WannaCry infections on day zero, without any updates. All SEP versions, including SEP 14, SEP Cloud and SEP Small Business Edition, have these automatic protections against WannaCry. See the Details and Recommendations section below for more information.
Email: Symantec Email Security.cloud and Symantec Messaging Gateway
Symantec Email Security.cloud and Symantec Messaging Gateway products provide automatic protection against WannaCry for email-based attacks.
Web: Symantec Secure Web Gateway
Symantec Secure Web Gateway (SWG) blocks access to malicious websites and downloads that might contain ransomware. SWG solutions include ProxySG, WSS, GIN, Content and Malware Analysis, Security Analytics, and SSLV.
Workload: Symantec Data Center Security: Server Advanced
Symantec Data Center Security: Server Advanced (DCS:SA) intrusion prevention policies block WannaCry 'out of the box'. All three levels of Symantec DCS:SA policies for Windows 6.0 and up (Basic, Hardening, and Whitelisting) block the WannaCry ransomware attack from dropping malicious executables onto systems. Customers not deploying full intrusion prevention capabilities can apply targeted intrusion prevention policies to block execution of ransomware.
Note: See the Data Center Security Server ransomware blog post for additional details and instructions.
Endpoint Management: Symantec IT Management Suite
Symantec IT Management Suite (ITMS) provides vulnerability patching and updates for endpoints and data center servers. The Security Update for Microsoft Windows SMB Server (4013389) patch, which protects against WannaCry, was released by Microsoft in March, and ITMS has supported it from the same date.
Note: ITMS 7.5 will patch Windows 7/8.1 systems; however, ITMS 7.6 or newer is required to patch Windows 10 systems.
Cyber Security Services: Customers can benefit from Symantec's Managed Security Services for monitoring WannaCry alerts and detecting ransomware spread within their organization. Symantec can also provide Incident Response Services, including readiness, hunting, and response services, for WannaCry victims.
View the detailed overview of how Symantec products protect you from WannaCry and other ransomware.
Symantec recommends that customers have the following technologies enabled for full proactive protection:
Note: Symantec Endpoint Protection customers are advised to migrate to SEP 14 to take advantage of the proactive protection provided by advanced machine learning.