Encryption is now being used as a weapon by cybercriminals to hold hostage critical data from companies and individuals through crypto-ransomware attacks. Regular backups and keeping systems updated are key steps to prevent ransomware, as paying ransoms provides no guarantee files will be recovered and only encourages more attacks. While Symantec Endpoint Protection cannot decrypt files encrypted by ransomware, it provides technologies like IPS, SONAR, and Insight to block threats and detect emerging malware that definitions alone may miss.

1. Encryption is now used as a weapon,
holding companies’ and individuals’
critical data hostage
Internet Security
Threat Report
VOLUME 21, APRIL 2016
600
500
400
300
200
100
Thousands
Growing Dominance of
Crypto-Ransomware
Percentage of new families of misleading apps, fake security
software (Fake AV), locker-ransomware, and crypto-ransomware
Regularly back up files on both the client
computers and servers. Either back up the
files when the computers are offline or use a
system that networked computers and
servers can’t write to.
If you don't have dedicated backup software,
you can copy important files to a removable
media. Be sure to eject and unplug the
removable media when you're done.
If you pay the ransom:
● There’s no guarantee that the attacker will supply a
method to unlock your computer or decrypt your files.
● The attacker will likely use your ransom money to fund
attacks against other users.
Don’t pay the ransom.
New definitions are likely to detect and remediate the
ransomlockers.
Symantec Endpoint Protection Manager automatically
downloads virus definitions to the client, as long as
the client is managed and connected to the
Symantec Endpoint Protection Manager.
Secure them with a password and
access control restrictions.
Use read-only access for files on
network drives, unless it’s absolutely
necessary to have write access for these
files. Restricting user permissions limits
which files the threats can encrypt.
As with other security products, Symantec Endpoint Protection
cannot decrypt the files that ransomlockers
have sabotaged.
Attacking exploit kits can’t exploit
vulnerabilities that have been patched.
Historically, attacks were delivered
through phishing and web browsers.
In the future, it’s likely we’ll see more
attacks delivered through vulnerable
web applications, such as JBOSS,
WordPress, and Joomla.
Do this before the ransomware can attack
accessible network drives.
Use Symantec Endpoint
Protection (SEP) Manager
If you can identify the malicious
email or executable, submit it to
Symantec Security Response:
Symantec.com/security_response
These samples enable Symantec to
create new signatures and improve
defenses against ransomware.
Submit the malware
to Security Response.
Isolate the
infected computer.
Restore damaged
files from a known
good backup.
Protection Against
Ransomware
All-Ransomware Crypto-Ransomware Crypto-Ransomware as % of All Ransomware
DECNOVOCTSEPAUGJULJUNMAYMARJAN APRFEB2015
0%
100%
50%
Steps for
preventing
ransomware
0%
FakeAV Crypto-RansomwareLockersMisleading Apps
100%
Crypto- Ransomware as
Percentage of All Ransomware
Although the chart indicates a steady decline in
traditional ransomware in 2015, crypto-ransomware
now accounts for the majority of all ransomware.
Pay Ransom PurchaseBack
’07’06’05 ’08 ’09 ’10 ’11 ’12 ’13 ’14 ’15
Back up your computers
and servers regularly.
Lock down mapped
network drives.
IPS blocks some threats that traditional virus
definitions alone cannot stop.
SONAR provides real-time protection, using
heuristics and reputation data, to detect
emerging and unknown threats.
Insight quarantines questionable files that
haven’t been proven safe yet by the
Symantec customer base.
Deploy and enable
all Symantec Endpoint
Protection technologies.
Ransomware threats are often spread through
spam emails that contain malicious
attachments. Scanning inbound emails for
threats with a dedicated mail security product
or service is critical to keep ransomware and
other malware out of your organization.
For more information, see:
Symantec.com/connect/articles/support-
perspective-w97mdownloader-battle-plan
Use an email security
product to handle
email safely.
Download the latest
patches and plug-ins.
How do I remove ransomware?
In almost all cases, ransomware encryption can’t be broken.
If your client computers get infected with ransomware and
your data is encrypted, follow the steps below.
DOWNLOAD THE FULL REPORT