Ransomware Protection
Note
The Ransomware Protection (RWP) feature is applicable to CTE for Windows clients.
Ransomware is a type of malicious software that is designed to block access to a computer system until a sum of money is paid. CTE for Windows Agent supports detection of Ransomware and protection of sensitive data from Ransomware.
CTE Agent monitors the volumes, analyzes the data, and looks for processes that might perform suspicious activities on the sensitive data. Examples of such processes are processes that try to encrypt files, open thousands of files, or change permissions on files. If a process displays suspicious behavior, then it is either blocked or audited (that is, flagged in a log file). The action taken is preconfigured by the CTE administrator in the profile linked to the client.
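The kind of behavioral check described above, as an added example that is not CTE's own detection logic: it tallies constructed file-activity events per process against assumed thresholds and maps any hit to an audit or block action. The event tuple layout, threshold values, process names, and the "Audit" and "Block" operation strings are assumptions.

```python
import math
from collections import Counter, defaultdict

# Assumed thresholds, for illustration only; not values used by CTE.
MAX_FILES_OPENED = 1000    # "open thousands of files"
MAX_PERM_CHANGES = 20      # "change permissions on files"
MAX_ENCRYPTED_WRITES = 10  # writes whose content looks like ciphertext
MIN_ENTROPY = 7.5          # bits per byte; ciphertext approaches 8.0

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty buffer)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def evaluate(events, operation="Audit"):
    """Map each suspicious process to (reasons, action) for the given operation."""
    # events: (process, kind, path, payload) tuples; kind is open, write or chmod.
    if operation == "Disable":
        return {}
    opened, enc, perms = defaultdict(set), Counter(), Counter()
    for proc, kind, path, payload in events:
        if kind == "open":
            opened[proc].add(path)
        elif kind == "write" and len(payload) >= 256 and entropy(payload) >= MIN_ENTROPY:
            enc[proc] += 1
        elif kind == "chmod":
            perms[proc] += 1
    verdicts = {}
    for proc in set(opened) | set(enc) | set(perms):
        reasons = [label for label, hit in (
            ("mass file open", len(opened[proc]) > MAX_FILES_OPENED),
            ("encrypting writes", enc[proc] > MAX_ENCRYPTED_WRITES),
            ("permission changes", perms[proc] > MAX_PERM_CHANGES)) if hit]
        if reasons:
            verdicts[proc] = (reasons, "blocked" if operation == "Block" else "audited")
    return verdicts

def sample_events():
    """Constructed activity: a backup job, an editor, and a ransomware-like process."""
    cipher, text = bytes(range(256)) * 16, b"quarterly sales report " * 200
    ev = [("backup.exe", "open", f"D:\\data\\{i}.doc", b"") for i in range(50)]
    ev.append(("backup.exe", "write", "E:\\bak\\0.doc", text))
    ev.append(("editor.exe", "write", "D:\\data\\photos.zip", cipher))  # single archive write
    for i in range(1500):
        path = f"D:\\data\\{i}.doc"
        ev.append(("unknown.exe", "open", path, b""))
        if i < 25:
            ev += [("unknown.exe", "write", path, cipher), ("unknown.exe", "chmod", path, b"")]
    return ev
```

The single high-entropy write by editor.exe stays under the threshold, which is why the check counts encrypted-looking writes per process rather than flagging any one of them.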
Licensing
Ransomware Protection is supported with RWP-enabled CTE for Windows clients. A CTE for Ransomware Protection license must be activated on the CipherTrust Manager to register an RWP-enabled CTE client. Refer to CTE Licensing Model for details.
Protection Modes
Based on the enabled capabilities, CTE clients can support the following protection modes:
Filesystem Protection (CTE): Allows you to protect and encrypt CTE files with policies.
Ransomware Protection Only (RWP): CTE is deployed to monitor volumes for suspicious behavior from processes, and supports auditing or blocking of the processes.
Both filesystem and Ransomware Protection (CTE RWP): Protects volumes from Ransomware and allows you to protect and encrypt CTE files with policies.
Use the Ransomware Protection GuardPoints to monitor or block Ransomware access attempts to the sensitive data stored on volumes on the CTE clients. A Ransomware Protection GuardPoint does not require any protection policies.
Protecting Non-Sensitive Data
Use the Ransomware Protection mode to protect systems that do not contain sensitive data, but have access to your network.
A use case for this scenario is when you have users with laptops who frequently use your network and access servers on it, but they do not have any sensitive data locally on their laptops. A system like this might belong to a salesperson who travels and frequently uses other networks to access the internet. When such users log on to your network, they access the sales network server and upload data to it. They could easily pick up Ransomware from another network and accidentally upload it to your company's network. Using the Ransomware Protection mode would protect the data on the local volumes, mounted volumes, and the network servers from being infected with Ransomware.
Protecting Sensitive Data
The Ransomware Protection mode protects data on servers and endpoints from Ransomware attacks by auditing and blocking malicious IPs. Users can strengthen their security posture by combining CTE access and encryption policies with Ransomware protection for complete control over their data.
To protect sensitive data against Ransomware:
Ensure that the CTE Ransomware Protection license is activated and available on the CipherTrust Manager. Refer to CTE Licensing Model for details.
Install the CTE for Windows Agent with the Ransomware Protection capability enabled. The Ransomware Protection support uses the same registration process as CTE clients. Refer to Installing and Registering CTE for information on installing and configuring CTE Agents.
Configure the Ransomware Protection settings in the linked client profile. Refer to Setting Ransomware Protection Configuration for details.
Create a Ransomware Protection GuardPoint on the volume to be protected. Refer to Creating Ransomware GuardPoints for details.
Disabling Ransomware Protection
To disable Ransomware Protection for all GuardPoints on the clients linked with a profile:
Open the Transparent Encryption application.
In the left pane, click Settings > Profiles.
Under Name, click the desired profile.
Expand RANSOMWARE PROTECTION CONFIGURATION.
Set the Operation to Disable.
Note
When you change the operation to Disable in a profile, Ransomware Protection for all GuardPoints on the linked clients is disabled.
When you change the profile of a client to another profile with the operation set to Disable, Ransomware Protection for all GuardPoints on the client is disabled.
Click Update.