Ransomware Protection
Ransomware is a type of malicious software that is designed to block access to a computer system until a sum of money is paid. CTE Agent supports detection of Ransomware and protection of sensitive data from Ransomware.
Ransomware Protection is applied at GuardPoint, that is, at volume level for Windows and directory level for Linux. CTE Agent monitors the GuardPoints, analyzes the data, and looks for processes that might perform suspicious activities on the sensitive data. Examples of such processes are processes that try to encrypt files, open thousands of files, or change permissions on files. If a process displays suspicious behavior, then it is either blocked or audited (that is, flagged in a log file). The action taken is preconfigured by the CTE administrator in the profile linked to the client.
Licensing
Ransomware Protection is supported with RWP-enabled CTE clients. A CTE for Ransomware Protection license must be activated on the CipherTrust Manager to register an RWP-enabled CTE client. Refer to CTE Licensing Model for details.
Protection Modes
Based on the capabilities enabled during CTE registration, CTE clients can support the following protection modes:
Filesystem Protection (CTE): Allows you to protect and encrypt CTE files with policies.
Ransomware Protection (RWP) Only: CTE is deployed to monitor GuardPoints for suspicious behavior from processes, and supports auditing or blocking of the processes.
Both filesystem and Ransomware Protection (CTE RWP): Protects GuardPoints from Ransomware and allows you to protect and encrypt CTE files with policies.
Ransomware Protection is available for all types of GuardPoints in the RWP and CTE RWP protection modes.
The RWP protection mode doesn't support CTE file encryption and protection. Therefore, only Ransomware Protection Guardpoints are available in this mode, and these GuardPoints don't require any protection policies.
The CTE RWP protection mode supports both Ransomware Protection and CTE file encryption. Therefore, all types of GuardPoints are available in the CTE RWP protection mode.
Use the Ransomware Protection GuardPoints to monitor or block Ransomware access attempts to the sensitive data stored on the CTE clients.
Protecting Non-Sensitive Data
Use the Ransomware Protection mode to protect systems that don't contain sensitive data, but have access to your network.
A use case of this scenario is when you have users with laptops who frequently use your network and access servers on it, but they do not have any sensitive data locally on their laptops. A system like this might belong to a salesperson who travels and frequently uses other networks to access the internet. When such users log on to your network, they access the sales network server and upload data to it. They could easily pick up a Ransomware from another network and accidentally upload it to your company's network. Using the Ransomware Protection mode would protect the data on the GuardPoints from being infected with Ransomware.
Protecting Sensitive Data
The Ransomware Protection mode protects data on servers and endpoints from Ransomware attacks by auditing and blocking malicious IPs. Users can strengthen the security posture with CTE access and encryption policies and Ransomware protection for complete control on their data.
To protect sensitive data against Ransomware:
Ensure that the CTE Ransomware Protection license is activated and available on the CipherTrust Manager. Refer to CTE Licensing Model for details.
Install the CTE Agent with the Ransomware Protection capability enabled. The Ransomware Protection support uses the same registration process as CTE clients. Refer to Configuring CTE with CipherTrust Manager for information on installing and configuring CTE Agents.
Configure the Ransomware Protection settings in the linked client profile. Refer to Setting Ransomware Protection Configuration for details.
Create a Ransomware Protection GuardPoint on the volume for Windows and on the directory for Linux. Refer to the Creating Ransomware GuardPoints for details.
Disabling Ransomware Protection
To disable Ransomware Protection for all GuardPoints on the clients linked with a profile.
Open the Transparent Encryption application.
In the left pane, click Settings > Profiles.
Under Name, click the desired profile.
Expand RANSOMWARE PROTECTION CONFIGURATION.
Select the Operation to Disable.
Note
When you change the operation to Disable in a profile, Ransomware Protection for all GuardPoints on the linked clients is disabled.
When you change the profile of a client to another profile with the operation set to Disable, Ransomware Protection for all GuardPoints on the client is disabled.
Click Update.