Ransomware Protection Overview

Compatibility

Overview

Ransomware is a type of malicious software that is designed to block access to a computer system until a sum of money is paid. CTE for supports detection of Ransomware and protection of sensitive data from Ransomware.

CTE Agent monitors volumes and looks for processes that perform suspicious behavior such as processes that try to encrypt files or open thousands of files. If a process displays suspicious behavior, then it is either audited, which means it is flagged in a log file, or it is blocked. The action taken is pre-configured by the user in the profile linked to the client.

Licensing

Ransomware Protection is supported with RWP-enabled CTE clients. A CTE for Ransomware Protection license must be activated on the CipherTrust Manager to register an RWP-enabled CTE client. Refer to CTE Licensing Model for details.

Protecting Non-Sensitive Data

Use the Ransomware Protection mode to protect systems that do not contain sensitive data, but have access to your network.

A use case of this scenario is when you have users with laptops who frequently use your network and access servers on it, but they do not have any sensitive data locally on their laptops. A system like this might belong to a salesperson who travels and frequently uses other networks to access the internet. When such users log on to your network, they access the sales network server and upload data to it. They could easily pick up a Ransomware from another network and accidentally upload it to your company's network. Using the Ransomware Protection mode would protect the data on the local volumes, mounted volumes, and the network servers from being infected with Ransomware.

Protecting Sensitive Data

The Ransomware Protection mode protects data on servers and endpoints from Ransomware attacks by auditing and blocking malicious IPs. Users can strengthen the security posture with CTE access and encryption policies and Ransomware protection for complete control on their data.

To protect sensitive data against Ransomware:

1. Ensure that the CTE Ransomware Protection license is activated and available on the CipherTrust Manager. Refer to CTE Licensing Model for details.

2. Install the CTE Agent with the Ransomware Protection capability enabled. The Ransomware Protection support uses the same registration process as CTE clients. Refer to Configuring CTE with CipherTrust Manager for information on installing and configuring CTE Agents.

3. Configure the Ransomware Protection settings in the linked client profile. Refer to Setting Ransomware Protection Configuration for details.

4. Create a Ransomware Protection GuardPoint on a volume (Windows)|directory (Linux) and on the directory for Linux to be protected. Refer to the Creating Ransomware GuardPoints for details.

CTE Registration

During CTE registration with CipherTrust Manager, the following question displays:

Do you want this host to have Filesystem encryption support enabled on the server?  (Y/N) [Y]:
Do you want this host to have Ransomware Protection support enabled on the server?  (Y/N) [N]

CTE Ransomware Protection can support the following protection modes:

• Filesystem protection (CTE)

  Allows you to protect and encrypt files with policies without Ransomware Protection. (Available if you answer Y to the first question.)

• Ransomware Protection (RWP)

  CTE is deployed to monitor volumes (Windows)|GuardPoints (Linux), for suspicious behavior from processes, and supports auditing or blocking of the processes while file encryption and protection is not supported. (Available if you answer Y to the second question.)

• Filesystem and Ransomware Protection (CTE-RWP)

  Protects GuardPoints from Ransomware and allows you to protect and encrypt CTE files with policies. Therefore, all types of GuardPoints are available. (Available if you answer Y to both questions.)

Use Ransomware Protection GuardPoints to monitor or block Ransomware access attempts to a protected GuardPoints on the CTE clients. Note that if the GuardPoint type is "Ransomware Protection Only", Ransomware Protection GuardPoint does not require any policy.

Locking the System after a Ransomware Attack

After enabling Ransomware Protection during installation, turn on the agent lock and the system lock in CipherTrust Manager. The Agent lock protects the CTE Agent files from modification and deletion. The System lock protects a system files from modification and deletion. Agent Lock automatically enables when System Lock enables. You can manually enable or disable the Agent Lock only when the System Lock is disabled.

Make sure that no one is currently accessing the Agent installation directories while applying the locks.

To apply the locks:

1. In CipherTrust Manager, open the Transparent Encryption application.

2. Click on the Client Name or Client Group Name.

3. On the lock bar, click Agent Lock.

   

4. Click System Lock.

   

5. Click Apply.

Reference Information

• Setting Client Locks

Disabling Ransomware Protection

To disable Ransomware Protection for all GuardPoints on the clients linked with a profile.

1. In CipherTrust Manager, open the Transparent Encryption application.

2. In the left pane, click Settings > Profiles.

3. Under Name, click the desired profile.

4. Expand RANSOMWARE PROTECTION CONFIGURATION.

5. Select the Operation to Disable.

6. Click Update.