Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Ransomware Protection

Ransomware Protection Overview

search

Please Note:

printsuggest an editpdf paneldownload

Ransomware Protection Overview

copy link to clipboardCompatibility

Operating System CipherTrust Manager version
Ransomware Protection for Windows v2.12 and subsequent versions
Ransomware Protection for Linux v2.17 and subsequent versions

copy link to clipboardOverview

Ransomware is a type of malicious software that is designed to block access to a computer system until a sum of money is paid. CTE for supports detection of Ransomware and protection of sensitive data from Ransomware.

CTE Agent monitors volumes and looks for processes that perform suspicious behavior such as processes that try to encrypt files or open thousands of files. If a process displays suspicious behavior, then it is either audited, which means it is flagged in a log file, or it is blocked. The action taken is pre-configured by the user in the profile linked to the client.

copy link to clipboardLicensing

Ransomware Protection is supported with RWP-enabled CTE clients. A CTE for Ransomware Protection license must be activated on the CipherTrust Manager to register an RWP-enabled CTE client. Refer to CTE Licensing Model for details.

copy link to clipboardProtecting Non-Sensitive Data

Use the Ransomware Protection mode to protect systems that do not contain sensitive data, but have access to your network.

A use case of this scenario is when you have users with laptops who frequently use your network and access servers on it, but they do not have any sensitive data locally on their laptops. A system like this might belong to a salesperson who travels and frequently uses other networks to access the internet. When such users log on to your network, they access the sales network server and upload data to it. They could easily pick up a Ransomware from another network and accidentally upload it to your company's network. Using the Ransomware Protection mode would protect the data on the local volumes, mounted volumes, and the network servers from being infected with Ransomware.

copy link to clipboardProtecting Sensitive Data

The Ransomware Protection mode protects data on servers and endpoints from Ransomware attacks by auditing and blocking malicious IPs. Users can strengthen the security posture with CTE access and encryption policies and Ransomware protection for complete control on their data.

To protect sensitive data against Ransomware:

  1. Ensure that the CTE Ransomware Protection license is activated and available on the CipherTrust Manager. Refer to CTE Licensing Model for details.

  2. Install the CTE Agent with the Ransomware Protection capability enabled. The Ransomware Protection support uses the same registration process as CTE clients. Refer to [Configuring CTE with CipherTrust Manager](({filename}/pages/user-manuals/cte-qsgs/index.html) for information on installing and configuring CTE Agents.

  3. Configure the Ransomware Protection settings in the linked client profile. Refer to Setting Ransomware Protection Configuration for details.

  4. Create a Ransomware Protection GuardPoint on a volume (Windows)|directory (Linux) and on the directory for Linux to be protected. Refer to the Creating Ransomware GuardPoints for details.

copy link to clipboardCTE Registration

During CTE registration with CipherTrust Manager, the following question displays:

Do you want this host to have Filesystem encryption support enabled on the server?  (Y/N) [Y]:
Do you want this host to have Ransomware Protection support enabled on the server?  (Y/N) [N]

CTE Ransomware Protection can support the following protection modes:

  • Filesystem protection (CTE)

    Allows you to protect and encrypt files with policies without Ransomware Protection. (Available if you answer Y to the first question.)

  • Ransomware Protection (RWP)

    CTE is deployed to monitor volumes (Windows)|GuardPoints (Linux), for suspicious behavior from processes, and supports auditing or blocking of the processes while file encryption and protection is not supported. (Available if you answer Y to the second question.)

  • Filesystem and Ransomware Protection (CTE-RWP)

    Protects GuardPoints from Ransomware and allows you to protect and encrypt CTE files with policies. Therefore, all types of GuardPoints are available. (Available if you answer Y to both questions.)

Use Ransomware Protection GuardPoints to monitor or block Ransomware access attempts to a protected GuardPoints on the CTE clients. Note that if the GuardPoint type is "Ransomware Protection Only", Ransomware Protection GuardPoint does not require any policy.

copy link to clipboardLocking the System after a Ransomware Attack

After enabling Ransomware Protection during installation, turn on the agent lock and the system lock in CipherTrust Manager. The Agent lock protects the CTE Agent files from modification and deletion. The System lock protects a system files from modification and deletion. Agent Lock automatically enables when System Lock enables. You can manually enable or disable the Agent Lock only when the System Lock is disabled.

Make sure that no one is currently accessing the Agent installation directories while applying the locks.

To apply the locks:

  1. In CipherTrust Manager, open the Transparent Encryption application.

  2. Click on the Client Name or Client Group Name.

  3. On the lock bar, click Agent Lock.

  4. Click System Lock.

  5. Click Apply.

copy link to clipboardReference Information

copy link to clipboardDisabling Ransomware Protection

To disable Ransomware Protection for all GuardPoints on the clients linked with a profile.

  1. In CipherTrust Manager, open the Transparent Encryption application.

  2. In the left pane, click Settings > Profiles.

  3. Under Name, click the desired profile.

  4. Expand RANSOMWARE PROTECTION CONFIGURATION.

  5. Select the Operation to Disable.

  6. Click Update.

On this page