Ransomware Protection Overview
Compatibility
| Operating System | CipherTrust Manager version |
|---|---|
| Ransomware Protection for Windows | v2.12 and subsequent versions |
| Ransomware Protection for Linux | v2.17 and subsequent versions |
Overview
Ransomware is a type of malicious software that is designed to block access to a computer system until a sum of money is paid. CTE supports detection of Ransomware and protection of sensitive data from Ransomware.
The CTE Agent monitors volumes and looks for processes that behave suspiciously, for example processes that try to encrypt files or that open thousands of files. If a process displays suspicious behavior, it is either audited, meaning the event is flagged in a log file, or it is blocked. Which of the two actions is taken is preconfigured by the user in the profile linked to the client.
Licensing
Ransomware Protection is supported with RWP-enabled CTE clients. A CTE for Ransomware Protection license must be activated on the CipherTrust Manager to register an RWP-enabled CTE client. Refer to CTE Licensing Model for details.
Protecting Non-Sensitive Data
Use the Ransomware Protection mode to protect systems that do not contain sensitive data, but have access to your network.
A use case for this scenario is users with laptops who frequently use your network and access servers on it, but who keep no sensitive data locally on their laptops. Such a system might belong to a salesperson who travels and frequently uses other networks to access the internet. When such users log on to your network, they access the sales network server and upload data to it. They could easily pick up Ransomware from another network and accidentally introduce it to your company's network. Using the Ransomware Protection mode protects the data on the local volumes, mounted volumes, and the network servers from being infected with Ransomware.
Protecting Sensitive Data
The Ransomware Protection mode protects data on servers and endpoints from Ransomware attacks by auditing and blocking malicious processes. Users can strengthen their security posture by combining CTE access and encryption policies with Ransomware Protection for complete control over their data.
To protect sensitive data against Ransomware:
-
Ensure that the CTE Ransomware Protection license is activated and available on the CipherTrust Manager. Refer to CTE Licensing Model for details.
-
Install the CTE Agent with the Ransomware Protection capability enabled. The Ransomware Protection support uses the same registration process as CTE clients. Refer to Configuring CTE with CipherTrust Manager for information on installing and configuring CTE Agents.
-
Configure the Ransomware Protection settings in the linked client profile. Refer to Setting Ransomware Protection Configuration for details.
-
Create a Ransomware Protection GuardPoint on the volume (Windows) or directory (Linux) to be protected. Refer to Creating Ransomware GuardPoints for details.
CTE Registration
During CTE registration with CipherTrust Manager, the following question displays:
Do you want this host to have Ransomware protection support enabled on the server? (Y/N) [N]
If you are planning to use Ransomware Protection, type Y. The default, shown in brackets, is N.
CTE Ransomware Protection can support the following protection modes:
-
Filesystem protection (CTE)
Allows you to protect and encrypt files with policies without Ransomware Protection.
-
Ransomware Protection (RWP)
CTE is deployed to monitor volumes (Windows) or GuardPoints (Linux) for suspicious behavior from processes, and supports auditing or blocking of those processes.
-
Filesystem and Ransomware Protection (CTE-RWP)
Protects GuardPoints from Ransomware and allows you to protect and encrypt CTE files with policies.
Use Ransomware Protection GuardPoints to monitor or block Ransomware access attempts to protected GuardPoints on the CTE clients. Note that if the GuardPoint type is "Ransomware Protection Only", the Ransomware Protection GuardPoint does not require any policy.
Locking the System after a Ransomware Attack
After enabling Ransomware Protection during installation, turn on the Agent Lock and the System Lock in CipherTrust Manager. The Agent Lock protects the CTE Agent files from modification and deletion. The System Lock protects system files from modification and deletion. The Agent Lock is enabled automatically when the System Lock is enabled; you can manually enable or disable the Agent Lock only while the System Lock is disabled.
Make sure that no one is currently accessing the Agent installation directories while applying the locks.
To apply the locks:
-
In CipherTrust Manager, open the Transparent Encryption application.
-
Click on the Client Name or Client Group Name.
-
On the lock bar, click Agent Lock.
-
Click System Lock.
-
Click Apply.
Windows Volume Shadow Copies
Ransomware Protection now detects and prevents deletion of Windows Volume Shadow Copies. The Volume Shadow Copy service is a built-in Windows feature that creates backup snapshots of files or disks, and many commercial backup solutions build on it. Most ransomware tries to delete the volume shadow copies in order to prevent a clean recovery of the infected system. Starting from CTE 7.7, deletion of volume shadow copies is prevented if CTE flags the presence of one or more malicious processes anywhere on the system. This allows customers to recover their systems if they are infected by ransomware.
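The following added example, written for this page and not CTE Agent code, shows how the two behaviors described above fit together: the process monitoring from the Overview (flagging a process that opens thousands of files or overwrites them with ciphertext-like data, then applying the audit or block operation from the client profile) and the shadow-copy rule from this section (shadow copy deletion is allowed for a normal backup job but stopped once any process on the system has been flagged). The event schema, the thresholds, the rule names, the command-line markers and the `simulate` driver with its constructed events are all assumptions for the illustration; CTE's real detection logic and values are not published on this page.

```python
import math
import random
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds and rule names are assumptions for this illustration, not CTE's values.
MASS_OPEN_THRESHOLD = 1000      # distinct files one process may open before it is flagged
ENTROPY_THRESHOLD = 7.5         # bits per byte; ciphertext sits close to 8.0
MIN_HIGH_ENTROPY_WRITES = 20    # high-entropy overwrites before the process is flagged

# Command-line fragments commonly used to delete Windows Volume Shadow Copies.
SHADOW_DELETE_MARKERS = ("vssadmin delete shadows", "wmic shadowcopy delete", "win32_shadowcopy")


def entropy(data: bytes) -> float:
    """Shannon entropy of a write payload in bits per byte."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class ProcessState:
    opened: set = field(default_factory=set)
    high_entropy_writes: int = 0
    reasons: list = field(default_factory=list)   # non-empty once the process is flagged


class RansomwareMonitor:
    """Applies the profile operation: 'audit' only logs, 'block' denies, 'disable' does nothing."""

    def __init__(self, operation: str):
        if operation not in ("audit", "block", "disable"):
            raise ValueError(operation)
        self.operation = operation
        self.procs = defaultdict(ProcessState)
        self.log = []

    def _flag(self, pid: int, reason: str) -> None:
        if reason not in self.procs[pid].reasons:
            self.procs[pid].reasons.append(reason)
            self.log.append(f"pid={pid} flagged: {reason}")

    def any_flagged(self) -> bool:
        return any(st.reasons for st in self.procs.values())

    def _verdict(self) -> str:
        return "deny" if self.operation == "block" else "audit"

    def handle(self, event: dict) -> str:
        """Return 'allow', 'audit' or 'deny' for one file or process event."""
        if self.operation == "disable":
            return "allow"
        pid, kind = event["pid"], event["kind"]
        st = self.procs[pid]
        if kind == "open":
            st.opened.add(event["path"])
            if len(st.opened) >= MASS_OPEN_THRESHOLD:
                self._flag(pid, "mass file open")
        elif kind == "write" and entropy(event["data"]) >= ENTROPY_THRESHOLD:
            st.high_entropy_writes += 1
            if st.high_entropy_writes >= MIN_HIGH_ENTROPY_WRITES:
                self._flag(pid, "high-entropy overwrite")
        elif kind == "exec" and any(m in event["cmdline"].lower() for m in SHADOW_DELETE_MARKERS):
            # Backup tools legitimately delete shadow copies, so the deletion is only
            # stopped once a malicious process has been flagged anywhere on the system.
            if self.any_flagged():
                self.log.append(f"pid={pid} shadow copy deletion while a process is flagged")
                return self._verdict()
            return "allow"
        return self._verdict() if st.reasons else "allow"


def simulate(operation: str):
    """Constructed event stream: a backup job, a process encrypting files, then a shadow-copy wipe."""
    mon = RansomwareMonitor(operation)
    rng = random.Random(7)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for an encrypted file body
    plaintext = b"Quarterly report: revenue up 3 percent.\n" * 100
    verdicts = [mon.handle({"pid": 10, "kind": "exec", "cmdline": "vssadmin delete shadows /for=C: /oldest"})]
    for i in range(MASS_OPEN_THRESHOLD):
        mon.handle({"pid": 42, "kind": "open", "path": f"/data/doc{i}.docx"})
    mon.handle({"pid": 42, "kind": "write", "path": "/data/doc0.docx", "data": plaintext})  # low entropy, not counted
    for i in range(MIN_HIGH_ENTROPY_WRITES):
        mon.handle({"pid": 42, "kind": "write", "path": f"/data/doc{i}.docx", "data": ciphertext})
    verdicts.append(mon.handle({"pid": 42, "kind": "write", "path": "/data/doc999.docx", "data": ciphertext}))
    verdicts.append(mon.handle({"pid": 43, "kind": "exec", "cmdline": "WMIC shadowcopy delete"}))
    return verdicts, mon


if __name__ == "__main__":
    for op in ("audit", "block", "disable"):
        v, m = simulate(op)
        print(op, v, m.log)
```

With the profile operation set to `block` the backup job's shadow copy deletion is allowed, the encrypting process is denied once it trips both rules, and the later shadow copy wipe is denied because a flagged process exists; with `audit` the same events are only logged, and with `disable` everything is allowed.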
Reference Information
Disabling Ransomware Protection
To disable Ransomware Protection for all GuardPoints on the clients linked with a profile:
-
Open the Transparent Encryption application.
-
In the left pane, click Settings > Profiles.
-
Under Name, click the desired profile.
-
Expand RANSOMWARE PROTECTION CONFIGURATION.
-
Select the Operation to Disable.
-
Click Update.