How to Use Ivanti Endpoint Security to Protect Against Ransomware

Version 10

    Verified Product Versions

    Endpoint Manager 9.6, Endpoint Manager 9.0 and Older, Endpoint Manager 2016.x, Endpoint Manager 2017.x



    Most ransomware works by encrypting all documents on an infected client.  The ransomware then demands that the user pay a ransom in order to decrypt the data.


    Using Ivanti Security Suite, security administrators can define a rule that protects all documents (and other file types) on the client from being encrypted by any type of ransomware.


    By restricting the ability to modify and create DOC, DOCX, XLS, XLSX, PPT and PPTX documents only to Microsoft Word, Microsoft Excel and Microsoft PowerPoint respectively, no 3rd party application, including ransomware, can change or encrypt those files.  Please be aware that this includes 3rd party applications that are not harmful and may need to have access to these files.  Examples of this would be antivirus software, SharePoint, OneDrive, Dropbox and other programs that have a legitimate reason to access these files.  You may need to grant access to all of these other programs as well, which may mean spending considerable time administering and configuring these options.


    Please also be aware that you can accomplish the same goal using Application Control.  Programs that are not on your trusted file list or approved digitally signed vendor list would not be allowed to run.  This would include malware.


    If the user mistakenly runs a file containing ransomware on his/her device, the ransomware will not be able to encrypt any of those files, ensuring that corporate content is safe.


    In order to create an Agent policy that protects against ransomware, please complete the following steps:


    Create rule to give Microsoft Word rights to open, create, and modify documents


    1. Under Agent Settings -> Security -> Endpoint Security -> Application Control
    2. Create a New Policy or Edit an existing one.
    3. On the Application Control settings window, choose the File Protection Rules tab.
    4. Click the Add button to add a new Protection Rule.
    5. Set the rule to allow winword.exe to modify *.doc and *.docx


    6. Under Monitored Programs set the program name to Winword.exe
    7. In Protected Files, set file names to .doc and .docx
    8. Ensure all permissions are allowed (un-checked)


    Create rule to deny modification to *.DOC and *.DOCX




    1. Under Monitored Programs select the radio button All Programs if it is not already selected.
    2. In Protected Files, set file name to .DOC and .DOCX
    3. Ensure that Creation is NOT checked.

    4. Since the file protection module honors rules based on their order, WinWord.exe will be allowed to work with .DOC and .DOCX files, while other programs will not be allowed to modify .DOC and .DOCX files.
    5. Add as many rules as are required to protect your other file types.  For example, add another rule to only allow Excel to modify .XLS and .XLSX files, followed by a rule that prevents any program from modifying .XLS and .XLSX files.
    6. After an attack a screen similar to the following may appear:



    If the user powers off the workstation before clicking on the APPLY button, the screen may appear after reboot.  The user will need to click on the apply button and reboot the workstation.  This will remove the file from the Windows startup process and return the computer to normal boot.  At this point, any important data should be moved from the device.


    The device may become more and more likely to get infected with malware and may still be compromised.  In that case, the workstation should be re-imaged using Ivanti EPM Provisioning.

    Ivanti Provisioning - OS provisioning and OS migration

    Capture and deploy operating systems and profiles. Provides a template-driven process to deploy operating systems using hardware-independent imaging, driver management, and integrated software delivery.



    1. In the Ivanti EPM console, navigate to the Provisioning tool group, then to OS Provisioning.
    2. Select the provisioning template that would include the following: migration user profile, the corporate gold image, Mapped Software (this will install software that was previously on the device), and the Patch System action in order to patch the device to the production baseline.


    If something has happened and the device will not boot normally, it may be necessary to either pull the hard drive, or put the device on an isolated network, map a drive to the infected device and pull any documents needed off the device.  At this point, it will be necessary to reimage the device to bring it back to a known good state.




    As part of Ivanti Security Suite, we have the ability to block malware from modifying important documents and holding them for ransom.  Following the above steps will help you protect your environment.
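
    The ordered allow/deny rule pairs from the steps above can be checked on paper before the policy is deployed. The following is an added example, not Ivanti code: it models the rules as a first-match-wins list (an assumption based on the statement that rules are honored in order), and the `Rule` type, the function names, the glob form of the file patterns and the sample process names are all constructed for illustration.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple

class Rule(NamedTuple):
    program: str         # monitored program name; "*" stands for All Programs
    patterns: tuple      # protected file name patterns
    allow_modify: bool   # True: create/modify permitted, False: denied

def decide(rules, program, filename):
    """Return (allowed, index of deciding rule); the first matching rule wins (assumed)."""
    prog, name = program.lower(), filename.lower()
    for i, rule in enumerate(rules):
        if fnmatchcase(prog, rule.program.lower()) and any(
                fnmatchcase(name, p.lower()) for p in rule.patterns):
            return rule.allow_modify, i
    return True, None    # no rule covers this file type, so it is unprotected

def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier All Programs
    rule already covers every one of their file patterns."""
    dead = []
    for i, rule in enumerate(rules):
        mine = {p.lower() for p in rule.patterns}
        if any(e.program == "*" and mine <= {p.lower() for p in e.patterns}
               for e in rules[:i]):
            dead.append(i)
    return dead

# Constructed policy mirroring the article: allow rule first, then deny-all.
POLICY = [
    Rule("winword.exe", ("*.doc", "*.docx"), True),
    Rule("*",           ("*.doc", "*.docx"), False),
    Rule("excel.exe",   ("*.xls", "*.xlsx"), True),
    Rule("*",           ("*.xls", "*.xlsx"), False),
]
# Same Word rules in the wrong order: the deny-all rule shadows the allow rule.
MISORDERED = [POLICY[1], POLICY[0]]

if __name__ == "__main__":
    attempts = [("WINWORD.EXE", "report.docx"), ("unknown.exe", "Q3.DOCX"),
                ("onedrive.exe", "budget.xlsx"), ("unknown.exe", "notes.txt")]
    for prog, name in attempts:
        allowed, idx = decide(POLICY, prog, name)
        print(f"{prog:12} {name:12} {'allow' if allowed else 'deny':5} rule={idx}")
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```

    The `onedrive.exe` attempt is denied by the Excel deny-all rule, which is the legitimate-application case the article warns about, and `notes.txt` is allowed because no rule protects that file type.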