Endpoint Protection

Hi Everyone. We are facing a ransomware in our network and it has infected couple of PCs, all the files format was changed and the files extension changed to filename.vpsh or filename.jdyi and we are concerned about the spread of the virus to all PCs in our network .

We have SEP deployed and we were expecting that it will be detected.



------------------------------
Symantec Enthusiast
------------------------------

This is one of those issues that is very time sensitive and critical. Due to the nature of forums, I don't think you'll get the help you need quickly enough and would definitely open a Sev 1 case with our Support team for assistance.

Here's the web page for opening a case via the Broadcom Support portal or by phone:
https://support.broadcom.com/contact-support.html
Original Message:
Sent: 11-19-2020 03:48 PM
From: sulman mushaq
Subject: Ransomware Issue (Critical)

Hi Everyone. We are facing a ransomware in our network and it has infected couple of PCs, all the files format was changed and the files extension changed to filename.vpsh or filename.jdyi and we are concerned about the spread of the virus to all PCs in our network .

We have SEP deployed and we were expecting that it will be detected.



------------------------------
Symantec Enthusiast
------------------------------

Open a ticket. Got response that we can only assist with product defects. Contact Broadcom consulting services for configuration assistance. 

Does SEP detect JDYI ransomware?

------------------------------
Symantec Enthusiast
------------------------------

Original Message:
Sent: 11-19-2020 04:10 PM
From: Blake Thomas
Subject: Ransomware Issue (Critical)

This is one of those issues that is very time sensitive and critical. Due to the nature of forums, I don't think you'll get the help you need quickly enough and would definitely open a Sev 1 case with our Support team for assistance.

Here's the web page for opening a case via the Broadcom Support portal or by phone:
https://support.broadcom.com/contact-support.html
Original Message:
Sent: 11-19-2020 03:48 PM
From: sulman mushaq
Subject: Ransomware Issue (Critical)

Hi Everyone. We are facing a ransomware in our network and it has infected couple of PCs, all the files format was changed and the files extension changed to filename.vpsh or filename.jdyi and we are concerned about the spread of the virus to all PCs in our network .

We have SEP deployed and we were expecting that it will be detected.



------------------------------
Symantec Enthusiast
------------------------------

It seems we do detect some variants of the DJVU ransomware, but if you had SEP installed and configured correctly to stop ransomware and it came through still, you should submit a sample to the analysis team:
https://symsubmit.symantec.com/

Did these machines have SEP installed?

Isolate these affected machines if you have not already done so as you do not want this spreading through you network.
Original Message:
Sent: 11-19-2020 04:19 PM
From: sulman mushaq
Subject: Ransomware Issue (Critical)

Open a ticket. Got response that we can only assist with product defects. Contact Broadcom consulting services for configuration assistance.

Does SEP detect JDYI ransomware?

------------------------------
Symantec Enthusiast

Original Message:
Sent: 11-19-2020 04:10 PM
From: Blake Thomas
Subject: Ransomware Issue (Critical)

This is one of those issues that is very time sensitive and critical. Due to the nature of forums, I don't think you'll get the help you need quickly enough and would definitely open a Sev 1 case with our Support team for assistance.

Here's the web page for opening a case via the Broadcom Support portal or by phone:
https://support.broadcom.com/contact-support.html
Original Message:
Sent: 11-19-2020 03:48 PM
From: sulman mushaq
Subject: Ransomware Issue (Critical)

Hi Everyone. We are facing a ransomware in our network and it has infected couple of PCs, all the files format was changed and the files extension changed to filename.vpsh or filename.jdyi and we are concerned about the spread of the virus to all PCs in our network .

We have SEP deployed and we were expecting that it will be detected.



------------------------------
Symantec Enthusiast
------------------------------

Hi,

If Bloodhound and/or Sonar were active it would probably been blocked. It also depends on other settings (Exclusions etc). These should not be discussed in public though. You can send me a private message.
Original Message:
Sent: 11-19-2020 03:48 PM
From: sulman mushaq
Subject: Ransomware Issue (Critical)

Hi Everyone. We are facing a ransomware in our network and it has infected couple of PCs, all the files format was changed and the files extension changed to filename.vpsh or filename.jdyi and we are concerned about the spread of the virus to all PCs in our network .

We have SEP deployed and we were expecting that it will be detected.



------------------------------
Symantec Enthusiast
------------------------------

Original Message:
Sent: 11-19-2020 03:48 PM
From: sulman mushaq
Subject: Ransomware Issue (Critical)

Hi Everyone. We are facing a ransomware in our network and it has infected couple of PCs, all the files format was changed and the files extension changed to filename.vpsh or filename.jdyi and we are concerned about the spread of the virus to all PCs in our network .

We have SEP deployed and we were expecting that it will be detected.



------------------------------
Symantec Enthusiast
------------------------------

Thank you so much for helping. this information is very comprehensive no any other further detail needed.
Original Message:
Sent: 11-20-2020 04:24 PM
From: Mithun Sanghavi
Subject: Ransomware Issue (Critical)

Hello

Below are the steps on How to remove ransomware:

There is no ransomware removal tool or CryptoLocker removal tool. Instead, if your client computers do get infected with ransomware and your data is encrypted, follow these steps:

1. Do not pay the ransom. If you pay the ransom:
   There is no guarantee that the attacker will supply a method to unlock your computer or decrypt your files.
   The attacker uses the ransom money to fund additional attacks against other users.
2. Isolate the infected computer before the ransomware can attack network drives to which it has access.
3. Use Symantec Endpoint Protection Manager to update the virus definitions and scan the client computers. 
   New definitions are likely to detect and remediate the ransomware. 

   Symantec Endpoint Protection Manager automatically downloads virus definitions to the client, as long as the client is managed and connected to the 

   Symantec Endpoint Protection Manager.
   In Symantec Endpoint Protection Manager, click Clients, right-click the group, and click Run a command on the group > Update Content and Scan
   Restore damaged files from a known good backup.
4.  As with other security products, Symantec Endpoint Protection cannot decrypt the files that ransomlockers have sabotaged.
5. Submit the malware to Symantec Security Response.
   If you can identify the malicious email or executable, submit it to Symantec Security Response. These samples enable Symantec to create new signatures and improve defenses against ransomware. 
   Symantec Insider Tip: Successful Submissions!
   

For more information

• For major ransomware incidents, engage the Symantec Global Incident Response team. They can help you validate that you have been attacked and help you to decide what to do next. See:
  10 Ways Symantec Incident Response Can Help with Ransomware
  For help with an incident now:
  Email: incidentresponse@accenture.com
  Incident Response Hotline:  (855) 378-0073
  

  • Additional information about Ransomware threats

  
  Hope that helps!!

Original Message:
Sent: 11-19-2020 03:48 PM
From: sulman mushaq
Subject: Ransomware Issue (Critical)

Hi Everyone. We are facing a ransomware in our network and it has infected couple of PCs, all the files format was changed and the files extension changed to filename.vpsh or filename.jdyi and we are concerned about the spread of the virus to all PCs in our network .

We have SEP deployed and we were expecting that it will be detected.



------------------------------
Symantec Enthusiast
------------------------------