Endpoint Protection

Expand all | Collapse all

Ransomware Issue (Critical)

  • 1.  Ransomware Issue (Critical)

    Posted 12 days ago
    Hi Everyone. We are facing a ransomware in our network and it has infected couple of PCs, all the files format was changed and the files extension changed to filename.vpsh or filename.jdyi and we are concerned about the spread of the virus to all PCs in our network .

    We have SEP deployed and we were expecting that it will be detected.



    ------------------------------
    Symantec Enthusiast
    ------------------------------


  • 2.  RE: Ransomware Issue (Critical)

    Broadcom Employee
    Posted 12 days ago
    This is one of those issues that is very time sensitive and critical. Due to the nature of forums, I don't think you'll get the help you need quickly enough and would definitely open a Sev 1 case with our Support team for assistance.

    Here's the web page for opening a case via the Broadcom Support portal or by phone:
    https://support.broadcom.com/contact-support.html


  • 3.  RE: Ransomware Issue (Critical)

    Posted 12 days ago
    Open a ticket. Got response that we can only assist with product defects. Contact Broadcom consulting services for configuration assistance.

    Does SEP detect JDYI ransomware?

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 4.  RE: Ransomware Issue (Critical)

    Broadcom Employee
    Posted 12 days ago
    It seems we do detect some variants of the DJVU ransomware, but if you had SEP installed and configured correctly to stop ransomware and it came through still, you should submit a sample to the analysis team:
    https://symsubmit.symantec.com/

    Did these machines have SEP installed?

    Isolate these affected machines if you have not already done so as you do not want this spreading through you network.


  • 5.  RE: Ransomware Issue (Critical)

    Posted 11 days ago
    Hi,

    If Bloodhound and/or Sonar were active it would probably been blocked. It also depends on other settings (Exclusions etc). These should not be discussed in public though. You can send me a private message.


  • 6.  RE: Ransomware Issue (Critical)

    Trusted Advisor
    Posted 11 days ago
    Hello

    Below are the steps on How to remove ransomware:

    There is no ransomware removal tool or CryptoLocker removal tool. Instead, if your client computers do get infected with ransomware and your data is encrypted, follow these steps:
    1. Do not pay the ransom. If you pay the ransom:
      There is no guarantee that the attacker will supply a method to unlock your computer or decrypt your files.
      The attacker uses the ransom money to fund additional attacks against other users.
    2. Isolate the infected computer before the ransomware can attack network drives to which it has access.
    3. Use Symantec Endpoint Protection Manager to update the virus definitions and scan the client computers. 
      New definitions are likely to detect and remediate the ransomware. 
      Symantec Endpoint Protection Manager automatically downloads virus definitions to the client, as long as the client is managed and connected to the 
      Symantec Endpoint Protection Manager.
      In Symantec Endpoint Protection Manager, click Clients, right-click the group, and click Run a command on the group > Update Content and Scan
      Restore damaged files from a known good backup.
    4.  As with other security products, Symantec Endpoint Protection cannot decrypt the files that ransomlockers have sabotaged.
    5. Submit the malware to Symantec Security Response.
      If you can identify the malicious email or executable, submit it to Symantec Security Response. These samples enable Symantec to create new signatures and improve defenses against ransomware. 
    For more information




  • 7.  RE: Ransomware Issue (Critical)

    Posted 8 days ago
    Thank you so much for helping. this information is very comprehensive no any other further detail needed.