Ransomware Viruses

What Is Ransomware?

The Definition of Ransomware

Ransomware is a category of malware that encrypts a victim's files and renders them unusable while leaving the computer itself accessible. The attackers demand a ransom, payable only through the methods named in the ransom note, in exchange for a decryption key that they may or may not deliver. Removal tools can clean the infection from the system, but they cannot decrypt the files; without the attacker's key, recovery depends on backups.

Ransomlockers are a related type of malware that blocks access to the device rather than encrypting data: the computer is locked and the victim sees a message, often styled to look like it comes from local law enforcement, demanding a "fine" to avoid arrest and unlock the computer.

Types of Ransomware

Ransomware Types and Definitions

While not an exhaustive list of ransomware types, here are a few notable families and what distinguishes them.


WannaCry is far more dangerous than other common ransomware because it spreads itself across an organization's network as a worm, exploiting a critical vulnerability in the Windows SMBv1 server that Microsoft patched in March 2017 (MS17-010). The exploit, known as EternalBlue, was released online in April 2017 in the latest of a series of leaks by a group known as the Shadow Brokers, who claimed to have stolen the data from the Equation cyber espionage group. Any unpatched host reachable over SMB from an infected machine can be compromised without any user interaction.

WannaCry searches for 176 different file types, encrypts them, and appends .WCRY to the end of each file name. It asks victims to pay a US$300 ransom in bitcoin. The ransom note states that the amount doubles after three days and that the encrypted files will be deleted if payment is not made within seven days. However, Symantec has not found any code within the ransomware that would actually delete the files.


Petya is a Trojan horse ransomware that encrypts files on the compromised computer. Like WannaCry, Petya uses the EternalBlue exploit as one of its means of propagation. However, it also spreads over SMB using ordinary Windows network and administration mechanisms, so patching against EternalBlue alone does not stop it from moving laterally within an organization.

How Symantec Products Keep You Safe Against Ransomware

Defense in depth across all control points is required to stop ransomware


Symantec Email Security.cloud, Symantec Messaging Gateway

  • Perform static analysis of malicious indicators within files or documents
  • Detonate potentially malicious scripts in sandbox before email delivery and block if signs of malicious behavior are evident
  • Block malicious links with real-time link following before email delivery and link analysis at click-time post delivery


Symantec Secure Web Gateway Solutions

  • Block malicious sites, including command-and-control and encryption-key servers
  • Analyze files downloaded from unknown URLs for ransomware behavior, using multi-layer inspection and live threat feeds
  • Malware analysis looks for ransomware-specific behaviors and detonates unknown files in a sandbox before delivery


Symantec Endpoint Protection 14, ATP: Endpoint (EDR)

  • Advanced machine learning detects polymorphic malware
  • Emulator unpacks evasive malware while behavior analysis uncovers ransomware actions
  • IPS blocks the ransomware's attempts to reach its servers to download encryption keys
  • Isolate endpoints when ransomware is detected to prevent lateral movement
  • Hunt for ransomware IoCs across all endpoints
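The behavior that the WannaCry description above describes (many files renamed to .WCRY in quick succession) is exactly what the "behavior analysis" and "hunt for ransomware IoCs" bullets in this list depend on. The following Python is an added example, not Symantec product code, that runs that logic over a constructed sample of file-rename events: it flags any process that performs five or more renames to a ransom extension within 60 seconds, extracts the renamed paths as indicators to sweep other endpoints for, and lists the original file types that were hit. The event format, process names, paths and thresholds are all assumptions chosen for illustration.

```python
"""Behavior-based ransomware detection over file-rename events.

Added example; it is not Symantec code and models no Symantec product. It
assumes a constructed event feed (SAMPLE_LOG below) in the shape a file-system
monitor or EDR sensor might emit: one rename per line, fields separated by '|'.
"""
from collections import defaultdict, deque
from datetime import datetime

# .WCRY is the extension the page reports for WannaCry; .WNCRY is the variant
# seen on most samples. Extend this tuple from your own IoC feed.
RANSOM_EXTENSIONS = (".wcry", ".wncry")

# Constructed sample events (not real telemetry): timestamp|pid|image|src|dst.
# tasksche.exe performs six ransom renames in three seconds; the Word and
# Explorer renames are ordinary activity that must not be flagged.
SAMPLE_LOG = """\
2017-05-12T10:00:00|4412|tasksche.exe|C:\\Users\\alice\\Documents\\budget.xlsx|C:\\Users\\alice\\Documents\\budget.xlsx.WCRY
2017-05-12T10:00:01|4412|tasksche.exe|C:\\Users\\alice\\Documents\\report.docx|C:\\Users\\alice\\Documents\\report.docx.WCRY
2017-05-12T10:00:01|4412|tasksche.exe|C:\\Users\\alice\\Pictures\\holiday.jpg|C:\\Users\\alice\\Pictures\\holiday.jpg.WCRY
2017-05-12T10:00:02|4412|tasksche.exe|C:\\Users\\alice\\Desktop\\notes.txt|C:\\Users\\alice\\Desktop\\notes.txt.WCRY
2017-05-12T10:00:02|4412|tasksche.exe|C:\\Users\\alice\\Music\\song.mp3|C:\\Users\\alice\\Music\\song.mp3.WCRY
2017-05-12T10:00:03|4412|tasksche.exe|C:\\Users\\alice\\Documents\\thesis.pdf|C:\\Users\\alice\\Documents\\thesis.pdf.WCRY
2017-05-12T10:00:30|2200|WINWORD.EXE|C:\\Users\\alice\\Documents\\~WRL0001.tmp|C:\\Users\\alice\\Documents\\letter.docx
2017-05-12T10:05:00|3100|explorer.exe|C:\\Users\\alice\\Downloads\\a.zip|C:\\Users\\alice\\Downloads\\archive.zip
"""


def parse_events(log_text):
    """Parse 'timestamp|pid|image|src|dst' lines into dicts, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, src, dst = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                       "image": image, "src": src, "dst": dst})
    return events


def is_ransom_rename(event):
    """True when the destination gains a ransom extension the source did not have."""
    src = event["src"].lower()
    dst = event["dst"].lower()
    return dst.endswith(RANSOM_EXTENSIONS) and not src.endswith(RANSOM_EXTENSIONS)


def detect_ransomware_processes(events, window_seconds=60, threshold=5):
    """Return {(pid, image): peak_count} for every process that performed at
    least `threshold` ransom renames inside any `window_seconds` sliding window.
    A single rename (a user renaming one file by hand) never trips the rule."""
    windows = defaultdict(deque)   # per-process timestamps of ransom renames
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_ransom_rename(ev):
            continue
        key = (ev["pid"], ev["image"])
        q = windows[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()             # drop renames that fell out of the window
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def hunt_encrypted_files(events):
    """Paths that now carry a ransom extension: IoCs to sweep other endpoints for."""
    return sorted({ev["dst"] for ev in events if is_ransom_rename(ev)})


def original_file_types(events):
    """Original extensions of the renamed files, i.e. the file types targeted."""
    types = set()
    for ev in events:
        if is_ransom_rename(ev):
            name = ev["src"].rsplit("\\", 1)[-1]
            if "." in name:
                types.add(name.rsplit(".", 1)[-1].lower())
    return sorted(types)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (pid, image), n in detect_ransomware_processes(evs).items():
        print(f"ALERT pid={pid} image={image}: {n} ransom renames within 60s")
    print("IoCs to hunt:", hunt_encrypted_files(evs))
    print("targeted file types:", original_file_types(evs))
```

The sliding window is what separates this from a naive extension match: a process is flagged for the rate of ransom renames, not for any single one, which is also why the rule has to run per process rather than per host. In production the flagged (pid, image) pair is what an EDR would isolate, and the path list is what it would search for across the estate.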


Symantec Data Center Security: Server Advanced

  • Out-of-the-box IPS rules can prevent ransomware executables from being dropped or executed on the system
  • Customers not using full IPS protections can deploy policies to block specific malware executables
  • Additional rules can be applied to block all in- and outbound SMB traffic
  • Ransomware can also be blocked by adding executable hashes to global no-run lists

Learn More

Symantec 2019 Internet Security Threat Report

Our 123 million sensors record thousands of threat events per second from 157 countries and block 142 million threats daily. Use intel from the world’s largest civilian threat network to your advantage—download ISTR 24 now.


WannaCry: Ransomware attacks show strong links to Lazarus group

Similarities in code and infrastructure indicate close connection to group that was linked to Sony Pictures and Bangladesh Bank attacks.

An Integrated Defense Strategy to Fight Ransomware at Every Attack Point

Symantec's advanced ransomware protection solutions offer integrated defense across ALL control points.

Data Center Security Server Advanced Stops WannaCry

Learn how Symantec provides protection against the WannaCry ransomware.

WannaCry Ransomware: Top 10 Ways Symantec Incident Response Can Help

How IR can detect, remediate and protect against future ransomware attacks.

WannaCry Ransomware: 6 Implications for the Insurance Industry

This article illustrates the emerging risks that the insurance industry faces when it comes to cyber attacks.

Can files locked by WannaCry be decrypted: A technical analysis

The WannaCry ransomware worm has dominated the global news cycle since it started spreading.

What you need to know about the WannaCry Ransomware

Learn how this ransomware attack spread and how to protect your network from similar attacks.

Symantec protects customers against ransomware through layered defenses across multiple product lines, guarding multiple attack vectors and targets including email, web, endpoints, and data center servers. SONAR behavior detection technology also proactively protects against infections.

Endpoint: Symantec Endpoint Protection and Norton
Symantec Endpoint Protection (SEP) and Norton have blocked any attempt to exploit the vulnerability used by WannaCry since April 24, before WannaCry first appeared, using a combination of technologies. In fact, the Advanced Machine Learning feature alone in SEP proactively blocked all WannaCry infections on day zero, without any updates. All SEP versions including SEP 14, SEP Cloud and SEP Small Business Edition have these automatic protections available against WannaCry. See Details and Recommendations section below for more information.

Email: Symantec Email Security.cloud and Symantec Messaging Gateway
Symantec Email Security.cloud and Symantec Messaging Gateway products provide automatic protection against WannaCry for email-based attacks.

Web: Symantec Secure Web Gateway
Symantec Secure Web Gateway (SWG) blocks access to malicious websites and downloads that might contain ransomware. SWG solutions include ProxySG, WSS, GIN, Content and Malware Analysis, Security Analytics, and SSLV.

Workload: Symantec Data Center Security: Server Advanced
Symantec Data Center Security: Server Advanced (DCS:SA) intrusion prevention policies block WannaCry out of the box. All three levels of DCS:SA policy for Windows (version 6.0 and up), Basic, Hardening, and Whitelisting, block the WannaCry attack from dropping malicious executables onto systems. Customers not deploying full intrusion prevention capabilities can apply targeted intrusion prevention policies to block execution of the ransomware.

Note: See the Data Center Security Server ransomware blog post for additional details and instructions.

Endpoint Management: Symantec IT Management Suite
Symantec IT Management Suite (ITMS) provides vulnerability patching and updates for endpoints and data center servers. The Security Update for Microsoft Windows SMB Server (4013389), which closes the vulnerability WannaCry exploits, was released by Microsoft in March 2017, and ITMS has supported deploying it since that date.

Note: ITMS 7.5 will patch Windows 7/8.1 systems, however ITMS 7.6 or newer is required to patch Windows 10 systems.

Cyber Security Services: Customers can use Symantec's Managed Security Services to monitor WannaCry alerts and detect ransomware spreading within their organization. Symantec also provides Incident Response Services, including readiness, hunting, and response services, for WannaCry victims.

View the detailed overview of how Symantec products protect you from WannaCry and other ransomware.

Details and recommendations for Symantec Endpoint Protection and Norton customers

Symantec recommends that customers have the following technologies enabled for full proactive protection:

  • Intrusion prevention
  • SONAR behavioral detection technology
  • Advanced machine learning

Note: Symantec Endpoint Protection customers are advised to migrate to SEP 14 to take advantage of the proactive protection provided by advanced machine learning.