Remove Ransomware and Restore the System

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP, WatchGuard EDR Core

Features available differ by product. This topic lists features that might not be available in your Endpoint Security product.

Ransomware threats encrypt the content of files found on workstations and servers. The threats then demand a monetary ransom from the targeted company to recover the encrypted information. These threats are extremely dangerous because of the impact they can have on business operations. WatchGuard Endpoint Security includes multiple features to help organizations both detect and remediate ransomware attacks.

  • When you enable shadow copies, a daily copy of the computer files is made, up to a maximum of seven copies. Make sure to recover a clean copy of the encrypted files within seven days after the attack takes place; after seven days, all of the shadow copies contain encrypted files. For information about how to configure shadow copies, go to Configure Shadow Copies.
  • You can use the Isolate Computers feature to isolate Windows computers affected by a ransomware attack. When you isolate a computer, it could affect the normal operation of the computer. In the case of servers, it could prevent other computers on the network from working correctly. For more information, go to Isolate a Computer (Windows and Mac Computers).
  • Verify that the endpoint security software is working on all computers:
    • To confirm the working status of the endpoint security software on your computers, review the Protection Status tile on the dashboard.
    • Reinstall the security software on computers where the protection status is Error.
    • Find computers without security software installed. For more information about how to find unprotected computers, go to Schedule and Run Discovery Computer Tasks.
  • Make sure that global audit mode is enabled. For more information, go to Configure Audit Mode.
  • Configure advanced protection with these settings:
    • Set Operating Mode to Lock.
    • Set Advanced Security Policies to Block. (Advanced EPDR only)
    • Set the Anti-Exploit Protection to Block.
    • Enable Advanced Code Injection. (Advanced EPDR only)
      For more information, go to Advanced Protection.
  • Enable and configure the file antivirus, mail antivirus, and web browsing antivirus to detect all types of threats. For more information, go to Configure Antivirus Scanning.
  • Configure anti-tamper protection and set a password to prevent unauthorized uninstallation of the protection software.
    For more information, go to Configure Security Against Tampering.
  • Verify that the maximum space for shadow copies is between 10% and 20% to make sure there is sufficient space for copies. For more information, go to Configure Shadow Copies.

To remove ransomware and restore the system:

  1. Install patches that fix critical, detected vulnerabilities.
    For more information, go to Review Available Patches.
  2. Run an on-demand scan.
    For more information, go to Create a Scheduled Scan Task.
  3. Restart affected computers to close any remote connection in progress.
    For more information, go to Restart a Computer (Windows Computers). If the ransomware is still active after the restart, contact WatchGuard technical support.
  4. Restore encrypted files on each computer using Windows shadow copies or following your corporate data recovery procedure.
  5. Return the security settings you changed to their previous values.
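Before you restore files in step 4, it helps to confirm that a shadow copy taken before the encryption started still exists and that the shadow-storage limit is within the 10% to 20% range recommended above. The script below is an added example, not code from WatchGuard or its documentation: it reads the Windows VSS data through the standard Win32_ShadowCopy, Win32_ShadowStorage, and Win32_Volume CIM classes and assumes an elevated PowerShell session on the affected computer; the attack time is a placeholder you replace with the time encryption is believed to have started.

```powershell
# Added example (not WatchGuard code): audit VSS shadow copies before a ransomware restore.
function Test-ShadowCopyRecovery {
    param(
        [Parameter(Mandatory)][datetime]$AttackTime,  # when encryption is believed to have started
        [int]$RetentionDays = 7,                       # this page: daily copies, seven kept
        [int]$MinPct = 10,                             # this page: recommended storage limit range
        [int]$MaxPct = 20
    )
    $now     = Get-Date
    $copies  = Get-CimInstance -ClassName Win32_ShadowCopy
    $storage = Get-CimInstance -ClassName Win32_ShadowStorage

    foreach ($vol in Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -and $_.Capacity }) {
        # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID both use the \\?\Volume{GUID}\ form
        $volCopies = $copies | Where-Object { $_.VolumeName -eq $vol.DeviceID } | Sort-Object InstallDate
        $clean = @($volCopies | Where-Object { $_.InstallDate -lt $AttackTime })   # candidate clean data
        $dirty = @($volCopies | Where-Object { $_.InstallDate -ge $AttackTime })   # likely encrypted content

        # Newest pre-attack copy is overwritten once RetentionDays newer daily copies exist
        $daysLeft = if ($clean) {
            [math]::Round(($clean[-1].InstallDate.AddDays($RetentionDays) - $now).TotalDays, 1)
        } else { 0 }

        # Shadow-storage limit as a percentage of the volume; an unbounded limit reports $null
        $st  = $storage | Where-Object { $_.Volume.DeviceID -eq $vol.DeviceID } | Select-Object -First 1
        $pct = if ($st -and $st.MaxSpace -lt $vol.Capacity) {
            [math]::Round(100 * $st.MaxSpace / $vol.Capacity, 1)
        } else { $null }

        [pscustomobject]@{
            Volume            = $vol.DriveLetter
            CleanCopies       = $clean.Count
            NewestCleanCopy   = if ($clean) { $clean[-1].InstallDate } else { $null }
            DaysUntilRotated  = $daysLeft          # 0 or negative: no clean copy expected to survive
            PostAttackCopies  = $dirty.Count
            StoragePct        = $pct
            StorageInRange    = ($null -ne $pct) -and ($pct -ge $MinPct) -and ($pct -le $MaxPct)
        }
    }
}

# Placeholder attack time; replace with the first encryption timestamp from your investigation.
Test-ShadowCopyRecovery -AttackTime '2024-01-01 03:00' | Format-Table -AutoSize
```

A volume with zero CleanCopies, or with DaysUntilRotated at or below zero, should be restored from the corporate data recovery procedure rather than from shadow copies.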

Related Topics

Configure Per-Computer Settings

Configure Shadow Copies