
Ransomware Simulation Tool (simulation of real ransomware and cryptomining infections)

Hi,

We ran a ransomware simulation tool on our network to test some infection scenarios and found that our Sophos anti-virus did not pick up the following varieties:

Collaborator

Encrypts files similarly to a common version of Critroni. However, it relies on different processes for file enumeration, movement and deletion.

Injector

Encrypts files by injecting the encryption code into a legitimate process using a common approach.

ReflectiveInjector

Encrypts files by injecting the encryption code into a legitimate process using an advanced approach.

SlowCryptor

Simulates the behavior of a ransomware variant that encrypts files slowly, to avoid detection by security products.
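One way to see why the SlowCryptor scenario slips past a throughput heuristic is to run two detectors over the same stream of file rewrites: one that counts writes per time window, and one that looks at what each write did to the file's content. This is an added example, not code from the original post, from Sophos, or from the simulation tool. The event stream, the document text, the XOR keystream used as a stand-in for encryption, the window and entropy thresholds, and the function names are all constructed here for illustration.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

# Constructed sample document (not from any real system): repetitive English text,
# so its byte entropy is well below that of ciphertext.
PLAINTEXT = b"Quarterly report: revenue up, costs flat. Action items below.\n" * 64


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext or compressed data, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fake_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for the ransomware's encryption step: XOR with a SHA-256 counter keystream.
    Deterministic so the example runs offline. This is NOT a real cipher; it only
    produces output with ciphertext-like byte statistics."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class WriteEvent:
    ts: float      # seconds since start of the simulation
    path: str
    before: bytes  # file contents before the rewrite
    after: bytes   # file contents after the rewrite


def rate_based_alerts(events, window_s=10.0, min_writes=20):
    """Throughput heuristic (hypothetical thresholds): alert whenever at least
    min_writes rewrites land inside any window_s-second span."""
    ts = sorted(e.ts for e in events)
    alerts = []
    j = 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > window_s:
            j += 1
        if i - j + 1 >= min_writes:
            alerts.append(ts[i])
    return alerts


def content_based_alerts(events, threshold=7.0, min_size=64):
    """Per-file heuristic: alert when a low-entropy file is rewritten as high-entropy
    data, regardless of how slowly the rewrites arrive."""
    alerts = []
    for e in events:
        if len(e.after) < min_size:
            continue
        if shannon_entropy(e.before) < threshold <= shannon_entropy(e.after):
            alerts.append(e.path)
    return alerts


def simulate_cryptor(n_files=30, interval_s=60.0):
    """Constructed event stream: n_files documents each replaced by 'ciphertext',
    one every interval_s seconds (60 s mimics a slow cryptor, 0.1 s a fast one)."""
    key = b"simulation-key"
    return [
        WriteEvent(i * interval_s, f"doc{i}.txt", PLAINTEXT,
                   fake_encrypt(PLAINTEXT, key + bytes([i])))
        for i in range(n_files)
    ]


def simulate_benign_edit(n_files=30, interval_s=0.1):
    """Same throughput as the fast cryptor, but the new content is still plaintext
    (e.g. a bulk search-and-replace across documents)."""
    return [
        WriteEvent(i * interval_s, f"doc{i}.txt", PLAINTEXT, PLAINTEXT + b"Edited.\n")
        for i in range(n_files)
    ]


if __name__ == "__main__":
    for name, events in (("slow cryptor", simulate_cryptor(interval_s=60.0)),
                         ("fast cryptor", simulate_cryptor(interval_s=0.1)),
                         ("benign bulk edit", simulate_benign_edit())):
        print(f"{name:17s} rate-based alerts: {len(rate_based_alerts(events)):3d}   "
              f"content-based alerts: {len(content_based_alerts(events)):3d}")
```

With the constructed stream, the rate-based check never fires on the 60-second cryptor because no 10-second window ever holds more than one write, while the content-based check flags every rewritten document; the benign bulk edit shows the opposite trade-off, tripping the rate heuristic but not the content one. The content heuristic also has the weakness raised in the reply below: a user who legitimately encrypts or compresses a document produces exactly the same low-to-high entropy transition, so a real product has to combine this kind of signal with process context rather than alert on it alone.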

  • My assumption is that CryptoGuard has to be mindful of legitimate encryption processes as well. Encryption doesn't always mean malware. If CryptoGuard flagged every encryption attempt we would have many issues. I'm curious what exactly the ReflectiveInjector is doing. If there was more insight into this we could see what can be done to help Sophos better detect this technique.