This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Ransomware Simulation Too (simulation of real ransomware and cryptomining infections)

Hi,

We ran a ransomware simulation tool on our network to test some infection scenarios and found that our Sophos anti-virus did not pickup the following varieties:

Collaborator

Encrypts files similarly to a common version of Critroni. However, it relies on different processes for file enumeration, movement and deletion.                             

Injector    

Encrypts files by injecting the encryption code into a legitimate process using a common approach.                          

ReflectiveInjector          

Encrypts files by injecting the encryption code into a legitimate process using an advanced approach.                          

SlowCryptor        Simulates the behavior of a ransomware variant that encrypts files slowly, to avoid detection by security products.     



This thread was automatically locked due to age.
Parents
  • The challenge is that RanSim is a simulation, specifically one that isn't always faithful to how real-world ransomware works. There may be methods that ransomware could hypothetically use (but typically doesn't in the real world) that CryptoGuard in Intercept X doesn't block. In a real world situation, a lot of other layers of Intercept X would come into play: web protection, machine learning, reputation, etc. But, since we're allowing RanSim itself to run (it's a simulator, not malware), we're limited to evaluating its behaviors and trying to decide if they look like real malware. In some cases, they don't.

  • Is it possible to verify that Sophos can protect against all know versions of ransomware?

  • It would be very difficult to say "all known versions of ransomware". This is constantly changing...but something they are certainly aiming for. Perhaps you could "test" in a lab environment :-)

Reply Children