
Sophos Home Premium vs Ransomware [Failed]

I have just watched a video of Sophos Home Premium vs a ransomware called “ChineseRarypt.” There is very little information about this ransomware, and I cannot find anything on it other than that it deletes files rather than encrypts them. The YouTuber has tested other AVs against this ransomware, including Panda, Bitdefender, and Kaspersky. Kaspersky’s System Watcher failed to protect against it, and so did Bitdefender’s Advanced Threat Defense and Folder Protection. Now, it seems Sophos Home Premium, which includes Intercept X, has been bypassed as well. I cannot provide a sample, but I will post the video. Hopefully, staff can take a look at this incident. https://youtu.be/hBFB997WKBg


  • Hi  

    I have watched the video provided here and found that what the user is running as ChineseRarypt is a bat file; it doesn't seem to be actual ransomware.

    As you mentioned, it just deletes the images from the Pictures folder. It didn't encrypt any of the folders under the C drive.

    Also, the person who captured the video has added exceptions for processhacker.exe and iobitunlocker.exe in the settings.

    Until we have a sample of this, we can't say whether it was actual ransomware, or whether it was not utilizing Process Hacker or any of the excluded utilities.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link

  • I don't know if this will help any, but in the Kaspersky video, which I will link, the supposed ransomware does go through its malicious actions, but Kaspersky does detect it in the end when it tries to embed itself into startup. Kaspersky gave the option to initiate rollback and disinfection, but the procedure couldn't roll back everything, including the "encryption." https://youtu.be/pwIej9duBhw On another note, the fact that this batch file only deleted files is a valid reason to suspect that this may not be actual ransomware. But upon looking at his other videos, another ransomware works this way: MirCop ransomware encrypts and then deletes files during its attack. In a video I will link, it is tested against ZoneAlarm Anti-Ransomware, where the product succeeds. https://youtu.be/ENAClP0-YZY
  • Hi  

    Thank you for both the videos. I am not aware of how Kaspersky works for ransomware detection.

    But in general, ransomware gets detected by AVs when there is a rapid change in the header, name of the files, etc.

    Also, whereas ZoneAlarm restored the files after clicking on repair, if Sophos detects a ransomware attack it replaces the files encrypted before the attack was detected (which could be very few) with the original files, without any option for repair.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

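The header/name-change heuristic Jasmin describes, as an added example that is not part of the thread and not Sophos' or any vendor's logic: a toy detector over constructed file events that also shows why a script that only deletes files (as the video's .bat appears to) would not trip such a rule. File paths, headers and timings are all constructed.

```python
"""Toy behavioural heuristic of the kind described above: alert when many files
change header (known format -> opaque bytes) or name inside a short window.
Added example, not Sophos' or any vendor's logic; all events are constructed."""
from collections import deque
from dataclasses import dataclass

MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png", b"%PDF": "pdf"}

def file_type(header: bytes) -> str:
    """Identify a file by its leading bytes; anything unrecognised is 'unknown'."""
    return next((n for m, n in MAGIC.items() if header.startswith(m)), "unknown")

def ext(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower()

@dataclass
class Event:
    t: float                 # seconds since monitoring started
    kind: str                # "write", "rename" or "delete"
    path: str
    old_header: bytes = b""  # write only: leading bytes before the write
    new_header: bytes = b""  # write only: leading bytes after the write
    new_path: str = ""       # rename only

class BurstDetector:
    def __init__(self, window_s: float = 5.0, threshold: int = 3):
        self.window_s, self.threshold = window_s, threshold
        self.hits = deque()  # timestamps of header/name-change events still in window

    def feed(self, ev: Event):
        """Return an alert string once the burst threshold is crossed, else None."""
        if ev.kind == "write" and file_type(ev.old_header) != "unknown" \
                and file_type(ev.new_header) == "unknown":
            self.hits.append(ev.t)  # a recognised format was overwritten with opaque data
        elif ev.kind == "rename" and ext(ev.path) != ext(ev.new_path):
            self.hits.append(ev.t)  # extension changed, e.g. .jpg -> .jpg.locked
        # Plain deletes are deliberately not counted: the rule watches content and
        # name changes, which is exactly why a delete-only .bat slips past it.
        while self.hits and ev.t - self.hits[0] > self.window_s:
            self.hits.popleft()
        if len(self.hits) >= self.threshold:
            return f"ransomware-like burst: {len(self.hits)} header/name changes in {self.window_s}s"
        return None

def run(events):
    """Feed events in time order and collect every alert raised."""
    det = BurstDetector()
    return [a for a in (det.feed(e) for e in sorted(events, key=lambda e: e.t)) if a]

JPEG, OPAQUE = b"\xff\xd8\xff\xe0", b"\x7b\x11\x9c\x02"  # constructed headers
# Constructed scenario 1: an encryptor overwrites three pictures, then renames them.
ENCRYPT_EVENTS = [Event(i * 0.2, "write", f"Pictures/{i}.jpg", JPEG, OPAQUE) for i in range(3)] + [
    Event(1 + i * 0.2, "rename", f"Pictures/{i}.jpg", new_path=f"Pictures/{i}.jpg.locked") for i in range(3)]
# Constructed scenario 2: the .bat from the video only deletes the pictures.
DELETE_EVENTS = [Event(i * 0.2, "delete", f"Pictures/{i}.jpg") for i in range(6)]
```

`run(ENCRYPT_EVENTS)` raises an alert from the third overwrite onwards, while `run(DELETE_EVENTS)` returns an empty list, which is the gap the thread is discussing.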