I have watched the video provided here and found that what the user is running, shown as ChineseRarypt, is a bat file and doesn't seem to be actual ransomware.
As you mentioned, it just deletes the images from my Pictures folder. It didn't encrypt any of the folders under the C drive.
Also, the person who captured the video has put exceptions for processhacker.exe and iobitunlocker.exe in the settings.
Until we have a sample of this, we can't say whether it was actual ransomware and that it was not utilizing Process Hacker or any excluded utilities.
Regards,
Jasmin
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Thank you for both the videos. I am not aware of how Kaspersky works for ransomware detection.
But in general, ransomware gets detected by AVs when there is a rapid change in the headers, names of the files, etc.
Also, while ZoneAlarm restored the files after clicking on Repair, if Sophos detects a ransomware attack, it replaces the files that were encrypted before the attack was detected (which could be very few) with the original files, without any option for repair.
Regards,
Jasmin
Community Support Engineer | Sophos Support
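As an added illustration (not code from the thread, Sophos, or ZoneAlarm), here is a toy version of the behavioural heuristic the reply above describes: a process that rapidly overwrites file headers or renames files to an unknown extension is flagged, while an editor or converter that keeps a valid header is not. The event stream, process names and paths are constructed for the example; the magic-byte table covers only a few common formats.

```python
# Added example (not from the thread): a toy version of the behavioural
# heuristic described above, detecting a process that rapidly rewrites file
# headers or renames files. All events, process names and paths below are
# constructed for illustration.
from collections import defaultdict, deque
from dataclasses import dataclass
import os

# Expected leading bytes ("magic") for a few common document types.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
}


@dataclass(frozen=True)
class FileEvent:
    ts: float       # seconds since the start of the trace
    process: str    # image name of the process that wrote/renamed the file
    old_path: str   # path before the operation
    new_path: str   # path after it (equals old_path when only the content changed)
    head: bytes     # first bytes of the file content after the write


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def suspicious(ev: FileEvent) -> bool:
    """One event looks ransomware-like if the content no longer matches the
    type its extension declares, or a known type was renamed to an extension
    we do not recognise (e.g. photo.jpg -> photo.jpg.locked)."""
    old_ext, new_ext = _ext(ev.old_path), _ext(ev.new_path)
    expected = MAGIC.get(new_ext)
    if expected is not None:
        # Known target type: a converter or editor keeps a valid header,
        # an encryptor overwrites it with ciphertext.
        return not ev.head.startswith(expected)
    # Unknown target extension: flag only if it used to be a known type.
    return old_ext in MAGIC


def detect(events, window=5.0, threshold=3):
    """Sliding-window rate check per process. Returns {process: timestamp of
    the event that crossed the threshold}. A single odd event never alerts;
    a burst of them within `window` seconds does."""
    alerts = {}
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.ts):
        if not suspicious(ev):
            continue
        q = recent[ev.process]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev.process not in alerts:
            alerts[ev.process] = ev.ts
    return alerts


PICS = r"C:\Users\demo\Pictures"   # constructed path
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF"
PNG_HEAD = b"\x89PNG\r\n\x1a\n"
CIPHER_HEAD = b"\x9c\x17\xe2\x4b\xa0\x03\x7f\xd8"  # constructed, ciphertext-like

EVENTS = [
    # benign: image editor re-saves a JPEG, header still valid
    FileEvent(0.0, "mspaint.exe", PICS + r"\a.jpg", PICS + r"\a.jpg", JPEG_HEAD),
    # benign: converter changes the extension, but the new header matches PNG
    FileEvent(0.5, "convert.exe", PICS + r"\b.jpg", PICS + r"\b.png", PNG_HEAD),
    # suspicious burst: one process rewrites and renames three files in ~1 s
    FileEvent(10.0, "suspect.exe", PICS + r"\c.jpg", PICS + r"\c.jpg.locked", CIPHER_HEAD),
    FileEvent(10.4, "suspect.exe", PICS + r"\d.png", PICS + r"\d.png.locked", CIPHER_HEAD),
    FileEvent(11.1, "suspect.exe", PICS + r"\e.pdf", PICS + r"\e.pdf.locked", CIPHER_HEAD),
    # isolated odd event: user renames a document to .bak, below threshold
    FileEvent(30.0, "explorer.exe", PICS + r"\f.docx", PICS + r"\f.bak", b"PK\x03\x04"),
]

if __name__ == "__main__":
    for proc, ts in detect(EVENTS).items():
        print(f"ALERT t={ts:.1f}s process={proc}: rapid header/name changes")
```

Running the block alerts once, on `suspect.exe` at the third suspicious write within the five-second window, and stays quiet for the editor, the converter and the lone `.bak` rename. The window and threshold are the tuning knobs: too low and a bulk converter trips it, too high and more files are rewritten before the alert fires, which is exactly why a product such as the one described in the reply pairs detection with keeping copies of the first few modified files so they can be put back.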