
Is there any official word from Sophos regarding the RIPlace ransomware threat?

Nyotron is reporting a new strain of ransomware that can bypass most malware protection.  

https://www.nyotron.com/blog/nyotron-discovers-potentially-unstoppable-ransomware-evasion-technique-riplace/

I ran their test tool. Intercept X flagged it as a generic PUA. I made an exception for the PUA and let the test run. The tool was able to successfully encrypt my test files, which, to me, indicates that Intercept X isn't able to block it. I hope that's not the case.

  • Hi Matthew,

    If someone is reporting a potential threat, then I think it is fair to request a sample submission; this allows SophosLabs to analyse the file and provide a suitable response as to the threat the file poses and the protection Sophos offers.

    In some cases these claims or disclosures relate to a POC; as it does in this case. Sophos do take threats seriously, do not take a lack of an article to mean a lack of attention! We have various blogs, such as SophosLabs Uncut, that write about new and interesting threats; it is not possible to cover them all, and it appears in this case that we didn't. 

    You highlight that the original RIPlace technique is being used in the wild; I will speak to the team and update this thread with the info we can share about Thanos ransomware.

    Regards,

    Stephen

  • Yes, this landed in Intercept X. HitmanPro.Alert is protected too, and so should Sophos Home Premium be.

    https://downloads.sophos.com/readmes/sesc_interceptx_rneng.html

    WINEP-23475

    With regards to Thanos, we've only seen the option in the Ransomware Builder; AFAIK there are no samples in the wild (yet) abusing this.

    Kind Regards,

    Ronny (Team HitmanPro).

  • Awesome. Good job. There may not be much in the wild right now but you know there will be eventually. Always better to stay ahead of these types of exploits. Thanks for the update. 

  • I just passed all of this along to my rep to see if he has any insights. I even notified them about someone who is part of a Facebook group I'm in that got hit with the Kupidon ransomware (Sophos didn't block it).