Nyotron is reporting a new strain of ransomware that can bypass most malware protection.
I ran their test tool. Intercept-X flagged it as a generic PUA. I made an exception for the PUA and let the test run. The tool was able to successfully encrypt my test files, which, to me, indicates that Intercept-X isn't able to block it. I hope that's not the case.
Sophos uses various detection techniques; however, without a sample we are not able to confirm if we detect this malware. Please send a sample of the files you have tested to SophosLabs via our web submission link: https://secure2.sophos.com/en-us/support/submit-a-sample.aspx. From there, choose "Submit a sample file" and provide the requested information.
Thank you very much!
Not a good look for Sophos when articles like this come out. Seems the "other" guys have taken this thing seriously but Sophos forum gurus still want us to submit samples.
If someone is reporting a potential threat, then I think it is fair to request a sample submission; this allows SophosLabs to analyse the file and provide a suitable response as to the threat the file poses and the protection Sophos offers.
In some cases these claims or disclosures relate to a POC; as it does in this case. Sophos do take threats seriously, do not take a lack of an article to mean a lack of attention! We have various blogs, such as SophosLabs Uncut, that write about new and interesting threats; it is not possible to cover them all, and it appears in this case that we didn't.
You highlight that the original RIPlace technique is being used in the wild; I will speak to the team and update this thread with info we can share about Thanos ransomware.
Yes, this landed in Intercept X; HitmanPro.Alert is protected also, and so should Sophos Home Premium be.
With regards to Thanos, we've only seen the option in the Ransomware Builder, AFAIK there are no samples in the wild (yet) abusing this.
Ronny (Team HitmanPro).
Awesome. Good job. There may not be much in the wild right now but you know there will be eventually. Always better to stay ahead of these types of exploits. Thanks for the update.
I just passed all of this along to my rep to see if he has any insights. I even notified them of someone who is part of a Facebook group I'm on that got hit with the Kupidon ransomware (Sophos didn't block it).