Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 14 subscribers
  • Views 2430 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cryptoguard detected Ransomware attack

Per Synnergård

Hi,

Sophos Cryptoguard detected a ransomware attack from a remote computer in our network. Crypto Guard restored original files and blocked access from the remote computer, which feels safe. But we have not been able to find out what really caused the attack. Could this be a false positvie?



This thread was automatically locked due to age.
Parents
  • 0

    The ransomware-like action happened. You can see that in the documents being actioned. The question is if the action was being done by a legitimate program in your environment. To know that you would need to go onto that host and see what was being done. Then you would need to investigate why these actions are being done, and make a decision at that point. 

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to RichardP

    Thanks for the quick reply! We know which program (a program often used in our business) caused the ransomware action and what was done, but we could not find info about that particular program in any log file. What we are still wondering is if ransomware can be activated via a known program? And if there is any log file that can show us which process caused the ransomware attack?

Reply
  • 0 in reply to RichardP

    Thanks for the quick reply! We know which program (a program often used in our business) caused the ransomware action and what was done, but we could not find info about that particular program in any log file. What we are still wondering is if ransomware can be activated via a known program? And if there is any log file that can show us which process caused the ransomware attack?

Children
  • 0 in reply to Per Synnergård

    The problem you are having is that the PE is on a remote machine. The endpoint that detected the action can't know what program is trying to the do the action - all it has is an incoming connection that is executing suspicious commands. There isn't much that you can do about this. The next question I have is why are you do this type of file alterations across the network? Is this an archiving software? 

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Unfiltered HTML