CryptoGuard Ransomware Detection

Question

Hey folks, 
 Does anybody know how and what triggers ransomware attack detection? 
 We have a process via batch script and it calls for GPG.exe encryption on the files. This process are executed via remote workstation, and the target files are from our File Server. Including in the batch script is cleaning up of unencrypted files using sdelete command. 
 Am i right to assume that the ransomware attack was triggered after encrypting the file via GPG? 
 Thanks, 
 Kheir

Marcel · Answer

Hi kheir fernandez , 
 CryptoGuard is constantly monitoring file writes for encrypted files. If it detects that actions behave like ransomware, it will restore the impacted files and stop the detected process's execution. 
 You have to differentiate in this case between CryptoGuard detecting local encryption activities and detecting remotely executed encryption activities. With a local detection you always have the full context (what application/process encrypted the files) and you can create exclusion that would prevent future detections for that application (see: https://support.sophos.com/support/s/article/KB-000039184 ). 
 If however a remote system is encrypting the files then you have limited visibility (you only see which system (IP address) encrypted which files leading up to the detection. So Cryptoguard reacts with preventing write access for the offending IP address. A new exclusion type, which is available for computers in the EAP, will allow you to specify folders that are not to be monitored for ransomware activities could help if it is a remote detection. More details about the EAP can be found here: New Endpoint/Server Protection Features Early Access Program - Announcements - Endpoint EAP - Sophos Community 
 Another good read about Cryptoguard is the following KBA: https://support.sophos.com/support/s/article/KB-000036287 
 Regards, Marcel

CryptoGuard Ransomware Detection

Top Replies