
CryptoGuard Ransomware Detection

Hey folks,

Does anybody know how and what triggers ransomware attack detection?

We have a process via batch script that calls GPG.exe to encrypt the files. This process is executed via a remote workstation, and the target files are on our File Server. Included in the batch script is the cleanup of unencrypted files using the sdelete command.

Am I right to assume that the ransomware attack detection was triggered after encrypting the files via GPG?

Thanks,

Kheir



  • Hi,

    CryptoGuard is constantly monitoring file writes for encrypted files. If it detects that actions behave like ransomware, it will restore the impacted files and stop the detected process's execution.

    You have to differentiate in this case between CryptoGuard detecting local encryption activities and detecting remotely executed encryption activities. With a local detection you always have the full context (what application/process encrypted the files) and you can create an exclusion that would prevent future detections for that application (see: https://support.sophos.com/support/s/article/KB-000039184).

    If however a remote system is encrypting the files, then you have limited visibility (you only see which system (IP address) encrypted which files leading up to the detection). So CryptoGuard reacts by preventing write access for the offending IP address. A new exclusion type, which is available for computers in the EAP and will allow you to specify folders that are not to be monitored for ransomware activities, could help if it is a remote detection. More details about the EAP can be found here: New Endpoint/Server Protection Features Early Access Program - Announcements - Endpoint EAP - Sophos Community

    Another good read about Cryptoguard is the following KBA: https://support.sophos.com/support/s/article/KB-000036287

    Regards,
    Marcel
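    The behaviour Marcel describes (remote writes visible only by source IP, impacted files rolled back, write access denied for the offending address) as an added illustrative monitor; this is not CryptoGuard's code, and the entropy threshold, burst limit, event format and sample events are constructed assumptions:

```python
import math
import random
from collections import defaultdict

ENTROPY_THRESHOLD = 7.5  # bits per byte; GPG output sits near 8.0, office documents far lower (assumed)
BURST_LIMIT = 3          # high-entropy writes per actor before the monitor reacts (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext and compressed data approach 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def actor_of(event: dict) -> tuple:
    """Local writes carry a process name; writes over SMB only carry a source IP."""
    if event.get("process"):
        return ("process", event["process"])
    return ("ip", event["src_ip"])


def run_monitor(events: list) -> dict:
    """Replay write events: snapshot a file before it is overwritten, then block and roll back a bursty actor."""
    files, snapshots = {}, {}
    bursts, blocked, restored = defaultdict(int), set(), []
    for ev in events:
        actor, path = actor_of(ev), ev["path"]
        if actor in blocked:
            continue  # write access already denied for this process or IP
        if path in files and path not in snapshots:
            snapshots[path] = (actor, files[path])  # pre-write copy kept for rollback
        files[path] = ev["content"]
        if shannon_entropy(ev["content"]) >= ENTROPY_THRESHOLD:
            bursts[actor] += 1
            if bursts[actor] >= BURST_LIMIT:
                blocked.add(actor)
                for p, (who, original) in snapshots.items():
                    if who == actor:
                        files[p] = original  # restore the impacted file
                        restored.append(p)
    return {"blocked": blocked, "restored": sorted(restored), "files": files}


_rng = random.Random(7)
SAMPLE_EVENTS = (  # constructed: a local editor writes plaintext, then a remote host overwrites it with ciphertext
    [{"process": "winword.exe", "path": f"\\\\fs01\\share\\doc{i}.docx", "content": b"quarterly report " * 100} for i in range(3)]
    + [{"src_ip": "10.0.0.5", "path": f"\\\\fs01\\share\\doc{i}.docx", "content": bytes(_rng.getrandbits(8) for _ in range(2048))} for i in range(3)]
)
```

    Only the remote actor trips the burst limit, and because it is identified by IP rather than by process, blocking it denies every further write from that address, which is the limited-context situation described above.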

  • Thanks for the info Marcel,

    It is indeed a remote detection as the logs report the IP address of the machine. So, this new exclusion type is still in EAP; do you know when this feature will become standard? And do you know if any other type of exclusion will be available? It would be nice if we had an option to exclude IP addresses, as our remote workstations' IP addresses are reserved addresses.

    Regards,

    Kheir

