Seeking Advice: Ransomware Attack and Solutions for Legacy Systems

Hello,

I know, you don't want to hear these answers:

to point 1: You cannot use a modern AV / Endpoint Security solution to "heal" the fact that your customer is using an outdated platform.

to point 2. This is a wide field. Better seek professional advice / help, if you cannot answer this alone. We cannot give "cheap" advice like that here, this is a community forum.

to point 3. Sorry to be so harsh: "No Backup, No Mercy!" You should undergo all possible (technical) measures to proect your backup from being accessed by an attacker and to be encrypted. If it would be possible to simply decrypt that data, nobody would have a problem with ransomware.

Concerning your goal: this is a good idea, you should definitely ask for a professional serviceprovider to help you here. It sound that you are not very familiar with that.

Hello Philipp,

Thank you for your response. While I appreciate your advice, I'm specifically seeking community help in navigating these challenges.

Regarding our client's situation, this is the first time they are working with us. The fact that they may have an older infrastructure is actually beneficial for us, as it opens up the possibility of offering them multiple products and solutions tailored to their needs.

On the second point, we have traditionally used Kaspersky for all our clients. However, this is our first venture with SOPHOS, following our recent partnership with them. We're eager to develop our expertise with SOPHOS products. Although our experience with them is limited at the moment, we see this as a significant opportunity for both us and SOPHOS.

Again, thank you for your insights, but I am hoping to engage more with the community for additional perspectives and advice.

Best regards,

Ok, feel free to do it like that.

I can only recommend to get in touch with Sophos Rapid Response team ASAP.

We are Sophos partner as you and would definitely do that in your case.

Hi,

1. Intercept X is, in general, highly effective at protecting against ransomware. This includes both known families and previously unknown strains of ransomware. I do not know specifically about Hhuy, but if it's known to the industry, Intercept X likely protects against it. However, ransomware is increasingly used as one of many tools by attackers. You and the customer may want to consider a managed detection and response service, such as Sophos MDR.
2. There is information here about both the licensing and the product capability limits for Intercept X on legacy Windows operating systems: https://support.sophos.com/support/s/article/KB-000039324?language=en_US. It is really important to work with your client to upgrade/replace these legacy systems. Where that's not immediately possible, you'll want to look at additional controls. Intercept X with extended support is a good option, but you'll also want to look at options like strong lockdown of the Windows OS, network segmentation, NDR (potentially Sophos NDR), and other controls.
3. Sophos does not provide decryption tools. I see that there is a DJVU ransom decryption tool available at https://www.nomoreransom.org/en/decryption-tools.html. You might take a look and see if that's helpful.

Beyond recovering the data, it will be important to do a comprehensive analysis of the customer's environment. You need to find out if the attacker still has a presence on any of the customer's systems or access to their network. If you need assistance with this, you and the customer could consider engaging Sophos Incident Response Services.

Unfortunately, in certain instances, transitioning from Windows 7 is not feasible due to compatibility issues. The OEMs providing equipment do not support Windows 10 on this specific hardware. How can we ensure the security of these systems using SOPHOS Intercept X without resorting to multiple security systems