This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Seeking Advice: Ransomware Attack and Solutions for Legacy Systems

I am reaching out for guidance on a critical issue one of our clients is currently facing. They have fallen victim to a ransomware attack, specifically impacted by the 'Hhuy virus' from the STOP/DJVU ransomware family, identifiable by the '.HHUY' extension on encrypted files.

The client's infrastructure includes computers running on Windows 7 and servers on Windows Server 2008 & 2012. Unfortunately, Intersept X, which we are considering as a potential security solution, seems to have compatibility issues with Windows 7.

We've managed to install a trial version of Intersept X on some of the compatible machines, as part of our proposal to integrate Sophos solutions (including Firewall and Intersept X) into their security framework.

Here are my key inquiries:

  1. Efficacy of Intersept X: Is Intersept X an effective tool to neutralize such viruses, particularly for systems compromised by the Hhuy ransomware?
  2. Legacy System Solutions: What are the recommended security measures or solutions for the servers running on outdated Windows versions (2008 & 2012) which are crucial for our client's operations?
  3. Data Recovery: The client has lost nearly 20 years' worth of data due to encryption by the ransomware. Are there any viable decryption methods or data recovery solutions available for this specific ransomware family?

Our goal is to reassure the client of their security and data integrity by adopting Sophos solutions. Any insights, experiences, or recommendations in dealing with similar scenarios would be immensely valuable.

Thank you in advance for your help and advice.



This thread was automatically locked due to age.
Parents
  • Hi,

    1. Intercept X is, in general, highly effective at protecting against ransomware. This includes both known families and previously unknown strains of ransomware. I do not know specifically about Hhuy, but if it's known to the industry, Intercept X likely protects against it. However, ransomware is increasingly used as one of many tools by attackers. You and the customer may want to consider a managed detection and response service, such as Sophos MDR.
    2. There is information here about both the licensing and the product capability limits for Intercept X on legacy Windows operating systems: https://support.sophos.com/support/s/article/KB-000039324?language=en_US. It is really important to work with your client to upgrade/replace these legacy systems. Where that's not immediately possible, you'll want to look at additional controls. Intercept X with extended support is a good option, but you'll also want to look at options like strong lockdown of the Windows OS, network segmentation, NDR (potentially Sophos NDR), and other controls.
    3. Sophos does not provide decryption tools. I see that there is a DJVU ransom decryption tool available at https://www.nomoreransom.org/en/decryption-tools.html. You might take a look and see if that's helpful.

    Beyond recovering the data, it will be important to do a comprehensive analysis of the customer's environment. You need to find out if the attacker still has a presence on any of the customer's systems or access to their network. If you need assistance with this, you and the customer could consider engaging Sophos Incident Response Services.

Reply
  • Hi,

    1. Intercept X is, in general, highly effective at protecting against ransomware. This includes both known families and previously unknown strains of ransomware. I do not know specifically about Hhuy, but if it's known to the industry, Intercept X likely protects against it. However, ransomware is increasingly used as one of many tools by attackers. You and the customer may want to consider a managed detection and response service, such as Sophos MDR.
    2. There is information here about both the licensing and the product capability limits for Intercept X on legacy Windows operating systems: https://support.sophos.com/support/s/article/KB-000039324?language=en_US. It is really important to work with your client to upgrade/replace these legacy systems. Where that's not immediately possible, you'll want to look at additional controls. Intercept X with extended support is a good option, but you'll also want to look at options like strong lockdown of the Windows OS, network segmentation, NDR (potentially Sophos NDR), and other controls.
    3. Sophos does not provide decryption tools. I see that there is a DJVU ransom decryption tool available at https://www.nomoreransom.org/en/decryption-tools.html. You might take a look and see if that's helpful.

    Beyond recovering the data, it will be important to do a comprehensive analysis of the customer's environment. You need to find out if the attacker still has a presence on any of the customer's systems or access to their network. If you need assistance with this, you and the customer could consider engaging Sophos Incident Response Services.

Children
  • Unfortunately, in certain instances, transitioning from Windows 7 is not feasible due to compatibility issues. The OEMs providing equipment do not support Windows 10 on this specific hardware. How can we ensure the security of these systems using SOPHOS Intercept X without resorting to multiple security systems