This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

.wallet ransomware

Last week one of our dev servers with no protection was hit by .wallet ransomware.

What got our attention was we have 3 fileservers that our fully protected with Sophos. But we noticed many files in one of the shared folders were crypted. How did sophos let this happen? we have about 10 shared folders. of which one of them had almost all the files crytpted.

How can we resolve this and ensure that all servers are fully protected in the future



This thread was automatically locked due to age.
Parents
  • Hello Sunith Philip,

    if I understand you correctly this one of the shared folders was hosted by one of the Sophos protected servers? Do you also use Intercept X/Cryptoguard?
    Encryption is performed on the compromised machine, "basic" Sophos on the host might or might not be able to determine that the file is encrypted, even if it is it has no way to tell whether the encryption is legitimate or not.

    Christian

  • Hello CHristian,

    Yes we do. How do we know if Intercept is installed on the server or computer.

    Also, how can I find the exe file that was quarantined. I need to send this sample to Sophos lab

  • Hello Sunith Philip,

    if Intercept is installed
    I don't use Central but you should be able to find a computer's details on the Computers page.

    how can I find the exe file that was quarantined
    I'm not sure that I understand what has happened. From your OP I thought that the server that has initially been hit (say, it's called DEV01) was unprotected - thus nothing would have been quarantined. And the ransomware on DEV01 encrypted files on one share it had write access to, the share resides on the file servers (say, FS01-FS03).  In other words, DEV01 encrypted files on e.g. \\FS02\Share07\, is this correct? 

    Christian

Reply
  • Hello Sunith Philip,

    if Intercept is installed
    I don't use Central but you should be able to find a computer's details on the Computers page.

    how can I find the exe file that was quarantined
    I'm not sure that I understand what has happened. From your OP I thought that the server that has initially been hit (say, it's called DEV01) was unprotected - thus nothing would have been quarantined. And the ransomware on DEV01 encrypted files on one share it had write access to, the share resides on the file servers (say, FS01-FS03).  In other words, DEV01 encrypted files on e.g. \\FS02\Share07\, is this correct? 

    Christian

Children
No Data