"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
The following examples illustrate the sort of false warnings you might see on your computers:
The web pages users are taken to may look like one of these:
Because this scam provides revenue directly to the hackers it is particularly popular. Creators of fake anti-virus software also use networks of affiliates to help distribute their software, usually by less than honest means.
Email and messaging Criminals send spam email and social network messages with the software installer attached, using a social engineering lure to persuade the recipient to open the attachment. Common lures include tax refund information, package delivery notifications or pictures of topical news stories.
Search Engine Optimization Hackers create pages related to common or topical search terms and design them to appear high in search engine results. This makes it likely that people will encounter the page during their usual search activity. The web pages may either display warnings about infection that encourage the user to purchase the fake anti-virus, or they download a video player which is actually the fake anti-virus installer.
Compromised websites Cybercriminals often break into other websites in order to spread their software, relying on the site's own popularity to draw innocent users. The hackers will then install extra code into the compromised pages, again with the goal of either displaying fake security warnings or exploiting a browser vulnerability to install their software directly. Cybercriminals will often combine these techniques to increase the effectiveness of their fraud:
Once installed the fake anti-virus may also install other malware such as spam bots or keyloggers.
The default configuration of the HIPS technologies is 'Alert only' meaning that it will notify the user or administrator but will not block any malicious actions. After tuning the HIPS technology to your environment, you can disable the ‘Alert only’ setting. This will allow HIPS to provide additional protection against fake anti-virus and many other threats. Further information regarding deploying and using the HIPS technologies in Sophos ESDP can be found in the following knowledgebase articles:
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.