I would like to know if only Intercept X is enough to protect a computer from Cryptolocker v3 and Sucylocker ransomware.
If it isn't enough, will Central Intercept X Advanced be the solution to fully protect the computer from ransomware?
I would like to know if only Intercept X is enough to protect a computer from ransomware like Cryptolocker v3, Sucylocker, Bluekeep, Wannacry, etc.
If it isn't enough, will Central Intercept X Advanced be the solution to fully protect the computer from ransomware?
The result of a test for Intercept X with this ransomware is shown in the following photos.
Carlos Raul Leon Quiroga
Undergraduate student - Telecommunications Engineering
Universidad Nacional de Ingeniería
Hi Carlos Raul Leon Quiroga
Intercept X utilizes behavioral analysis to stop never-before-seen ransomware and boot-record attacks. However, without a sample we are not able to confirm if we detect this malware. Please send a sample of the files you have tested to Sophos Labs and provide the requested information.
But these ransomwares, Sucylocker and Cryptolocker v3, are such well-known attacks at this point that I want to confirm whether Intercept X will fully protect the device from this ransomware.
Hello Carlos Raul Leon Quiroga
Yes, as mentioned by Shweta, Intercept X should be able to protect your devices because of its behavioral analysis. If it shows certain behavioral patterns similar to what ransomware will do, for example, creating copies of files and then contacting known Command and Control servers, etc., then it should detect this behavior and stop it from occurring. Sending a sample to Sophos Labs will also help us confirm if we protect against specific threats.
Also, it is important to ensure that you have set up Intercept X as recommended to prevent Ransomware, see KB below:
Ransomware: Prevention advice for Sophos products
Hi Carlos Raul Leon Quiroga
I completely agree with Shweta and DianneY. To further add to it, Sophos Central Intercept X Advanced includes Sophos traditional AV along with Intercept X, which means that it will provide layered protection against malware. To answer your questions:
1. For "Sucylocker Ransomware", I came across this result - https://maltiverse.com/sample/86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f. However, I cannot vouch for such results and request you to submit a sample so that experts from Sophos Labs can verify it for you.
2. We have an excellent article regarding "CryptoWall Ransomware" showcasing how it infects the machine and how Sophos detects it - https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/. The article is quite old and Sophos has been protecting machines against this ransomware for a long time. Once again, I would recommend you submit a sample to Sophos Labs so that you can get the latest information on this if it is a new variant that nobody has ever seen.
Community Team Lead, Support & Services | Sophos Technical Support
Hello Carlos Raul Leon Quiroga,
I must admit that I was distracted by the seemingly duplicated post that just contained an additional picture, and at first I missed "The result of a test ...". Do I understand correctly that
Guess you're not using live ransomware but partially defanged samples?
Yes, the three items are true.
It is ok, that is my doubt.
I see. As said, Intercept X assesses a process's behaviour. It is also "licensed to kill (processes)" and revert changes. Therefore it aims to be sure it doesn't disrupt operations. Keep in mind that encryption, extension change, or other operations ransomware performs might also be done by legitimate applications - even bulk operations. Therefore it makes sure it's not trigger-happy. The test might not contain some characteristic (e.g. communication with a C&C server) that positively identifies it as malicious. If a guard in a public place is instructed to kill an attacker but naturally spare innocent persons - how would or could you test this?
I am curious because I have run my own tests with ransomware against Sophos. In many cases the ransomware appears to have executed, showing the same file lists as your pics. But are the files actually encrypted? Or did Sophos intervene and restore/prevent the actual encryption of the files?
"are the files actually encrypted?" It should be fairly easy to confirm or refute this, shouldn't it?
"did Sophos intervene?" If a process attracts attention and is subsequently deemed malicious it is stopped in its tracks. Unlikely (but not impossible) that the ransom note is displayed in this case, but then the log (if it is genuine) should contain only a few entries.
As said, it's not easy to design a "test" that passes as the real thing ...
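One way to settle the "are the files actually encrypted?" question raised above, as an added example that is not part of this thread and not a Sophos tool: snapshot the test folder before the run, snapshot it again once the product has had time to react and roll back, and classify each original file by whether its bytes are unchanged, look like ciphertext (byte entropy near 8 bits), changed but still low-entropy, or gone. The 7.0 entropy threshold and the `.locked` naming in the demo are assumptions.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text and office files sit well below 7, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot(root: Path) -> dict[str, bytes]:
    """Relative path -> contents for every regular file under root (small test corpus)."""
    return {str(p.relative_to(root)): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(before: dict[str, bytes], after: dict[str, bytes],
            entropy_threshold: float = 7.0) -> dict[str, str]:
    """Verdict per original file: intact, encrypted, modified or missing.
    'intact' also covers files the product rolled back after the test.
    A renamed output such as 'notes.txt.locked' is matched by its original name."""
    verdicts = {}
    for rel, original in before.items():
        current = after.get(rel)
        if current is None:
            renamed = [k for k in after if k.startswith(rel + ".")]
            current = after[renamed[0]] if renamed else None
        if current is None:
            verdicts[rel] = "missing"
        elif current == original:
            verdicts[rel] = "intact"
        elif shannon_entropy(current) >= entropy_threshold:
            verdicts[rel] = "encrypted"
        else:
            verdicts[rel] = "modified"
    return verdicts

if __name__ == "__main__":
    # Constructed demo: baseline two text files, then stand in for the test run
    # by leaving one untouched and replacing the other with high-entropy bytes.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.txt").write_text("Quarterly figures " * 40)
        (root / "notes.txt").write_text("Meeting notes " * 40)
        baseline = snapshot(root)
        (root / "notes.txt").unlink()
        (root / "notes.txt.locked").write_bytes(bytes(range(256)) * 16)
        print(compare(baseline, snapshot(root)))
        # prints {'report.txt': 'intact', 'notes.txt': 'encrypted'}
```

A file that shows up in the ransomware's own list but comes back "intact" is exactly the case the thread describes: the process was stopped or its changes were reverted, regardless of what the log claims.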