
Ransomware notification

Quick question... We've recently switched from using another AV vendor to Sophos and I had email rules in place if we received a ransomware alert. The alert email contained a trigger that would immediately send txt messages to certain people to get the machine off the network.

I've finished setting up Sophos and I'm looking to make sure these triggers still work. Can anyone tell me what the alert email looks like if Sophos detects a ransomware virus?

A recent alert example from Sophos looks like:

File "C:\Program Files (x86)\Settings Manager\systemk\del_DM_LL_nsxC8E2.dll" belongs to adware or PUA 'SearchSuite' (of type Adware).

Does a cryptolock type virus state "belongs to ransomware" or (of type ransomware)?

Thanks

R



  • Hello R,

    just curious - how successful was this process ([an] alert email contain[ing] a trigger that would immediately send txt messages to certain people to get the machine off the network) or didn't you have the "chance" to assess this? I'm asking because from the cases I've encountered (assuming you are talking about the encrypting ransomware) it's either timely detection, in which case the malware is prevented from running, or not. In the latter cutting the cable doesn't make a difference.

    Anyway, the message looks like... belongs to Virus/spyware ' ......'. While related threats are (most of the time) named Ransom- prefixed with Mal/, CXMal/, HPMal/ or Troj/ there is no specific Ransomware type. IMO perhaps more important would be Generic, HIPS/, and Sus/ detections (after all, you won't get a named detection for a yet unknown threat).

    Christian

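Christian's point, that there is no "Ransomware" type and the mail rule should instead key on Ransom- names behind the Mal/, CXMal/, HPMal/ or Troj/ prefixes and on HIPS/, Sus/ and Generic detections, can be turned into a small alert classifier. The following is an added example, not Sophos code or anything posted in this thread; the regex, the sample lines other than the one quoted in the question, and the detection names in them are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed regex for the alert sentence quoted in the thread:
#   File "<path>" belongs to <category> '<threat name>' (of type <Type>).
# The "(of type ...)" tail is optional, since the "belongs to Virus/spyware '...'" form omits it.
ALERT_RE = re.compile(
    r'File "(?P<path>[^"]+)" belongs to (?P<category>.+?) '
    r"'(?P<threat>[^']+)'(?: \(of type (?P<type>[^)]+)\))?",
    re.IGNORECASE,
)

# Detection-name prefixes named in the reply above; matched case-insensitively.
NAMED_PREFIXES = ("mal/", "cxmal/", "hpmal/", "troj/")
BEHAVIOURAL_PREFIXES = ("hips/", "sus/")

@dataclass
class Alert:
    path: str
    category: str
    threat: str
    type: Optional[str]

def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert sentence; None if the line is not in that shape."""
    m = ALERT_RE.search(line)
    return Alert(m["path"], m["category"], m["threat"], m["type"]) if m else None

def classify(alert: Alert) -> str:
    """Bucket an alert for the mail rule: key on the threat name and prefix,
    not on the '(of type ...)' tail, because no 'Ransomware' type exists."""
    name = alert.threat.lower()
    if name.startswith(NAMED_PREFIXES) and "ransom" in name:
        return "ransomware"   # e.g. Troj/Ransom-XXX: page the on-call list
    if name.startswith(BEHAVIOURAL_PREFIXES) or "generic" in name:
        return "suspicious"   # HIPS/, Sus/ or Generic: unnamed threat, review
    if "pua" in alert.category.lower():
        return "pua"          # adware/PUA, as in the question's example
    return "other"

def triage(lines) -> dict:
    """Return {threat name: class} for every line that parses as an alert."""
    return {a.threat: classify(a) for a in map(parse_alert, lines) if a}

# Constructed samples: the first is the line quoted in the question; the rest
# use made-up names in the shapes the reply describes (not real detections).
SAMPLE_ALERTS = [
    r"""File "C:\Program Files (x86)\Settings Manager\systemk\del_DM_LL_nsxC8E2.dll" belongs to adware or PUA 'SearchSuite' (of type Adware).""",
    r"""File "C:\Users\alice\AppData\Local\Temp\invoice.exe" belongs to virus/spyware 'Troj/Ransom-XYZ'.""",
    r"""File "C:\Users\alice\Downloads\setup.exe" belongs to virus/spyware 'HIPS/Example-1' (of type Suspicious behaviour).""",
    r"""File "C:\Users\bob\Desktop\tool.exe" belongs to virus/spyware 'Mal/Generic-X' (of type Virus/spyware).""",
    "Not an alert line at all",
]
```

Wire `triage` to the mail rule so that only the `ransomware` (and, if you want early warning, `suspicious`) buckets fire the text-message trigger.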