Hi All,
I have been asked does Sophos protect against Locky, or what can we do to prevent
Thanks
J
Hello Joetobai,
Now, Locky (or whatever prevalent "bleeding edge" threat) is not a static executable (i.e. one program with a few specific checksums), it takes some time (and samples) to reliably detect all the mutations. This is complicated by the fact that aggressive strategies are not feasible in a corporate environment as they could be too aggressive and might impair important applications. Thus "complete protection" would be, at least in the early days, boastful.
In addition there's the delivery mechanism - the initial stage seems pretty archaic, email and macros in office documents. Then evidently a (state-of-the-art) staggered download. So while the concept isn't new the campaign doesn't reuse well-known components which is another challenge.
what can we do
Please see Ransomware Protection on Terminal Servers for some advice by Sophos.
Christian
In the video below we show you what happens when Locky Ransomware attacks a computer. You will see what a typical user would see if they were the victim of such an attack. We will then show you several scenarios demonstrating how Sophos protects the computers and networks of our customers using multiple techniques.
All products featured in this video are using their default settings and no new protection was created to block the malware shown.
Products featured: Sophos Endpoint managed by Sophos Central Console, with Sophos Intercept X.
Sophos XG Firewall including Heartbeat and Sophos Sandstorm.
- - - - - - - - - - - -
Communities Moderator, SOPHOS