Is there any official word from Sophos regarding the RIPlace ransomware threat?

Hello JamesGolden 

Sophos uses various detection techniques, however without a sample we are not able to confirm if we detect this malware. Please send a sample of the files you have tested to Sophos Labs via our web submission link: https://secure2.sophos.com/en-us/support/submit-a-sample.aspx. From there choose "Submit a sample file" and provide the requested information.

Thank you very much!

Not a good look for Sophos when articles like this come out. Seems the "other" guys have taken this thing seriously but Sophos forum gurus still want us to submit samples. 

https://www.bleepingcomputer.com/news/security/thanos-ransomware-auto-spreads-to-windows-devices-evades-security/?fbclid=IwAR3AjXON5eOnIw-jDg0f02S_LnFGtxpcI98pB405BmLhkUBNsvjTJ0TilAs

Hi Matthew,

If someone is reporting a potential threat, then I think it is fair to request a sample submission; this allows SophosLabs to analyse the file and provide a suitable response as to the threat the file poses and the protection Sophos offers.

In some cases these claims or disclosures relate to a POC; as it does in this case. Sophos do take threats seriously, do not take a lack of an article to mean a lack of attention! We have various blogs, such as SophosLabs Uncut, that write about new and interesting threats; it is not possible to cover them all, and it appears in this case that we didn't. 

You highlight that the original RIPlace technique is being used in the wild, I will speak to the team and update this thread on info we can share about Thanos ransomware

Regards,

Stephen

Hi Matthew,

If someone is reporting a potential threat, then I think it is fair to request a sample submission; this allows SophosLabs to analyse the file and provide a suitable response as to the threat the file poses and the protection Sophos offers.

In some cases these claims or disclosures relate to a POC; as it does in this case. Sophos do take threats seriously, do not take a lack of an article to mean a lack of attention! We have various blogs, such as SophosLabs Uncut, that write about new and interesting threats; it is not possible to cover them all, and it appears in this case that we didn't. 

You highlight that the original RIPlace technique is being used in the wild, I will speak to the team and update this thread on info we can share about Thanos ransomware

Regards,

Stephen

Yes this landed in Intercept X, HitmanPro.Alert are protected also, and so should Sophos Home Premium.

https://downloads.sophos.com/readmes/sesc_interceptx_rneng.html

WINEP-23475

With regards to Thanos, we've only seen the option in the Ransomware Builder, AFAIK there are no samples in the wild (yet) abusing this.

Kind Regards,

Ronny (Team HitmanPro).

Awesome. Good job. There may not be much in the wild right now but you know there will be eventually. Always better to stay ahead of these types of exploits. Thanks for the update. 

I just passed all of this along to my rep to see if he has any insights.  I even notified them of someone apart of a Facebook group I'm on that got hit with the Kupidon ransomware (Sophos didn't block it).