Ransomware attack nozelesn


We recently suffered a ransomware attack from nozelesn. It's encrypted an entire network shared drive and several machines in the building network. Question is, how was this not picked up by our Sophos Enterprise setup with Endpoint and Control?

  • Hi Richard,

    We would be definitely interested in investigating this further.

    Please raise a case with us and quote my name on the support ticket.



  • Hello Richard Reichenbacher,

    [disclaimer: I'm not Sophos]
    "how was this not picked up"
    I assume you are referring to the on-premise SESC without EXP (or Central Endpoint/Server without Intercept X)?
    Only known threats can be picked up by classic AV (known including generic detections). Similar to biological infections a countermeasure can only be developed after the first incidents. While there are several lines of defence that should interrupt the "supply chain" (redirection to dubious site, malicious scripts, exploits) with the final line HIPS (that's supposed to catch malicious behaviour) these defences are "static" - meaning you can comparatively easily test your malware on classic AV.
    Ransomware is an industry with suppliers, subcontractors, financial services, franchising. It's the "services" that are highly profitable, with the extortionist bearing the business risk (who has to pay a fee for each victim but can't be sure they pay up). There's enough money to fund constant development, thus it's no wonder that we have to deal with "high-quality" malware.

    Consequently the (AV-)industry has come up with things like Intercept X - monitoring (by different means) execution and mitigating unwanted effects (e.g. restoring encrypted files to their original content). As software using this approach is not yet widely used there's no need for a Next-Gen ransomware and thus these solutions work quite well at present.
    This is not a sales pitch. We have deployed EXP on parts of our network; tests were satisfactory, though there has been no actual incident. Incidentally, the other day we had a GandCrab case (no EXP on this PC). No big deal, we had a backup. While searching for items to submit to Labs, SESC detected (as GandKrb) and removed the file that was my prime suspect - just half a day later the user would already have been protected.

    I think there was no active component involved; it might have had its origin in an email. Depending on the email client and its settings, a simple direct link could be effective.