
Intercept X vs Sucylocker Ransomware

Hi,

I would like to know if Intercept X alone is enough to protect a computer from Cryptolocker v3 and Sucylocker ransomware.

If it isn't enough, will Central Intercept X Advanced be the solution to fully protect the computer from ransomware?

Thanks.

  • Hi,

    I would like to know if Intercept X alone is enough to protect a computer from ransomware like Cryptolocker v3, Sucylocker, Bluekeep, Wannacry, etc.

    If it isn't enough, will Central Intercept X Advanced be the solution to fully protect the computer from ransomware?

    The result of a test of Intercept X with this ransomware is shown in the following photos.

    Thanks.

    Carlos Raul Leon Quiroga

    Undergraduate student, Telecommunications Engineering

    Universidad Nacional de Ingeniería

    Lima, Perú

  • Hi

    Intercept X utilizes behavioral analysis to stop never-before-seen ransomware and boot-record attacks. However, without a sample we are not able to confirm if we detect this malware. Please send a sample of the files you have tested to Sophos Labs and provide the requested information.

    Shweta

    Community Support Engineer | Sophos Technical Support
  • But these ransomwares, Sucylocker and Cryptolocker v3, are such well-known attacks at this point, so I want to confirm: will Intercept X fully protect the device from this ransomware?

    Carlos Raul Leon Quiroga

  • Hello

    Yes, as mentioned above, Intercept X should be able to protect your devices because of its behavioral analysis. If it shows certain behavioral patterns similar to what ransomware will do, for example, creating copies of files and then contacting known Command and Control servers, etc., then it should detect this behavior and stop it from occurring. Sending a sample to Sophos Labs will also help us confirm if we protect against specific threats.

    Also, it is important to ensure that you have set up Intercept X as recommended to prevent Ransomware, see KB below:

    Ransomware: Prevention advice for Sophos products

  • Hi

    I completely agree with the replies above. To further add to it, Sophos Central Intercept X Advanced includes Sophos traditional AV along with Intercept X, which means that it will provide layered protection against malware. To answer your questions,

    1. For "Sucylocker Ransomware", I came across this result - https://maltiverse.com/sample/86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f. However, I cannot vouch for such results and request you to submit a sample so that experts from Sophos Labs can verify it for you.

    2. We have an excellent article regarding "CryptoWall Ransomware" showcasing how it infects the machine and how Sophos detects it - https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/. The article is quite old and Sophos has been protecting machines against this ransomware for a long time. Once again, I would recommend you submit a sample to Sophos Labs so that you can get the latest information on this if it is a new variant that nobody has ever seen.

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
  • Hello Carlos Raul Leon Quiroga,

    I must admit that I was distracted by the seemingly duplicated post that just contained an additional picture, and at first I missed "The result of a test ...".
    Do I understand correctly that

    1. you have a computer with some kind of test suite for ransomware
    2. you installed Intercept X on this computer
    3. you ran some tests and at least the one for CryptoLocker-v3 wasn't stopped
    4. consequently you doubt that Intercept X protects the computer?

    Guess you're not using live ransomware but partially defanged samples?

    Christian

  • Hi QC

    Yes, the three items are true.

    It is ok, that is my doubt. 

    Thanks.

    Carlos Raul Leon Quiroga

  • Hello Carlos Raul Leon Quiroga,

    I see.
    As said, Intercept X assesses a process's behaviour. It is also "licensed to kill (processes)" and revert changes. Therefore it aims to be sure it doesn't disrupt operations. Keep in mind that encryption, extension change, or other operations ransomware performs might also be done by legitimate applications, even bulk operations. Therefore it makes sure it's not trigger-happy. The test might not contain some characteristic (e.g. communication with a C&C server) that positively identifies it as malicious.
    If a guard in a public place is instructed to kill an attacker but naturally spare innocent persons, how would or could you test this?

    Christian

  • I am curious because I have run my own tests with ransomware against Sophos. In many cases the ransomware appears to have executed, showing the same file lists as your pics. But are the files actually encrypted? Or did Sophos intervene and restore/prevent the actual encryption of the files?

    Respectfully, 


    Badrobot


  • Hello Badrobot,

    "Are the files actually encrypted?"
    It should be fairly easy to confirm or refute this, shouldn't it?
    "Did Sophos intervene?"
    If a process attracts attention and is subsequently deemed malicious, it is stopped in its tracks. It is unlikely (but not impossible) that the ransom note is displayed in this case, but then the log (if it is genuine) should contain only a few entries.

    As said, it's not easy to design a "test" that passes as the real thing ...

    Christian
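
Badrobot's question ("are the files actually encrypted?") and Christian's reply that this is easy to confirm can be made mechanical. The following is an added example, not code from the thread or from Sophos: it fingerprints a test directory before and after a run and reports which files are intact, which were rewritten with high-entropy content (the signature of actual encryption), which changed but stayed low-entropy, and which are missing or new (renamed files, ransom notes). The sample tree is constructed inline and the 7.5 bits/byte threshold is an assumption.

```python
import hashlib
import math
from pathlib import Path

# Constructed sample: the same small tree "before" and "after" a test run.
BEFORE = {"docs/a.txt": b"hello world " * 20, "docs/b.txt": b"quarterly report " * 20}
AFTER = {
    "docs/a.txt": bytes(range(256)) * 2,      # content replaced by high-entropy bytes
    "docs/b.txt": b"quarterly report " * 20,  # untouched
    "README_DECRYPT.txt": b"your files ...",  # new file, ransom-note style
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text lands around 4-5, compressed/encrypted data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def fingerprint(files: dict) -> dict:
    """Map relative path -> (sha256 hex, entropy) for an in-memory {path: bytes} tree."""
    return {name: (hashlib.sha256(d).hexdigest(), shannon_entropy(d)) for name, d in files.items()}


def snapshot(root: Path) -> dict:
    """Same fingerprint taken from a real directory: run once before the test, once after."""
    return fingerprint({str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()})


def compare(before: dict, after: dict, entropy_threshold: float = 7.5) -> dict:
    """Classify every baseline file; 'new' lists files that only exist afterwards."""
    result = {"intact": [], "encrypted": [], "modified": [], "missing": []}
    for name, (digest, _) in before.items():
        if name not in after:
            result["missing"].append(name)          # deleted or renamed (e.g. new extension)
        elif after[name][0] == digest:
            result["intact"].append(name)           # byte-for-byte unchanged
        elif after[name][1] >= entropy_threshold:
            result["encrypted"].append(name)        # rewritten and now looks like ciphertext
        else:
            result["modified"].append(name)         # changed, but still low-entropy content
    result["new"] = sorted(set(after) - set(before))
    return result


if __name__ == "__main__":
    print(compare(fingerprint(BEFORE), fingerprint(AFTER)))
```

Against a real test machine, call `snapshot(Path("C:/testdata"))` before running the sample and again afterwards, then pass both results to `compare`; a run where everything is "intact" or only "missing" shows that the product stopped or rolled back the encryption even if the file list in the log looks alarming.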