Intercept X vs Sucylocker Ransomware

Hi,

I would like to know if only Intercept X is enough to protect a computer from ransomware like Cryptolocker v3, Sucylocker, Bluekeep, Wannacry, etc.

If isnt enough, will Central Intercept X Advanced be the solution to fully protect the computer from ransomware?

The result of a test for Intercept X with this ransomware is showed in the following photos.

Thanks.

Hello Carlos Raul Leon Quiroga,

I must admit that I was distracted by the seemingly duplicated post that just contained an additional picture and at first I missed The result of a test ....
Do I understand correctly that

1. you have a computer with some kind of test suite for ransomware
2. you installed Intercept X on this computer
3. you ran some tests and at least the one for CryptoLocker-v3 wasn't stopped
4. consequently you doubt that Intercept X protects the computer?

Guess you're not using live ransomware but partially defanged samples?

Christian

Hi QC

Yes, the three items are true.

It is ok, that is my doubt. 

Thanks.

Hello Carlos Raul Leon Quiroga,

I see.
As said, Intercept X assesses a processes behaviour. It is also "licensed to kill (processes)" and revert changes. Therefore it aims to be sure it disn't disrupt operations. Kemp in mind that encryption, extension change, or other operations ransomware performs might also be done by legitimate applications - even bulk operations. Therefore it makes sure it's not trigger-happy. The test might not contain some characteristic (e.g. communication with a C&C server) that positively identifies it as malicious.
If a guard in a public place is instructed to kill an attacker but naturally spare innocent persaons - how would or could you test this?

Christian

I am curious because I have ran my own tests with Ransomware against Sophos.  In many cases the Ransomware appears to have executed, showing the same file lists as your pics.  But are the files actually encrypted?  Or did Sophos intervene and restore/prevent the actual encryption of the files.

Hello Badrobot,

are the files actually encrypted?
it should be fairly easy to confirm or refute this, shouldn't it?
did Sophos intervene?
If a a process attracts attention and is subsequently deemed malicious it is stopped in its tracks. Unlikely (but not impossible) that the ransom note is displayed in this case but then the log (if it is genuine) should contain only a few entries.

As said, it's not easy to design a "test" that passes as the real thing ...

Christian

Hello Badrobot,

are the files actually encrypted?
it should be fairly easy to confirm or refute this, shouldn't it?
did Sophos intervene?
If a a process attracts attention and is subsequently deemed malicious it is stopped in its tracks. Unlikely (but not impossible) that the ransom note is displayed in this case but then the log (if it is genuine) should contain only a few entries.

As said, it's not easy to design a "test" that passes as the real thing ...

Christian