
GoldenEye - Ransomware

 We are a bit concerned about the new variant of the GoldenEye ransomware making the rounds, and we were wondering if Sophos is able to prevent or detect this particular ransomware. We searched the Sophos blogs and website and did find an article on how the ransomware works, but were not able to confirm whether the new variant is detected. If Sophos is able to detect it, what name is it detected under?



  • Hi Amol,

    Do you have any samples of this new variant? I am speaking to our SophosLabs team to see what we have seen. At the moment I can see we are still blocking GoldenEye with our existing protection.

    This ransomware is spread via email, so you can do a lot to protect yourself before it even gets to the user. If you are using a Sophos Email Gateway product or PureMessage, the emails would most likely be triggering a CXmail detection and not getting to the inboxes; even if you don't have those products, the endpoint can make that detection as well. Then, if it gets past that, our behavior monitoring and Malicious Traffic Detection would come into play and you might see a C2/Generic-B detection or an HPmal/GEye-A. If you had Sophos Intercept X, it would then provide protection with its CryptoGuard component to detect files being encrypted.

    You can also disable macros in Microsoft Office for your users, which would also protect them from this attack; if you can't do it for all of them, then maybe just the ones that don't need macros to do their job. Also make sure you aren't hiding known file extensions.

    I assume the article you found is the one below, so I have included it for other readers.

    https://nakedsecurity.sophos.com/2016/12/08/goldeneye-ransomware-the-resume-that-scrambles-your-computer-twice/
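Added example (not code from the thread or from Sophos): a PowerShell audit of the two per-user settings the reply above recommends on a Windows endpoint. It assumes Office 2013/2016 registry versions 15.0 and 16.0, treats a Group Policy value under HKCU:\Software\Policies as overriding the user value, and counts VBAWarnings 3 or 4 (unsigned macros blocked) as acceptable.

```powershell
# Registry versions and apps to check are assumptions (Office 2013 = 15.0, Office 2016+ = 16.0).
function Get-MacroSetting {
    param([string]$Version, [string]$App)
    # Policy key takes precedence over the user's own Trust Center choice.
    $policy = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    $user   = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    foreach ($path in @($policy, $user)) {
        $v = Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $v) { return [int]$v.VBAWarnings }
    }
    return $null   # key absent: app not installed or never configured (Office default is 2)
}

function Test-OfficeHardening {
    $results = @()

    # HideFileExt = 1 hides known extensions, so a double-extension attachment shows only its decoy name.
    $adv  = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    $hide = if ($null -ne $adv -and $null -ne $adv.HideFileExt) { [int]$adv.HideFileExt } else { 1 }
    $results += [pscustomobject]@{
        Setting   = 'Explorer HideFileExt'
        Value     = $hide
        Compliant = ($hide -eq 0)
        Note      = '0 = known extensions shown'
    }

    # VBAWarnings: 1 = enable all, 2 = disable with notification, 3 = disable except signed, 4 = disable all.
    $labels = @{ 1 = 'enable all'; 2 = 'disable with notification'; 3 = 'disable except signed'; 4 = 'disable all, no notification' }
    foreach ($ver in '16.0', '15.0') {
        foreach ($app in 'Word', 'Excel', 'PowerPoint') {
            $val = Get-MacroSetting -Version $ver -App $app
            if ($null -eq $val) { continue }
            $results += [pscustomobject]@{
                Setting   = "$app $ver VBAWarnings"
                Value     = $val
                Compliant = ($val -ge 3)   # 3 or 4 stops an unsigned macro in an attachment from running
                Note      = $labels[$val]
            }
        }
    }
    return $results
}

# Print one row per setting; any row with Compliant = False is a gap worth closing by policy.
Test-OfficeHardening | Format-Table -AutoSize
```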

  • Hello Amol Patil,

    the first question is which product you are referring to by Sophos. Assuming you are talking about endpoint protection: while the basic AV is the same on all flavours, some have additional features which provide better protection.
    Anyway, "able to confirm whether the new variant is detected" - for this you'd have to be able to identify (describe, ideally provide a sample of) this new variant. Usually it's called a new variant when it is able to get past the defenses. Once AV vendors have obtained a sufficient number of samples and amended their detections, it's less and less likely that a particular strain ("variants of a variant") is successful.

    "what name it is detected" - as you've probably read, ransomware (and a lot of malware as well) is not immediately delivered. If the actual ransomware is, say, sent as an attachment - well, that's the AV labs' dream. Vendors try to prevent the delivery of whatever malware; identifying the actual threat is the last chance to avert disaster. Thus, unless you want to tell your grandchildren "I had some ransomware and it has been stopped just in time", you'd rather not ever need to know its name ;)

    Many AV vendors have complementary products which try to detect ransomware by its activity and to remediate its actions (by preserving a copy of a file until it's proven that it is not maliciously modified). Even if you have one of these, you should have a reasonable backup strategy and periodically review your backup and restore procedures.

    It's usually just some days during which the answer to this question is actually important. Before, it's whether an unknown variant is blocked without a specific detection; afterwards, whether your AV is up to date.

    Christian

  • Hi Amol,

    I have just heard back from our SophosLabs threat researchers and they confirmed there are some new variants of GoldenEye, but our existing protection picks them up automatically.

    If you have sample files you want us to look at, please use the Support contact page and we can analyze them for you.