GoldenEye - Ransomware

We are a bit concerned about the new variant of the GoldenEye ransomware making the rounds, and we were wondering if Sophos is able to prevent or detect this particular ransomware. We searched the Sophos blogs and website and did find an article on how the ransomware works, but we were not able to confirm whether the new variant is detected. If Sophos is able to detect this, what name is it detected under?



This thread was automatically locked due to age.
  • Hi Amol,

    Do you have any samples of this new variant? I am speaking to our SophosLabs team to see what we have seen. At the moment I can see we are still blocking GoldenEye with our existing protection.

    This ransomware is spread via email, so you can do a lot to protect yourself before it even gets to the user. If you are using a Sophos Email Gateway product or PureMessage, the emails would most likely be triggering a CXmail detection and not getting to the inboxes; even if you don't have those products, the endpoint can make that detection as well. Then, if it gets past that, our behavior monitoring and Malicious Traffic Detection would come into play and you might see a C2/Generic-B detection or an HPmal/GEye-A. If you had Sophos Intercept X, it would then provide protection with its CryptoGuard component to detect files being encrypted.

    You can also disable macros in Microsoft Office for your users, which would also protect them from this attack; if you can't do it for all of them, then maybe just the ones that don't need macros to do their job. Also make sure you aren't hiding known file extensions.

    I assume the article you found is the one below, so I have included it for other readers.

    https://nakedsecurity.sophos.com/2016/12/08/goldeneye-ransomware-the-resume-that-scrambles-your-computer-twice/

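The two endpoint mitigations the reply recommends (disable Office macros for users who don't need them, and stop Explorer hiding known file extensions) can be applied and audited with a short PowerShell script. The script below is an added example for readers of this thread; it is not from the Sophos post or a Sophos tool. It writes the same registry values that the Office and Windows Group Policy templates set, in the current user's hive. The Office version numbers (15.0 for Office 2013, 16.0 for Office 2016) and the application list are assumptions for a typical deployment; adjust them to match what is installed.

```powershell
# Added example, not part of the original thread.
# Assumed Office versions (15.0 = 2013, 16.0 = 2016) and applications to cover.
$OfficeVersions = @('15.0', '16.0')
$OfficeApps     = @('Word', 'Excel', 'PowerPoint')
$ExplorerKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-OfficeMacroPolicy {
    param(
        # VBAWarnings policy value:
        #   4 = disable all macros without notification (users who never need macros)
        #   3 = allow only digitally signed macros
        #   2 = disable with notification (the Office default, weakest of the three)
        [ValidateSet(2, 3, 4)]
        [int]$VbaWarnings = 4
    )
    foreach ($ver in $OfficeVersions) {
        foreach ($app in $OfficeApps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # Macro security level, enforced as policy so the user cannot lower it in Trust Center.
            New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord `
                -Value $VbaWarnings -Force | Out-Null
            # Block macros in documents that carry the Mark-of-the-Web (email attachments, downloads),
            # which is exactly the delivery path described in the reply.
            New-ItemProperty -Path $key -Name 'blockcontentexecutionfromInternet' -PropertyType DWord `
                -Value 1 -Force | Out-Null
        }
    }
}

function Show-KnownFileExtensions {
    # HideFileExt = 0 makes Explorer show "resume.pdf.exe" instead of "resume.pdf".
    Set-ItemProperty -Path $ExplorerKey -Name 'HideFileExt' -Value 0 -Type DWord
}

function Test-RansomwareHardening {
    # Audit the current state so the change can be verified (run before and after).
    $results = foreach ($ver in $OfficeVersions) {
        foreach ($app in $OfficeApps) {
            $key  = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            $prop = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Setting   = "$app $ver VBAWarnings"
                Value     = $prop.VBAWarnings
                Compliant = ($prop.VBAWarnings -ge 3)
            }
            [pscustomobject]@{
                Setting   = "$app $ver blockcontentexecutionfromInternet"
                Value     = $prop.blockcontentexecutionfromInternet
                Compliant = ($prop.blockcontentexecutionfromInternet -eq 1)
            }
        }
    }
    $hide = (Get-ItemProperty -Path $ExplorerKey -ErrorAction SilentlyContinue).HideFileExt
    $results += [pscustomobject]@{
        Setting   = 'Explorer HideFileExt'
        Value     = $hide
        Compliant = ($hide -eq 0)
    }
    return $results
}

# Usage: apply both mitigations, then print the audit table.
Set-OfficeMacroPolicy -VbaWarnings 4
Show-KnownFileExtensions
Test-RansomwareHardening | Format-Table -AutoSize
```

Office reads the policy values on the next start, and Explorer must be restarted (or the user must log off) before the extension change is visible. For a fleet, deploy the same values with Group Policy rather than per machine; the `HKCU\Software\Policies` path is where the Office administrative templates write them, so the script's audit function works unchanged against GPO-managed hosts. Users who genuinely need macros can be given `-VbaWarnings 3` (signed only) instead of 4, which matches the reply's suggestion of scoping the restriction to the users who don't need macros.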