Sophos Ransomware Protection

Posted on  by admin

Threat protection keeps you safe from malware, risky file types and websites, and malicious network traffic.

If you’re not currently a Sophos endpoint customer, you can leverage the advanced protection found in Intercept X free for 30 days, including Sophos’ leading anti-ransomware technologies. The free trial also features our endpoint detection and response (EDR) capabilities, designed to help maintain IT security operations hygiene and hunt down stealthy threats.

Offensive security tools have long been used by malicious actors as well as security professionals. These commercial and open-source tools, including the modular Cobalt Strike and Metasploit toolkits, were built for penetration testing and “red team” security evaluations—but they’ve been embraced by ransomware groups for their flexibility.

Restriction This help page describes policy settings for workstation users. Different policy settings apply for servers.

Go to Endpoint Protection > Policies to set up threat protection.

To set up a policy, do as follows:

  • Create a Threat Protection policy.
  • Open the policy's Settings tab and configure it as described below. Make sure the policy is turned on.

You can either use the recommended settings or change them.

If you change any of the settings in this policy and you want to find out what the default is, create a new policy. You don't have to save it, but it shows you the defaults.

Note SophosLabs can independently control which files are scanned. They may add or remove scanning of certain file types to provide the best protection.
Note If an option is locked, your partner has applied global settings. You can still stop detecting applications, exploits, and ransomware by going to the events list.

Use recommended settings

Click Use recommended settings if you want to use the settings we recommend. These provide the best protection you can have without complex configuration.

If we change our recommendations in the future, we’ll automatically update your policy with new settings.

The recommended settings offer:

  • Detection of known malware.
  • In-the-cloud checks to allow detection of the latest malware known to Sophos.
  • Proactive detection of malware that has not been seen before.
  • Automatic cleanup of malware.
Warning Think carefully before you change the recommended settings because doing so may reduce your protection.

Live Protection

Live Protection checks suspicious files against the latest malware in the SophosLabs database.

You can select these options:

  • Use Live Protection to check the latest threat information from SophosLabs online. This checks files during real-time scanning.
  • Use Live Protection during scheduled scans

Deep Learning

Deep learning uses advanced machine learning to detect threats. It can identify known and previously unknown malware and potentially unwanted applications without using signatures.

Deep learning is only available with Sophos Intercept X.

Real-time Scanning - Local Files and Network Shares

Real-time scanning scans files as users attempt to access them. It allows access if the file is clean.

Local files are scanned by default. You can also select this option:

  • Remote files: This scans files on network shares.

Real-time Scanning - Internet

Real-time scanning scans internet resources as users attempt to access them. You can select these options:

  • Scan downloads in progress
  • Block access to malicious websites: This denies access to websites that are known to host malware.
  • Detect low-reputation files: This warns if a download has a low reputation. The reputation is based on a file's source, how often it is downloaded, and other factors. You can specify:
    • The Action to take on low-reputation downloads: If you select Prompt user, users will see a warning when they download a low-reputation file. They can then trust or delete the file. This is the default setting.
    • The Reputation level: If you select Strict, medium-reputation, as well as low-reputation files, are detected. The default setting is Recommended.


Remediation options are:

  • Automatically clean up malware: Sophos Central will try to clean up detected malware automatically.

    If the cleanup succeeds, the malware detected alert is deleted from the alerts list. The detection and cleanup are shown in the events list.

    Note We always clean up PE (Portable Executable) files like applications, libraries, and system files, even if you turn off automatic cleanup. PE files are quarantined and can be restored.
  • Enable Threat Case creation: Threat cases let you investigate the chain of events in a malware attack and identify areas where you can improve your security.
  • Allow computers to send data on suspicious files, network events, and admin tool activity to Sophos Central: This sends details of potential threats to Sophos. Ensure it's turned on in any policy for computers where you want to do threat searches.
    Note This option is available if you have Intercept X Advanced with EDR.

Runtime Protection

Restriction You must join the Early Access Program to use some options.

Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic. You can select:

  • Protect document files from ransomware (CryptoGuard): This protects document files against malware that restricts access to files and then demands a fee to release them. You can also choose to protect 64-bit computers against ransomware run from a remote location.
  • Protect from Encrypting File System attacks: This protects the computer from ransomware that encrypts the file system. Choose which action you want to take if the ransomware is detected. You can terminate ransomware processes or isolate them to stop them writing to the filesystem.
  • Protect from master boot record ransomware: This protects the computer from ransomware that encrypts the master boot record (and so prevents startup) and from attacks that wipe the hard disk.
  • Protect critical functions in web browsers (Safe Browsing): This protects your web browsers against exploitation by malware.
  • Mitigate exploits in vulnerable applications: This protects the applications most prone to exploitation by malware. You can select which application types to protect.
  • Protect processes: This helps prevent the hijacking of legitimate applications by malware. You can choose these options:
    • Prevent process hollowing attacks. This protects against process replacement attacks.
    • Prevent DLLs loading from untrusted folders. This protects against loading .DLL files from untrusted folders.
    • Prevent credential theft. This prevents the theft of passwords and hash information from memory, registry, or hard disk.
    • Prevent code cave utilisation. This detects malicious code that's been inserted into another, legitimate application.
    • Prevent APC violation. This prevents attacks from using Asynchronous Procedure Calls (APC) to run their code.
    • Prevent privilege escalation. This prevents attacks from escalating a low-privilege process to higher privileges to access your systems.
  • Protect network traffic. You can choose these options:
    • Detect malicious connections to command and control servers. This detects traffic between an endpoint computer and a server that indicates a possible attempt to take control of the endpoint computer.
    • Prevent malicious network traffic with packet inspection (IPS). This scans traffic at the lowest level and blocks threats before they can harm the operating system or applications.
  • Detect malicious behavior (HIPS): This protects against threats that are not yet known. It does this by detecting and blocking behavior that is known to be malicious or is suspicious.
  • Detect malicious behavior: This protects against threats that are not yet known. It does this by detecting and blocking behavior that is known to be malicious or is suspicious.
    Restriction You must join the Early Access Program to use this option.
  • AMSI Protection (with enhanced scan for script-based threats): This protects against malicious code (for example, PowerShell scripts) using the Microsoft Antimalware Scan Interface (AMSI). Code forwarded using AMSI is scanned before it runs, and Sophos notifies the applications used to run the code of threats. If a threat is detected, an event is logged. You can prevent the removal of AMSI registration on your computers.

Advanced Settings

These settings are for testing or troubleshooting only. We recommend that you leave them set to the defaults.

Device Isolation

If you select this option, devices isolate themselves from your network if their health is red. A device's health is red if it has threats detected, has out-of-date software, isn't compliant with policy, or isn't properly protected.

You can still manage isolated devices from Sophos Central. You can also use scanning exclusions or global exclusions to give limited access to them for troubleshooting.

You can't remove these devices from isolation. They communicate with the network again once their health is green.

Scheduled Scanning

Scheduled scanning performs a scan at a time or times that you specify.

You can select these options:

  • Enable scheduled scan: This lets you define a time and one or more days when scanning should be performed.
    Note The scheduled scan time is the time on the endpoint computers (not a UTC time).
  • Enable deep scanning: If you select this option, archives are scanned during scheduled scans.
    Note Scanning archives may increase the system load and make scanning significantly slower.

Scanning exclusions

You can exclude files, folders, websites, or applications from scanning for threats, as described below.

We'll still check excluded items for exploits. However, you can stop checking for an exploit that has already been detected (use a Detected Exploits exclusion).

Exclusions set in a policy are only used for the users the policy applies to.

Note If you want to apply exclusions to all your users and servers, set up global exclusions on the Global Settings > Global Exclusions page.

To create a policy scanning exclusion:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In the Exclusion Type drop-down list, select a type of item to exclude (file or folder, website, potentially unwanted application, or device isolation).
  3. Specify the item or items you want to exclude.
  4. For File or folder exclusions only, in the Active for drop-down list, specify if the exclusion must be valid for real-time scanning, for scheduled scanning, or both.
  5. Click Add or Add Another. The exclusion is added to the scanning exclusions list.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.

Exploit Mitigation exclusions

You can exclude applications from protection against security exploits. For example, you might want to exclude an application that is incorrectly detected as a threat until the problem has been resolved.

Adding exclusions reduces your protection.

Adding exclusions using the global option, Overview > Global Settings > Global Exclusions, creates exclusions that apply to all users and devices.

We recommend that you use the policy option described here instead, and assign the policy containing the exclusion only to those users and devices where the exclusion is necessary.

Restriction You can only create exclusions for Windows applications.

To create a policy exploit mitigation exclusion, do as follows:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In Exclusion Type, select Exploit Mitigation (Windows).

    A list of the protected applications on your network shows.

  3. Select the application you want to exclude.
  4. If you don't see the application you want, click Application not listed?. You can now exclude your application from protection by entering its file path. Optionally, use any of the variables.
  5. Under Mitigations, choose from the following:
    • Turn off Protect Application. Your selected application isn't checked for any exploits.
    • Keep Protect Application turned on and select the exploit types that you do or don’t want to check for.
  6. Click Add or Add Another. The exclusion is added to the list on the Global Exclusions page.

    The exclusion only applies to users or devices that you assign this policy to.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.

Desktop Messaging

Note You must switch off Use recommended settings to set up Desktop Messaging.

You can add a message to the end of the standard notification. If you leave the message box empty, only the standard message is shown.

Desktop Messaging is on by default.

Click in the message box and enter the text you want to add.

The operators of Ryuk ransomware are at it again. After a long period of quiet, we identified a new spam campaign linked to the Ryuk actors—part of a new wave of attacks. And in late September, Sophos’ Managed Threat Response team assisted an organization in mitigating a Ryuk attack—providing insight into how the Ryuk actors’ tools, techniques and practices have evolved. The attack is part of a recent wave of Ryuk incidents tied to recent phishing campaigns.

First spotted in August of 2018, the Ryuk gang gained notoriety in 2019, demanding multi-million-dollar ransoms from companies, hospitals, and local governments. In the process, the operators of the ransomware pulled in over $61 million just in the US, according to figures from the Federal Bureau of Investigation. And that’s just what was reported—other estimates place Ryuk’s take in 2019 in the hundreds of millions of dollars.

Starting around the beginning of the worldwide COVID-19 pandemic, we saw a lull in Ryuk activity. There was speculation that the Ryuk actors had moved on to a rebranded version of the ransomware, called Conti. The campaign and attack we investigated were interesting both because they marked the return of Ryuk with some minor modifications and because they showed an evolution of the tools used to compromise targeted networks and deploy the ransomware.

The attack was also notable because of how quickly the attacks can move from initial compromise to ransomware deployment. Within three and a half hours of a target opening a phishing email attachment, attackers were already conducting network reconnaissance. Within a day, they had gained access to a domain controller, and were in the early stages of an attempt to deploy ransomware.

The attackers were persistent as well. As attempts to launch the attack failed, the Ryuk actors attempted multiple times over the next week to install new malware and ransomware, including renewed phishing attempts to re-establish a foothold. Before the attack had concluded, over 90 servers and other systems were involved in the attack, though ransomware was blocked from full execution.


Let the wrong one in

The attack began on the afternoon of Tuesday, September 22. Multiple employees of the targeted company had received highly targeted phishing emails:

From: Alex Collins [spoofed external email address]

To: [targeted individual]

Subject: Re: [target surname] about debit


Please call me back till 2 PM, i will be in [company name] office till 2 PM.

[Target surname], because of [company name]head office request #96-9/23 [linked to remote file], i will process additional 3,582 from your payroll account.

[Target first name], call me back when you will be available to confirm that all is correct.

Here is a copy of your statement in PDF[linked to remote file].

Alex Collins

[Company name] outsource specialist

The link, served up through the mail delivery service Sendgrid, redirected to a malicious document hosted on The email was tagged with external sender warnings by the company’s mail software. And multiple instances of the malicious attachment were detected and blocked.

But one employee clicked on the link in the email that afternoon. The user opened the document and enabled its content, allowing the document to execute print_document.exe—a malicious executable identified as Buer Loader. Buer Loader is a modular malware-as-a-service downloader, introduced on underground forums for sale in August of 2019. It provides a web panel-managed malware distribution service; each downloader build sold for $350, with add-on modules and download address target changes billed separately.

In this case, upon execution, the Buer Loader malware dropped qoipozincyusury.exe, a Cobalt Strike “beacon,” along with other malware files. Cobalt Strike’s beacon, originally designed for attacker emulation and penetration testing, is a modular attack tool that can perform a wide range of tasks, providing access to operating system features and establishing a covert command and control channel within the compromised network.

Over the next hour and a half, additional Cobalt Strike beacons were detected on the initially compromised system. The attackers were then able to successfully establish a foothold on the targeted workstation for reconnaissance and to hunt for credentials.

A few hours later, the Ryuk actors’ reconnaissance of the network began. The following commands were run on the initially infected system:

  • C:\WINDOWS\system32\cmd.exe /C whoami /groups (accessing list of AD groups the local user is in)
  • C:\WINDOWS\system32\cmd.exe /C nltest /domain_trusts /all_trusts (returns a list of all trusted domains)
  • C:\WINDOWS\system32\cmd.exe /C net group "enterprise admins" /domain (returns a list of members of the “enterprise admins” group for the domain)
  • C:\WINDOWS\system32\net1 group "domain admins" /domain (the same, but a list of the group “domain admins”)
  • C:\WINDOWS\system32\cmd.exe /C net localgroup administrators (returns a list of administrators for the local machine)
  • C:\WINDOWS\system32\cmd.exe /C ipconfig (returns the network configuration)
  • C:\WINDOWS\system32\cmd.exe /C nltest /dclist:[target company domain name] (returns names of the domain controllers for the company domain name)
  • C:\WINDOWS\system32\cmd.exe /C nltest /dclist:[target company name] (the same, but checking for domain controllers using the company name as the domain name)
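
Each of these commands is unremarkable alone, so a useful detection looks for several distinct discovery techniques from one host and user in a short window. The following is an added example, not part of the original report or any Sophos product: the log format, host names, user names, timestamps, window and threshold are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One pattern per discovery technique in the command list above.
DISCOVERY_PATTERNS = {
    "whoami_groups": re.compile(r'\bwhoami(\.exe)?\s+/groups\b', re.I),
    "domain_trusts": re.compile(r'\bnltest(\.exe)?\s.*?/domain_trusts\b', re.I),
    "dc_list": re.compile(r'\bnltest(\.exe)?\s.*?/dclist:', re.I),
    "priv_group_enum": re.compile(
        r'\bnet1?(\.exe)?\s+group\s+"?(enterprise|domain) admins"?\s+/domain\b', re.I),
    "local_admins": re.compile(
        r'\bnet1?(\.exe)?\s+localgroup\s+administrators\b', re.I),
    "ipconfig": re.compile(r'\bipconfig(\.exe)?\b', re.I),
}

# Constructed process-creation log: timestamp|host|user|command line.
SAMPLE_LOG = r'''
2024-01-09T17:02:11|WKSTN-07|jdoe|C:\WINDOWS\system32\cmd.exe /C whoami /groups
2024-01-09T17:02:40|WKSTN-07|jdoe|C:\WINDOWS\system32\cmd.exe /C nltest /domain_trusts /all_trusts
2024-01-09T17:03:05|WKSTN-07|jdoe|C:\WINDOWS\system32\cmd.exe /C net group "enterprise admins" /domain
2024-01-09T17:03:06|WKSTN-07|jdoe|C:\WINDOWS\system32\net1 group "domain admins" /domain
2024-01-09T17:04:19|WKSTN-07|jdoe|C:\WINDOWS\system32\cmd.exe /C net localgroup administrators
2024-01-09T17:04:50|WKSTN-07|jdoe|C:\WINDOWS\system32\cmd.exe /C ipconfig
2024-01-09T17:05:30|WKSTN-07|jdoe|C:\WINDOWS\system32\cmd.exe /C nltest /dclist:example.test
2024-01-09T09:15:00|HELPDESK-02|asmith|C:\WINDOWS\system32\cmd.exe /C ipconfig
2024-01-09T13:40:00|HELPDESK-02|asmith|C:\WINDOWS\system32\cmd.exe /C whoami /groups
'''


def parse_events(text):
    """Turn pipe-delimited log lines into (timestamp, host, user, command) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, user, cmd = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, user, cmd))
    return events


def classify(command_line):
    """Return the set of discovery categories a command line matches."""
    return {name for name, rx in DISCOVERY_PATTERNS.items() if rx.search(command_line)}


def find_discovery_bursts(events, window=timedelta(minutes=10), min_distinct=4):
    """Alert when one host/user runs min_distinct different techniques within window."""
    per_actor = defaultdict(list)
    for ts, host, user, cmd in events:
        for category in classify(cmd):
            per_actor[(host, user)].append((ts, category))

    alerts = []
    for (host, user), hits in per_actor.items():
        hits.sort()
        recent = deque()  # sliding window of (timestamp, category)
        for ts, category in hits:
            recent.append((ts, category))
            while ts - recent[0][0] > window:
                recent.popleft()
            seen = {c for _, c in recent}
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "user": user, "start": recent[0][0],
                               "end": ts, "categories": sorted(seen)})
                break  # one alert per host/user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(parse_events(SAMPLE_LOG)):
        print(alert)
```

The help-desk host in the sample runs two of the same commands hours apart and stays below the threshold, which is the point of counting distinct techniques rather than matching single commands.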

Forward lateral

Using this data, by Wednesday morning the actors had obtained administrative credentials and had connected to a domain controller, where they performed a data dump of Active Directory details. This was most likely accomplished through the use of SharpHound, a Microsoft C#-based data “ingestor” tool for BloodHound (an open-source Active Directory analysis tool used to identify attack paths in AD environments). A data dump from the tool was written to a user directory for the compromised domain administrator account on the domain server itself.

Another Cobalt Strike executable was loaded and launched a few hours later. That was followed immediately by the installation of a Cobalt Strike service on the domain controller using the domain administrator credentials obtained earlier. The service was a chained Server Message Block listener, allowing Cobalt Strike commands to be passed to the server and other computers on the network. Using Windows Management Instrumentation, the attackers remotely executed a new Cobalt Strike beacon on the same server.

In short order, other malicious services were created on two other servers using the same admin credentials, using Windows Management Instrumentation from the initially compromised PC. One of the services configured was an encoded PowerShell command creating yet another Cobalt communications pipe.
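
Services whose command line is an encoded PowerShell command can be triaged by decoding the payload from service-installation records. The following is an added example, not taken from the original report: the records mimic the ServiceName and ImagePath fields of Windows service-installation events (System log, Event ID 7045), and every service name and payload in it is constructed.

```python
import base64
import binascii
import re

POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
UNDECODABLE = "<encoded flag present, payload not valid Base64/UTF-16LE>"


def is_encoded_flag(flag):
    """PowerShell accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...)."""
    flag = flag.lower()
    return bool(flag) and (flag == "ec" or "encodedcommand".startswith(flag))


def decode_encoded_command(image_path):
    """Return the decoded script if image_path runs PowerShell with an encoded command."""
    if not POWERSHELL_RE.search(image_path):
        return None
    tokens = image_path.split()
    for flag, value in zip(tokens, tokens[1:]):
        if flag[0] in "-/" and is_encoded_flag(flag[1:]):
            try:
                # -EncodedCommand payloads are Base64 over UTF-16LE text.
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return UNDECODABLE  # still worth an analyst's attention
    return None


def find_encoded_powershell_services(events):
    """Return (service name, decoded script) for each suspicious service install."""
    findings = []
    for event in events:
        decoded = decode_encoded_command(event["ImagePath"])
        if decoded is not None:
            findings.append((event["ServiceName"], decoded))
    return findings


def _encode(script):
    """Helper used only to build the constructed sample payloads below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records; the payloads are harmless placeholders.
SAMPLE_EVENTS = [
    {"ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"ServiceName": "a1b2c3d",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden "
                  "-encodedcommand " + _encode("Write-Output 'constructed sample'")},
    {"ServiceName": "UpdaterSvc",
     "ImagePath": "powershell.exe -NoProfile -ec " + _encode("Get-Date")},
    {"ServiceName": "BackupAgent",
     "ImagePath": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for name, script in find_encoded_powershell_services(SAMPLE_EVENTS):
        print(f"{name}: {script}")
```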

The actors continued to perform reconnaissance activities from the initially infected desktop, executing commands trying to identify potential targets for further lateral movement. Many of these repeated previous commands. The nltest command was used in an attempt to retrieve data from domain controllers on other domains within the enterprise Active Directory tree. Other commands pinged specific servers, attempting to gain IP addresses. The actors also checked against all mapped network shares connected to the workstation and used WMI to check for active Remote Desktop sessions on another domain controller within the Active Directory tree.

Setting the trap

Late Wednesday afternoon—less than a day after the victim’s click on the phish—the Ryuk actors began preparations to launch their ransomware. Using the beachhead on the initially compromised PC, the attackers used RDP to connect to the domain controller with the admin credentials obtained the day before. A folder named – Copy was dropped on the domain controller—a name consistent with a set of tools deployed in previous Ryuk attacks. A few hours later, the attackers ran an encoded PowerShell command that, accessing Active Directory data, generated a dump file called ALLWindows.csv, containing login, domain controller and operating system data for Windows computers on the network.

Next, the SystemBC malicious proxy was deployed on the domain controller. SystemBC is a SOCKS5 proxy used to conceal malware traffic that shares code and forensic markers with other malware from the Trickbot family. The malware installed itself (as itvs.exe), and created a scheduled job for the malware, using the old Windows task scheduler format in a file named itvs.job—in order to maintain persistence.

A PowerShell script loaded into the folder on the domain controller was executed next. This script, Get.DataInfo.ps1, scans the network and provides an output of which systems are active. It also checks which AV is running on the system.

The Ryuk actors used a number of methods to attempt to spread files to additional servers, including file shares, WMI, and Remote Desktop Protocol clipboard transfer. WMI was used to attempt to execute GetDataInfo.ps1 against yet another server.

Failure to launch

Thursday morning, the attackers spread and launched Ryuk. This version of Ryuk had no substantial changes from earlier versions we’ve seen in terms of core functionality, but Ryuk’s developers did add more obfuscation to the code to evade memory-based detections of the malware.

The organizational backup server was among the first targeted. When Ryuk was detected and stopped on the backup server, the attackers used the icacls command to modify access control, giving them full control of all the system folders on the server.

They then deployed GMER, a “rootkit detector” tool.

GMER is frequently used by ransomware actors to find and shut down hidden processes, and to shut down antivirus software protecting the server. The Ryuk attackers did this, and then they tried again. Ryuk ransomware was redeployed and re-launched three more times in short order, attempting to overwhelm remaining defenses on the backup server.

Ransom notes were dropped in the folders hosting the ransomware, but no files were encrypted.

In total, Ryuk was executed in attacks launched from over 40 compromised systems, but was repeatedly blocked by Sophos Intercept X. By noon on Thursday, the ransomware portion of the attack had been thwarted. But the attackers weren’t done trying—and weren’t off the network yet.

On Friday, defenders deployed a block across the domains affected by the attack for the SystemBC RAT. The next day, the attackers attempted to activate another SOCKS proxy on the still-compromised domain controller. And additional Ryuk deployments were detected over the following week—along with additional phishing attempts and attempts to deploy Cobalt Strike.

Lessons learned

The tactics exhibited by the Ryuk actors in this attack demonstrate a solid shift away from the malware that had been the basis of most Ryuk attacks last year (Emotet and Trickbot). The Ryuk gang shifted from one malware-as-a-service provider (Emotet) to another (Buer Loader), and has apparently replaced Trickbot with more hands-on-keyboard exploitation tools—Cobalt Strike, Bloodhound, and GMER, among them—and built-in Windows scripting and administrative tools to move laterally within the network. And the attackers are quick to change tactics as opportunities to exploit local network infrastructure emerge—in another recent attack Sophos responded to this month, the Ryuk actors also used Windows Group Policy Objects deployed from the domain controller to spread ransomware. And other recent attacks have used another Trickbot-connected backdoor known as Bazar.

The variety of tools being used, including off-the-shelf and open-source attack tools, and the volume and speed of attacks are indicative of an evolution in the Ryuk gang’s operational skills. Cobalt Strike’s “offensive security” suite is a favorite tool of both state-sponsored and criminal actors, because of its relative ease of use and broad functionality, and its wide availability—“cracked” versions of the commercially-licensed software are readily purchased in underground forums. And the software provides actors with a ready-made toolkit for exploitation, lateral movement, and many of the other tasks required to steal data, escalate the compromise and launch ransomware attacks without requiring purpose-made malware.

While this attack happened quickly, the persistence of the attacks following the initial failure of Ryuk to encrypt data demonstrates that the Ryuk actors—like many ransomware attackers—are slow to unlatch their jaws, and can persist for long periods of time once they’ve moved laterally within the network and can establish additional backdoors. The attack also shows that Remote Desktop Protocol can be dangerous even when it is inside the firewall.

IOCs for this attack are posted on the SophosLabs GitHub here.

SophosLabs would like to acknowledge the contributions of Peter Mackenzie, Elida Leite, Syed Shahram and Bill Kearney of the MTR team, and Anand Aijan, Sivagnanam Gn, and Suraj Mundalik of SophosLabs to this report.