Ransomware, often called CryptoLocker, CryptoDefense or CryptoWall, is one of the most widespread and damaging threats that internet users face today. It is a family of malware that takes files on a PC or network storage, encrypts them, and then extorts money to unlock them.
This is what happens when we detect ransomware and what to do about it.
If you know a detection is a false positive, see Deal with false positives.
When we detect ransomware:
- We check whether it's a legitimate application like a file/folder encryption product. If it isn't, we stop it running.
- Files are restored to their pre-modification state.
- The end user is notified.
- A threat case is generated. This helps you decide whether to take additional actions.
- A scan starts to identify and clean up any other malware on the device.
- The device's health state returns to Green.
What to do if you see 'Ransomware detected'
If you still need to clean up, do as follows:
- If automatic sample submission isn't enabled, send us a sample of the ransomware. We'll classify it and update our rules: if it's malicious, Sophos Central will block it in future.
- Move the computer temporarily to a network where it is not a risk to other computers. Go to the computer and run Sophos Clean (if it isn't installed, download it from our website).
You can run Sophos Clean on a server from Sophos Central.
- Go to Sophos Central, go to Alerts, and mark the alert as resolved.
What to do if you see 'Remotely-run ransomware detected'
We detected ransomware running on a remote computer and trying to encrypt files on network shares.
We have blocked write access to the network shares from the remote computer's IP address. If the computer with that address is a workstation managed by Sophos Central, and Protect document files from ransomware (CryptoGuard) is enabled, we clean up the ransomware automatically.
You need to do as follows:
- Find the computer where the ransomware is running.
- If the computer is managed by Sophos Central, make sure that Protect document files from ransomware (CryptoGuard) is enabled in the policy.
- If cleanup doesn't happen automatically, move the computer to a network where it is not a risk to other computers. Then go to the computer and run Sophos Clean (if it isn't installed, download it from our website).
- Go to Sophos Central, go to Alerts, and mark the alert as resolved.
What to do if you see 'Ransomware attacking a remote machine detected'
We have detected that this computer is trying to encrypt files on other computers.
We have blocked the computer's write access to the network shares. If the computer is a workstation, and Protect document files from ransomware (CryptoGuard) is enabled, we clean up the ransomware automatically.
You need to do as follows:
- Make sure that Protect document files from ransomware (CryptoGuard) is enabled in the Sophos Central policy. This provides more information.
- If cleanup doesn't happen automatically, move the computer to a network where it is not a risk to other computers. Then go to the computer and run Sophos Clean (if it isn't installed, download it from our website).
- Go to Sophos Central, go to Alerts, and mark the alert as resolved.