ProLock ransomware emerged on the threat scene in March, a retooled and rebranded version of PwndLocker.
Applies to the following Sophos products and versions Central Endpoint Intercept X 2.0.14, Central Server Intercept X 2.0.8, Enterprise Console 5.5.1, Exploit Prevention, Sophos Central Admin What to do Sophos Central Please note that CryptoGuard exclusions in Sophos Central are applied to your whole estate once they’re saved.
Kaspersky File Shredder detected as ransomware by Sophos Intercept X / Exploit Prevention Due to the process used by Kaspersky File Shredder, the action will trigger a ransomware detection. Kaspersky will report that it has successfully deleted the requested files, even though they are still present. Intercept X includes advanced anti-ransomware capabilities that detect and block the malicious encryption processes used in ransomware attacks. Files that have been encrypted will be rolled back to a safe state, minimizing any impact to business productivity.
As SophosLabs reveals in its detailed analysis, while ProLock ransomware gives you the first eight kilobytes of decryption for free, it can still cause significant business disruption and economic damage.
Protect against ProLock with Sophos Intercept X
Intercept X gives you multiple layers of protection against ProLock, keeping the data on your endpoints and servers safe:
- CryptoGuard identifies and rolls back the unauthorized encryption of files. In fact, Sophos first detected ProLock when CryptoGuard caught it on a customer network
- Deep learning identifies and blocks ProLock without signatures
- Signatures block variants of ProLock either as Troj/Agent-BEKP or Malware/Generic-S
If you’re running Sophos Intercept X you can relax knowing that you are automatically protected against ProLock, as all three of the above features are enabled by default in our recommended settings.
(If you’re not yet running Intercept X and want to give it a try, visit the web page to learn more and start a no-obligation free trial.)
To check that you have CryptoGuard and Deep Learning enabled:
- Open your Sophos Central Admin console and select Endpoint Protection in the left-hand menu
- Select Policies
- Review the list of threat protection policies already created
- Toggle the buttons to make any necessary changes
Endpoint protection and firewall best practices to block ransomware
51% of IT managers surveyed for our recent State of Ransomware 2020 report said their organization was hit by ransomware last year, and that cybercriminals succeeded in encrypting data in 73% of incidents.
With stats like these it’s worth taking the time to ensure all your ransomware defenses are up-to-date.
The earliest detection of ProLock by Sophos was traced to a compromised server, most likely through an exploit of a Remote Desktop Protocol (RDP).
Putting RDP access behind a virtual private network and using multi-factor authentication for remote access are just a couple of the best practices we recommend to reduce your ransomware risk.
Sophos Intercept X Ransomware Download
Sophos Intercept X Ransomware
For additional best practices, take a look at our guides Endpoint Protection Best Practices to Block Ransomware and Firewall Best Practices to Block Ransomware.