Sophos Discovers Ransomware Abusing “Sophos” Name
Attackers sometimes borrow the names of security companies for their malware. While running a routine VirusTotal search this week for interesting malware and new ransomware variants, using our threat-hunting rules, a Sophos X-Ops analyst discovered a novel ransomware executable that appears to use the "Sophos" name in two places: in the UI of the panel that alerts the victim that files have been encrypted (shown below), and as the extension (".sophos") appended to encrypted files.
The SophosLabs teams immediately investigated and began developing a targeted detection rule for Sophos endpoint security products. In testing, a pre-existing behavioral rule (together with Sophos CryptoGuard) had already blocked the ransomware before it could cause harm. The targeted detection rule has since been released, as listed under "Detections," below.
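To make the behavioral side of that paragraph concrete, here is an added illustration of the kind of heuristic a behavior-based anti-ransomware rule relies on: a process that overwrites many files with high-entropy content and then renames them all to one new extension (here ".sophos") gets flagged, while an ordinary editor saving a text file does not. This is example code written for this page, not Sophos CryptoGuard, any Sophos detection rule, or code from the sample; the event format, the thresholds, and the file events are all constructed assumptions for the demonstration.

```python
"""Toy behavioral ransomware heuristic (added illustration only; not Sophos
CryptoGuard or any Sophos detection logic).

It consumes a stream of file-system events attributed to a process ID and
flags the process when, within a short window, it (1) overwrites files with
high-entropy (encrypted-looking) content and (2) renames those same files to
a single new extension such as ".sophos". All events below are constructed.
"""
import math
import os
from collections import defaultdict

# Thresholds are assumptions chosen for the example, not Sophos tuning values.
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data sits near 8.0
MIN_FILES = 5             # distinct files encrypted-then-renamed before alerting
WINDOW_SECONDS = 10.0     # max gap between the high-entropy write and the rename


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def detect_mass_encryption(events):
    """events: iterable of (timestamp, pid, op, path, payload).

    op == "write":  payload is the bytes written to `path`
    op == "rename": payload is the new path `path` was renamed to

    Returns {pid: {"extension": ext, "files": count}} for every process that
    rewrote at least MIN_FILES files with high-entropy data and renamed them
    to the same new extension within WINDOW_SECONDS of each write.
    """
    events = sorted(events, key=lambda e: e[0])
    hot_writes = defaultdict(dict)                     # pid -> {path: ts of high-entropy write}
    renamed = defaultdict(lambda: defaultdict(set))    # pid -> {new_ext: {original paths}}
    alerts = {}

    for ts, pid, op, path, payload in events:
        if op == "write":
            # Remember only writes that look encrypted; a plaintext write clears the mark.
            if shannon_entropy(payload) >= ENTROPY_THRESHOLD:
                hot_writes[pid][path] = ts
            else:
                hot_writes[pid].pop(path, None)
        elif op == "rename":
            wrote_at = hot_writes[pid].get(path)
            if wrote_at is None or ts - wrote_at > WINDOW_SECONDS:
                continue  # rename without a recent encrypted-looking write: not interesting
            new_ext = os.path.splitext(payload)[1].lower()
            old_ext = os.path.splitext(path)[1].lower()
            if not new_ext or new_ext == old_ext:
                continue  # same extension: looks like an in-place save, not an encryptor
            renamed[pid][new_ext].add(path)
            n = len(renamed[pid][new_ext])
            if n >= MIN_FILES:
                alerts[pid] = {"extension": new_ext, "files": n}
    return alerts


# ---- constructed sample events -------------------------------------------
# Every byte value appears equally often, so this buffer has exactly 8.0 bits/byte,
# a stand-in for ciphertext written by the encryptor.
HIGH_ENTROPY = bytes(range(256)) * 4

SAMPLE_EVENTS = []
_t = 0.0
for _i in range(1, 7):
    _src = f"/home/user/Documents/report{_i}.docx"
    SAMPLE_EVENTS.append((_t, 4242, "write", _src, HIGH_ENTROPY))          # overwrite with "ciphertext"
    SAMPLE_EVENTS.append((_t + 0.5, 4242, "rename", _src, _src + ".sophos"))  # append the ransom extension
    _t += 1.0

# Benign activity: a text editor saves plaintext and keeps a .bak copy.
SAMPLE_EVENTS.append((20.0, 100, "write", "/home/user/notes.txt", b"meeting notes for monday " * 8))
SAMPLE_EVENTS.append((20.1, 100, "rename", "/home/user/notes.txt", "/home/user/notes.txt.bak"))

if __name__ == "__main__":
    print(detect_mass_encryption(SAMPLE_EVENTS))
```

Running it flags only PID 4242, with extension ".sophos" and six files; the editor's plaintext save and ".bak" rename never trip the rule because the write did not look encrypted. A production rule would additionally watch for the ransom-note drop and canary files, but the pairing of entropy with a bulk extension change is the core signal.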
The Ministry of Defence, which accounts for almost half of the emails associated with the gov.uk domain, said: “We are aware of a data breach from a third party involving the details of MoD employees. None of the data was sensitive and all details have now been removed.”
The National Cyber Security Centre is understood to be aware of the leak and unconcerned about its potential impact.
A spokesperson for the Nuclear Decommissioning Authority (NDA) said: “Employee email addresses may be available in the public domain for a variety of reasons, which is why we provide ongoing training and awareness for staff of the risks associated with phishing emails.”
The Pensions Regulator told Recorded Future News: "We take cyber security extremely seriously and have controls in place to prevent malicious emails from infiltrating our systems."