Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/mdr/help/en-us/index.html?contextId=Identification

Identification

Types of malware infection and their common symptoms.

If your symptoms match or are similar to those listed, follow the steps in the corresponding workflow.

Symptoms of a ransomware infection

  • You can't access some files on your devices:

    • The file is missing.
    • Attempting to open the file results in an error.

  • Files have a custom extension or a different extension or file name than before.

  • The wallpaper has changed to a ransom note or your device is locked.
  • You upload a suspected file to ID Ransomware and it gives you a ransomware type name.
  • A CryptoGuard detection, as explained in CryptoGuard detections and required actions.

Go to Ransomware remediation workflow.

Symptoms of a TrickBot or Emotet infection

If you've got active outbreaks of Emotet and TrickBot, you may see the following detections in Sophos Enterprise Console or Sophos Central.

  • HPmal/Emotet-C
  • HPmal/TrikBot-G
  • Mal/EncPk-AN
  • HPmal/Crushr-AU
  • Troj/Inject-DTW
  • Troj/LnkRun-T

You may also see the following detections, although these aren't exclusive to Emotet or TrickBot:

  • Mal/Generic-R
  • Mal/Generic-S
  • ML/PE-A
  • Code Cave
  • APC Violation
  • Safe Browsing
  • LoadLib

Another indication of an Emotet or TrickBot infection is the presence of additional unknown services created on the device with random numeric names.

The example below shows four Emotet or TrickBot services (other infected devices may have more) on a compromised device.

Example of a TrickBot or Emotet attack.

Go to TrickBot or Emotet remediation workflow.

Symptoms of a coin miner infection

If you've got an active coin miner infection, you may see the following:

  • A device has excessive CPU/RAM usage, even when the device is idle.
  • A device slows down drastically. Or a device slows down intermittently not linked to user actions.
  • PowerShell spikes the CPU on devices rendering them useless.
  • Locked accounts.

  • PowerShell execution is detected and terminated by Sophos with at least one of the following flags:

    • AMSI/Miner-B
    • AMSI/Miner-C
    • HPmal/WMIPOW-A
    • HPmal/HPWMIJS-A
    • HPmal/mPShl32-A
    • HPmal/mPShl64-A
    • HPmal/HPWMIJS-A

  • A CredGuard alert, in Sophos Central or on the device, with the following message: "We prevented credential theft in Windows PowerShell”.

Go to Coin miners remediation workflow.

Symptoms of a malicious LNK worm

If you've got an active malicious LNK worm, you may see the following:

  • There are legitimate-looking files with an extension .LNK repeatedly generated on your file shares.
  • Sophos is detecting or cleaning .LNK files.
  • Users are complaining that legitimate LNK shortcuts aren't working correctly.

Go to Malicious LNK worm remediation workflow