Identification
Types of malware infection and their common symptoms.
If your symptoms match or are similar to those listed, follow the steps in the corresponding workflow.
Symptoms of a ransomware infection
- You can't access some files on your devices:
  - The file is missing.
  - Attempting to open the file results in an error.
- Files have a custom extension, or a different extension or file name than before.
- The wallpaper has changed to a ransom note or your device is locked.
- You upload a suspected file to ID Ransomware and it gives you a ransomware type name.
- A CryptoGuard detection, as explained in CryptoGuard detections and required actions.
Go to Ransomware remediation workflow.
Symptoms of a TrickBot or Emotet infection
If you've got active outbreaks of Emotet and TrickBot, you may see the following detections in Sophos Enterprise Console or Sophos Central.
HPmal/Emotet-C
HPmal/TrikBot-G
Mal/EncPk-AN
HPmal/Crushr-AU
Troj/Inject-DTW
Troj/LnkRun-T
You may also see the following detections, although these aren't exclusive to Emotet or TrickBot:
Mal/Generic-R
Mal/Generic-S
ML/PE-A
Code Cave
APC Violation
Safe Browsing
LoadLib
Another indication of an Emotet or TrickBot infection is the presence of additional unknown services created on the device with random numeric names.
The example below shows four Emotet or TrickBot services (other infected devices may have more) on a compromised device.
Go to TrickBot or Emotet remediation workflow.
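Added example, not part of the Sophos article: a PowerShell triage check that lists services whose names are purely numeric, the Emotet/TrickBot indicator described above, together with the executable each one points at. It assumes an elevated session on the suspected device; the function name is my own.

```powershell
# Added triage check (not Sophos code): enumerate Windows services whose
# service name is purely numeric, the pattern the article gives for the extra
# services Emotet/TrickBot create. A hit is a lead for the remediation
# workflow, not proof of infection on its own. Run from an elevated session.
function Get-NumericNamedService {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object {
            # PathName may be quoted ("C:\path with spaces\x.exe" args) or a
            # bare path followed by arguments; pull out just the executable.
            $exe = if ($_.PathName -match '^"([^"]+)"') {
                $Matches[1]
            } else {
                ($_.PathName -split '\s+')[0]
            }

            [PSCustomObject]@{
                Name       = $_.Name
                State      = $_.State
                StartMode  = $_.StartMode
                Account    = $_.StartName
                Executable = $exe
                # A missing binary is itself worth noting: the file may already
                # have been cleaned while the service entry was left behind.
                FileExists = [bool]$exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
            }
        }
}

$hits = @(Get-NumericNamedService)
if ($hits.Count -eq 0) {
    Write-Output 'No services with purely numeric names found.'
} else {
    Write-Warning "$($hits.Count) service(s) with purely numeric names; review each entry before following the remediation workflow."
    $hits | Format-Table -AutoSize
}
```

Review the reported executables against the detection names listed above before submitting any of them for analysis.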
Symptoms of a coin miner infection
If you've got an active coin miner infection, you may see the following:
- A device has excessive CPU/RAM usage, even when the device is idle.
- A device slows down drastically, or slows down intermittently in a way not linked to user actions.
- PowerShell spikes CPU usage on devices, rendering them unusable.
- Locked accounts.
- PowerShell execution is detected and terminated by Sophos with at least one of the following flags:
  - AMSI/Miner-B
  - AMSI/Miner-C
  - HPmal/WMIPOW-A
  - HPmal/HPWMIJS-A
  - HPmal/mPShl32-A
  - HPmal/mPShl64-A
- A CredGuard alert, in Sophos Central or on the device, with the following message: "We prevented credential theft in Windows PowerShell".
Go to Coin miners remediation workflow.
Symptoms of a malicious LNK worm
If you've got an active malicious LNK worm, you may see the following:
- Legitimate-looking files with a .LNK extension are repeatedly generated on your file shares.
- Sophos is detecting or cleaning .LNK files.
- Users are complaining that legitimate LNK shortcuts aren't working correctly.