Skip to content

Deal with ransomware

This is what happens when we detect ransomware and what to do about it.

If you know a detection is a false positive, see Deal with false positives.

When we detect ransomware:

  • We check whether it's a legitimate application like a file/folder encryption product. If it isn't, we stop it running.
  • Files are restored to their pre-modification state.
  • The end user is notified.
  • A threat graph is generated. This helps you decide whether to take additional actions.
  • A scan checks all processes in memory for suspicious behavior.
  • The device's health state returns to Green.

For more information see Alerts.

What to do if you see “Ransomware detected”

If you still need to clean up, do as follows:

  • If automatic sample submission isn't enabled, send us a sample of the ransomware. We'll classify it and update our rules: if it's malicious, Sophos Central will block it in future. See How to submit samples of suspicious files to Sophos.
  • Move the computer temporarily to a network where it is not a risk to other computers. Go to the computer and run Sophos Clean (if it isn't installed, download it from our website).

    You can run Sophos Clean on a server from Sophos Central.

  • Go to Sophos Central, go to Alerts, and mark the alert as resolved.

What to do if you see "Remotely-run ransomware detected"

We detected ransomware running on a remote computer and trying to encrypt files on network shares.

We have blocked write access to the network shares from the remote computer's IP address. If the computer with that address is a workstation managed by Sophos Central, and Protect document files from ransomware (CryptoGuard) is enabled, we clean up the ransomware automatically.

You need to do as follows:

  • Find the computer where the ransomware is running.
  • If the computer is managed by Sophos Central, make sure that Protect document files from ransomware (CryptoGuard) is enabled in the policy.
  • If cleanup doesn’t happen automatically: Move the computer to a network where it is not a risk to other computers. Then go to the computer and run Sophos Clean (if it isn't installed, download it from our website).
  • Go to Sophos Central, go to Alerts, and mark the alert as resolved.

What to do if you see "Ransomware attacking a remote machine detected"

We have detected that this computer is trying to encrypt files on other computers.

We have blocked the computer's write access to the network shares. If the computer is a workstation, and Protect document files from ransomware (CryptoGuard) is enabled, we clean up the ransomware automatically.

You need to do as follows:

  • Make sure that Protect document files from ransomware (CryptoGuard) is enabled in the Sophos Central policy. This provides more information.
  • If cleanup doesn’t happen automatically: Move the computer to a network where it is not a risk to other computers. Then go to the computer and run Sophos Clean (if it isn't installed, download it from our website).
  • Go to Sophos Central, go to Alerts, and mark the alert as resolved.