Cybersecurity firm Sophos impersonated by new SophosEncrypt ransomware


Cybersecurity vendor Sophos is being impersonated by a new ransomware-as-a-service called SophosEncrypt, with the threat actors using the company name for their operation.

Discovered yesterday by MalwareHunterTeam, the ransomware was initially thought to be part of a red team exercise by Sophos.

However, the Sophos X-Ops team tweeted that they did not create the encryptor and that they are investigating its launch.

"We found this on VT earlier and have been investigating. Our preliminary findings show Sophos InterceptX protects against these ransomware samples," tweeted Sophos.

Furthermore, ID Ransomware shows one submission from infected victims, indicating that this Ransomware-as-a-Service operation is active.

While little is known about the RaaS operation and how it is being promoted, a sample of the encryptor was found by MalwareHunterTeam, allowing us to get a quick look at how it operates.


Attackers will sometimes use the names of security companies in their malware. While performing a regular search on VirusTotal this week, looking for interesting malware and new ransomware variants using our threat hunting rules, a Sophos X-Ops analyst discovered a novel ransomware executable that appears to use “Sophos” in the UI of the panel alerting that files have been encrypted (shown below), and as the extension (“.sophos”) for encrypted files.
The SophosLabs teams immediately investigated and began work on developing a targeted detection rule for Sophos endpoint security products, but a pre-existing behavioral rule (and Sophos CryptoGuard) blocked the ransomware from causing harm in tests. This targeted detection rule has been released as indicated in “Detections,” below.

