Sophos announced the availability of Sophos Rapid Response, an industry-first, fixed-fee remote incident response service that identifies and neutralizes active cybersecurity attacks throughout its entire 45-day term of engagement. Sophos Rapid Response provides organizations with a dedicated 24/7 team of incident responders, threat hunters and threat analysts to quickly stop advanced attacks and remove adversaries from their networks, minimizing damage and costs, and reducing recovery time.
Sophos Rapid Response has
identified the first known use of the Buer malware dropper to deliver
ransomware. In new research published today from Sophos Rapid Response
and SophosLabs, “Hacks for
sale: Inside the Buer Loader Malware-as-a-Service,” Sophos
details how Buer compromises Windows PCs, and enables attackers to
deliver a payload. Sophos Rapid Response made the discovery while
mitigating a recent Ryuk ransomware attack, which was detected
and stopped as part of a wave of Ryuk attacks using new tools,
techniques and procedures. In this incident, the relentless attackers
used a new variant of Buer in an attempt to launch Ryuk ransomware,
before expanding their efforts to mix the use of Buer with
other types of loader malware.
“When
you’re hit with an attack, time is of the essence. Every minute between
initial compromise and neutralization counts as adversaries race
through the attack lifecycle,” said
Joe Levy, chief technology officer at Sophos. “Advanced attacks can quickly halt business operations, and
IT managers who have experienced ransomware first hand know this all too well, reporting the need to spend proportionately more time on incident response and less time on
threat prevention than those who haven’t been hit. Sophos Rapid Response disrupts
active attacks,
eliminating the complex and time consuming process of stopping
determined attackers, so organizations can get back to their normal
operations faster.”
Sophos
Rapid Response neutralizes a wide range of security incidents,
including ransomware, network breaches, hands-on keyboard adversaries,
and more. The Sophos Rapid Response team can
be onboarded and activated within hours, and the majority of attacks
triaged within 48 hours.
“This year, devastating ransomware attacks have unfortunately
been a gold rush for cybercriminals, and it’s unlike anything the
cybersecurity industry has ever experienced. Nearly 85% of the attacks
that Sophos Rapid Response has been involved in thus
far included ransomware – notably Ryuk, REvil and Maze
– and I can say with confidence that most of the other attacks that we
were called in to stop would have also resulted in ransomware had we not
acted so quickly,” said Peter Mackenzie, incident response manager at
Sophos. “Readily accessible tools make it
possible for attackers to net bigger pay-outs in one week’s worth of
work than most people will make in their lifetime. Criminals infiltrate
networks and stealthily plan their attacks in the background, before
strategically launching ransomware as the final
payload – often during the overnight hours when no one is watching in
order to execute on as many machines as possible. Sophos Rapid Response
takes immediate action to extinguish the fire, which in the case of a
hospital that we helped this month after it
was hit by Ryuk ransomware and forced to shut down, meant the
difference of life or death.”
Sophos Rapid Response is part of
Sophos Managed Threat Response (MTR), a global team that provides
proactive, fully-managed threat hunting, detection and response services.
As one of the industry’s
most widely used managed detection and response (MDR) services with more
than 1,400 customers, Sophos MTR stands apart with its ability to
proactively take action on an organization’s behalf to mitigate
threats in real time.
Once
immediate threats are neutralized during a Rapid Response engagement,
the Sophos Rapid Response program shifts to continuous monitoring with
around-the-clock proactive threat hunting,
investigation, detection, and response from the Sophos MTR team. A
threat investigation report details discoveries made, actions taken and
other remediation recommendations, helping organizations understand
attack origination as well as what assets were compromised,
and data accessed and exfiltrated.
Sophos
Rapid Response is available now to both existing and non-Sophos
customers. Unlike traditional incident response and forensic services
that require complex and protracted deployments
with hourly pricing structures, Sophos Rapid Response is a remote
offering with a fixed pricing model based on an organization’s number of
users and servers. Sophos Rapid Response is also structured to
accommodate businesses of all sizes, including smaller
organizations, which until now have not been able to easily leverage a
service such as this without requiring a retainer.