New Sophos Report Exposes How Attackers are Executing Ransomware in Hours

OXFORD, U.K. — 十一月 14, 2023 —

Sophos, a global leader in innovating and delivering cybersecurity as a service, today introduced several new solutions that advance critical defenses against active adversaries. Sophos exposes how these active adversaries are now carrying out ransomware “fast” attacks in mere hours in “The 2023 Active Adversary Report for Security Practitioners” also published today.

The Sophos X-Ops report showcases the forensics of fast smash-and-grab ransomware attacks and the precise tactics, techniques and procedures (TTPs) attackers are using to operate in this new high-speed attack mode – including preferred living-off-the-land binaries (LOLBins) and other tools and behaviors that get them close to crucial resources that they want to exploit. This evidence in the report and detailed explanations of how certain attacks unfold demonstrates the need for regularly adapted security solutions to protect, detect and disrupt intrusions as fast as possible on the attack chain.

“In the face of fast-moving adversaries who are continuously evolving their TTPs – and often blend the use of legitimate tools – to execute multistage attacks, cybersecurity defenses need to be dynamic and foresightful,” said Raja Patel, chief product officer at Sophos. “Sophos is taking a proactive, protection-first approach to stopping threats at the front door before they escalate. We’re evolving products with industry-first security capabilities that are powered by Sophos X-Ops’ deep threat intelligence from more than half a million organizations globally to identify and counter threats at speed and scale.”

The new innovative capabilities include:

  • New Sophos Firewall v20 software with Active Threat Response: automatically shuts down attacks and blocks active adversaries from entering networks, all without having to add firewall rules. If administrators, for example, are alerted to a Cobalt Strike beacon, which Sophos X-Ops frequently sees attackers using, as indicated in the new Active Adversary Report for Security Practitioners, they can add its destination to the ad-hoc blocklist and the rest of the network will be prevented from accessing that IP address, domain or URL.This new version of Sophos Firewall software also includes an integrated Zero Trust Network Access (ZTNA) gateway that makes it easy for organizations to provide modern secure remote access to applications behind the firewall; network scalability enhancements to support distributed enterprises; and ease of use management enhancements
  • Sophos Network Detection and Response (NDR) with Extended Detection and Response (XDR): Sophos NDR is now available for Sophos XDR and Sophos Managed Detection and Response (MDR) customers to extend their threat detection capabilities to the network. Sophos NDR monitors activity deep inside the network for suspicious and malicious traffic patterns that could signal an attack and detects a wide range of security risks, including rogue and unprotected devices, insider threats, undetected zero-day attacks, and threats targeting internet of things (IoT) and operational technology (OT)
  • Sophos XDR enhancements: connects security data across multiple sources to detect threatsfaster and stop active adversaries sooner​. An expanded set of third-party integrations makes it easy to collect, enrich and combine telemetry across endpoint, firewall, cloud, identity, network, and email solutions. Enhanced security operations and analyst workflow and case management features also enable customers to filter out noisy and redundant alerts, gain complete visibility from a single console and reduce workloads with automated response actions

“As attackers speed up their attack timelines, one of the best things organizations can do is increase friction whenever possible; in other words, if their systems are well maintained, attackers must do more to subvert them. That takes time and increases the detection window,” said John Shier, field chief technology officer at Sophos. “Robust, layered defenses create more friction, increasing the skill level the attacker needs to bring to the table. Many simply won't have what it takes and will move on to easier targets.”


The new Sophos Firewall software is available for immediate purchase exclusively through Sophos’ global channel of partners and managed service providers (MSPs), and as a complimentary upgrade for all licensed firewall customers. New Sophos NDR and XDR third-party integration packs will also be available by the end of November.

Users can easily manage Sophos solutions in the cloud-native Sophos Central platform, where Sophos’ portfolio of security products and managed services share information to automatically respond to threats by isolating infected endpoints, blocking lateral attacker movement and more. Organizations can also leverage Sophos MDR as a comprehensive service to detect and respond to threats. As the world’s most widely used MDR offering with more than 19,000 customers, Sophos MDR provides 24/7 threat hunting, detection and response with industry-first third-party integration capabilities and a $1 million breach protection warranty.

Analyst and Channel Partner Quotes

“For many organizations, the desire for consolidation is growing, and we’ve seen evidence that SMBs, in particular, express a higher propensity to consolidate their purchases of multiple products with their endpoint security vendors,” said Chris Kissel, research vice president, security and trust products, at IDC. “The main driver of vendor consolidation isn’t financial; it’s security operations efficiency. Organizations can achieve better security outcomes with tools covering different facets of the security ecosystem that are designed to work together and are centrally managed by an XDR platform.”

“These new cutting-edge innovations empower us as an MSP to take a more proactive approach in locking the doors and standing up adaptive and customizable protections throughout our customers’ varied estates to keep determined attackers at bay,” said Sam Heard, president at Data Integrity Services. “Sophos is continuously updating its technology portfolio to protect against changing threats, and, as a result, we’re extremely confident in our ability to detect and respond to threats early on before they cause any damage.”

"Sophos NDR has provided a significant boost to our IT team's productivity, allowing us to focus on other projects and aspects of our cybersecurity. The fact that it protects our industrial equipment and non-Sophos endpoints is a real game changer, and having the real time ability to detect IP-based flows gives us a third-eye view of what is happening inside our network,” said Vishvas Chitale, chief information security officer and partner at Chitale Dairy. “Now, with Sophos Firewall v20 and Active Threat Response, response time is instantaneous and there’s even less involvement required by our local IT team. We can simultaneously identify compromised hosts thanks to the synchronized security heartbeat telemetry that identifies details about the infected device, including hostname, user, process or executable, and the nature of the threat. It not only improves our security response time but makes it easier to get any threat cleaned up and frees up even more of our team’s time to work on more strategic projects. Also, thanks to the new IPv6 BGP functionality in Sophos Firewall v20, we have streamlined our network routing, taking advantage of the granular BGPv6 controls in the firewall. Along with the networking and SD-WAN enhancements, we are excited to build out our datacenter network with Sophos Firewall for East-West and North-South flows. Sophos Firewall is an outstanding network security platform that provides a single pane to manage our security posture with great ease.”

关于 Sophos

Sophos 是全球领先的先进安全解决方案提供商和创新者,全面安全解决方案涵盖托管式侦测与响应 (MDR) 和事件响应服务,以及广泛的端点、网络、电子邮件和云安全技术。作为最大的纯网络安全厂商之一,Sophos 为全球超过 600,000 家企业和超过 1 亿用户提供防御主动攻击对手、勒索软件、网络钓鱼、恶意软件等威胁的保护。Sophos 的服务和产品通过 Sophos Central 管理控制台连接,并得到公司内部的跨领域威胁情报部门 Sophos X-Ops 的支持。Sophos X-Ops 情报优化整个 Sophos Adaptive Cybersecurity Ecosystem 自适应网络安全生态体系,包括一个中央数据湖,为客户、合作伙伴、开发人员和其他网络安全与信息技术供应商提供一组丰富的开放 API。Sophos为需要完全托管的安全解决方案的组织提供网络安全即服务。客户还可以直接利用 Sophos 的安全运行平台管理其网络安全,或者采用混合方法,为内部团队补充 Sophos 服务(包括威胁追踪与修复)。Sophos 通过世界各地的经销商合作伙伴和托管服务供应商 (MSP) 销售。Sophos 总部位于英国牛津。如欲了解更多信息,请访问