Sophos Rapid Response identifies first use of Buer Malware Dropper in Windows PC

Cybersecurity solutions firm Sophos has identified the first known use of the Buer malware dropper to deliver ransomware using its new tool called Sophos Rapid Response.

In the new research published from Sophos Rapid Response and SophosLabs, “Hacks for Sale: Inside the Buer Loader Malware-as-a-Service,” the security researchers details how Buer compromises Windows PCs and enables attackers to deliver a payload.

Sophos Rapid Response made the discovery while mitigating a recent Ryuk ransomware attack, which was detected and stopped as part of a wave of Ryuk attacks using new tools, techniques, and procedures. In this incident, the relentless attackers used a new variant of Buer in an attempt to launch Ryuk ransomware, before expanding their efforts to mix the use of Buer with other types of loader malware.

Sophos uncovers multi-faceted techniques attackers use in new Ryuk ransomware

Sophos reports sharp rise in new email phishing scams

One of the challenges in cybersecurity is early detection. But there are times when security teams discover the threat a little too late. This is one of the reasons that cybersecurity solutions firm Sophos developed and is now making its Sophos Rapid Response available.

“When you’re hit with an attack, time is of the essence. Every minute between initial compromise and neutralization counts as adversaries race through the attack lifecycle,” said Joe Levy, chief technology officer at Sophos.

Sophos Rapid Response, considered to be an industry-first, fixed-fee remote incident response service that identifies and neutralizes active cybersecurity attacks throughout its entire 45-day term of engagement.

It provides organizations with a dedicated 24/7 team of incident responders, threat hunters, and threat analysts to quickly stop advanced attacks and remove adversaries from their networks, minimizing damage and costs, and reducing recovery time.

IDC MarketScape names Sophos a leader in mobile threat management

Sophos uncovers multi-faceted techniques attackers use in new Ryuk ransomware

“Advanced attacks can quickly halt business operations and IT managers who have experienced ransomware first hand know this all too well, reporting the need to spend proportionately more time on incident response and less time on threat prevention than those who haven’t been hit,” Levy said. “Sophos Rapid Response disrupts active attacks, eliminating the complex and time-consuming process of stopping determined attackers, so organizations can get back to their normal operations faster.”

Security incidents

Sophos Rapid Response neutralizes a wide range of security incidents, including ransomware, network breaches, hands-on keyboard adversaries, and more. The Sophos Rapid Response team can be onboarded and activated within hours, and the majority of attacks triaged within 48 hours.

“This year, devastating ransomware attacks have unfortunately been a gold rush for cybercriminals, and it’s unlike anything the cybersecurity industry has ever experienced,” said Peter Mackenzie, incident response manager at Sophos. “Nearly 85% of the attacks that Sophos Rapid Response has been involved in thus far included ransomware (notably Ryuk, REvil, and Maze) and I can say with confidence that most of the other attacks that we were called in to stop would have also resulted in ransomware had we not acted so quickly.”

Sophos MTR

Sophos Rapid Response is part of Sophos Managed Threat Response (MTR), a global team that provides proactive, fully managed threat hunting, detection, and response services. Sophos’ managed detection and response (MDR) services more than 1,400 customers.


Once immediate threats are neutralized during a Rapid Response engagement, the Sophos Rapid Response program shifts to continuous monitoring with around-the-clock proactive threat hunting, investigation, detection, and response from the Sophos MTR team. A threat investigation report details discoveries made, actions are taken and other remediation recommendations, helping organizations understand attack origination as well as what assets were compromised, and data accessed and exfiltrated.