
WSL: How Linux Ransomware Bypasses AV on a Windows Device (unless SentinelOne is installed)

WSL (Windows Subsystem for Linux) lets administrators run Linux environments and command-line tools directly on Windows machines without the need for a virtualization platform. WSL also opens a new attack surface and enables AV bypass by skipping Windows user-mode hooks. This video demonstrates how the SentinelOne agent detects an abuse of the WSL architecture: an open source ransomware named GonnaCry encrypts files in the user's folder on the C: drive and is immediately detected. Visit https://www.sentinelone.com/
