Ransomware groups activate remote encryption intentionally: Sophos

News Desk -

Share

Sophos, a globally recognized leader in the field of cybersecurity as a service, has unveiled a new report titled “CryptoGuard: An Asymmetric Approach to the Ransomware Battle” The report highlights a deliberate trend among prominent ransomware groups such as Akira, ALPHV/BlackCat, LockBit, Royal, and Black Basta, wherein they employ remote encryption during their attacks. Remote encryption, also known as remote ransomware, involves exploiting a compromised and often inadequately protected endpoint to encrypt data on other devices connected to the same network.

Sophos CryptoGuard, an anti-ransomware technology acquired by Sophos in 2015 and integrated into all Sophos Endpoint licenses, serves as a crucial element in the company’s layered endpoint protection. This technology monitors and safeguards against the malicious encryption of files, offering immediate protection and rollback capabilities, even in cases where the ransomware itself doesn’t manifest on a protected host. The report reveals a significant 62% year-over-year increase in intentional remote encryption attacks since 2022.

Mark Loman, Vice President of Threat Research at Sophos and co-creator of CryptoGuard, emphasized the vulnerability posed by remote ransomware, stating that a single underprotected device within a network can compromise the entire system. Given the observed increase in remote encryption attacks, he anticipates this method to persist as a perennial challenge for defenders.

Traditional anti-ransomware protection methods deployed on remote devices often fail to detect malicious files or their activities, leaving them susceptible to unauthorized encryption and potential data loss. However, Sophos CryptoGuard employs an innovative approach by analyzing file contents to detect signs of encryption, irrespective of the presence of malware on the device. This method stands in contrast to conventional solutions that focus on detecting malicious binaries or execution.

The report traces the origin of remote encryption tactics back to CryptoLocker in 2013, which utilized asymmetric encryption (public-key cryptography). Loman noted that Sophos anticipated the challenge posed by remote encryption a decade ago and innovated CryptoGuard to specifically target files, changing the power balance between attackers and defenders. Unlike other solutions, CryptoGuard’s autonomous strategy does not rely on indicators of breach, threat signatures, artificial intelligence, cloud lookups, or prior knowledge for effectiveness.

Loman emphasized that CryptoGuard’s focus on files enhances the complexity and cost for attackers attempting to encrypt data successfully. This approach is aligned with Sophos’ asymmetric defense strategy, aiming to empower defenders and disrupt attackers’ objectives. Remote ransomware remains a significant issue for organizations, contributing to the enduring prevalence of ransomware. Sophos’ anti-ransomware technology addresses both remote attacks and those targeting a minimal portion of a file, providing valuable insights to defenders for comprehensive protection.

For additional details, the report “CryptoGuard: An Asymmetric Approach to the Ransomware Battle” is available on Sophos.com.