Prolific Ransomware Groups Intentionally Switch on Remote Encryption for Attacks, Sophos Finds
Sophos has today released a report, titled “CryptoGuard: An Asymmetric Approach to the Ransomware Battle,” which found that some of the most prolific and active ransomware groups, including Akira, ALPHV/BlackCat, LockBit, Royal, Black Basta, are deliberately switching on remote encryption for their attacks. In remote encryption attacks, also known as remote ransomware, adversaries leverage a compromised and often under protected endpoint to encrypt data on other devices connected to the same network.
Sophos CryptoGuard is the anti-ransomware technology that Sophos acquired in 2015* and is included in all Sophos Endpoint licenses. CryptoGuard monitors the malicious encryption of files and provides immediate protection and rollback capabilities, including when the ransomware itself never appears on a protected host. The unique anti-ransomware technology is a last line of defense in Sophos’ layered endpoint protection, only activating if an adversary triggers it later in the attack chain. CryptoGuard detected a 62% year-over-year increase in intentional remote encryption attacks since 2022.
“Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one under protected device to compromise the entire network. Attackers know this, so they hunt for that one ‘weak spot’—and most companies have at least one. Remote encryption is going to stay a perennial problem for defenders, and based, on the alerts we’ve seen, the attack method is steadily increasing,” said Mark Loman, vice president, threat research at Sophos, and the co-creator of CryptoGuard.
Since this type of attack involves encrypting files remotely, traditional anti-ransomware protection methods deployed on remote devices don’t “see” the malicious files or their activity, failing to protect them from unauthorized encryption and potential data loss. Sophos CryptoGuard technology, however, takes an innovative approach to stopping remote ransomware, as explained in the Sophos X-Ops article: analyzing the contents of files to see if any data became encrypted to detect ransomware activity on any device in a network, even if there is no malware on the device.
Follow us on Telegram, Twitter, and Facebook, or subscribe to our weekly newsletter to ensure you don’t miss out on any future updates. Send tips to info@techtrendske.co.ke
