Ransomware Tactic Shift: Remote Encryption Becomes New Weapon

Today, cybersecurity leader Sophos unveiled a report titled “CryptoGuard: An Asymmetric Approach to the Ransomware Battle,” revealing that prominent ransomware groups such as Akira, ALPHV/BlackCat, LockBit, Royal, and Black Basta are intentionally activating remote encryption in their attacks. Remote encryption, or remote ransomware, uses a single compromised endpoint to encrypt files on other devices reachable over the network, typically through file shares, so the ransomware binary never has to run on the devices whose data ends up encrypted.

Sophos CryptoGuard, an anti-ransomware technology that Sophos acquired in 2015, is included in Sophos Endpoint licenses. It monitors for and blocks malicious file encryption even when the ransomware itself is not running on the protected device. The report notes a 62% year-over-year increase in intentional remote encryption attacks since 2022.

Mark Loman, Sophos’ Vice President of Threat Research and co-creator of CryptoGuard, emphasizes the vulnerability of networks where just one underprotected device can compromise the entire system. He notes that remote encryption poses a persistent threat, with attackers actively seeking weak spots.

Traditional anti-ransomware methods fail to detect remote attacks because they look for a malicious process on the device they protect, and in a remote attack that process runs on a different, unprotected machine; on the device whose files are being encrypted, the writes simply arrive over the network as ordinary file-share traffic. Sophos CryptoGuard instead inspects the contents of files for signs of manipulation and encryption. According to Sophos, this approach does not rely on threat signatures, artificial intelligence, or prior knowledge of the attacker, which it argues shifts the balance between attackers and defenders.

Loman recalls that remote encryption first appeared with CryptoLocker in 2013 and that he foresaw it becoming a challenge. Unlike other solutions, CryptoGuard targets the files themselves, applying mathematical scrutiny to detect manipulation and encryption. This file-centric approach raises the cost for attackers and makes it harder for them to encrypt data successfully.

Remote ransomware remains a significant problem for organizations and is one reason ransomware persists as a threat. Groups such as LockBit and Akira also encrypt only portions of each file (partial or intermittent encryption), which renders a file unusable in a fraction of the time full encryption would take and leaves the file as a whole looking less obviously changed. Sophos’ anti-ransomware technology is designed to catch both remote attacks and attacks that encrypt only a fraction of each file, with the aim of letting defenders protect their devices effectively.
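As an added example, here is a minimal file-centric check in the spirit of the approach the article describes: rather than looking for a malicious process, it compares the content of a file before and after a write, block by block, and flags the write when enough blocks have turned from structured data into high-entropy data. The per-block comparison is what lets it catch partial (intermittent) encryption as well as full encryption. This is illustrative code written for this page, not Sophos code and not how CryptoGuard is implemented; the 4 KB block size, the thresholds, the toy XOR stream cipher, the sample document and the every-fourth-block encryption pattern are all constructed assumptions.

```python
"""Illustrative file-centric encryption check (added example, not Sophos code).

Compares a file's content before and after a write, block by block, and flags
the write when enough blocks have turned into high-entropy data. The toy XOR
stream cipher and the sample document are constructed so the script runs
offline; block size and thresholds are assumptions, not product values.
"""
import hashlib
import math
from collections import Counter

BLOCK = 4096  # assumed analysis granularity


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, up to 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes) -> list:
    return [shannon_entropy(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)]


def encryption_verdict(before: bytes, after: bytes, jump: float = 2.0,
                       high: float = 7.0, min_fraction: float = 0.10) -> dict:
    """Per-block before/after comparison.

    A block has 'turned' when its entropy rose by at least `jump` bits and now
    exceeds `high`. The write is flagged when at least `min_fraction` of the
    blocks turned, so an encryptor that touches only every n-th block is still
    caught while a small edit or an appended snippet of text is not.
    """
    eb, ea = block_entropies(before), block_entropies(after)
    total = max(len(eb), len(ea))
    turned = 0
    for i in range(total):
        b = eb[i] if i < len(eb) else 0.0  # block did not exist before the write
        a = ea[i] if i < len(ea) else 0.0  # block was truncated away by the write
        if a - b >= jump and a >= high:
            turned += 1
    fraction = turned / total if total else 0.0
    return {"turned": turned, "total": total, "fraction": round(fraction, 3),
            "suspicious": fraction >= min_fraction}


# --- constructed sample data and a toy cipher (for the demo only) -------------

def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; deterministic so the demo is reproducible. Not a real cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def full_encrypt(data: bytes, key: bytes) -> bytes:
    ks = keystream(key, len(data))
    return bytes(x ^ y for x, y in zip(data, ks))


def intermittent_encrypt(data: bytes, key: bytes, every: int = 4) -> bytes:
    """Encrypt one BLOCK out of every `every` blocks and leave the rest as plaintext.
    A constructed stand-in for partial encryption, not any specific group's layout."""
    ks = keystream(key, len(data))
    out = bytearray(data)
    for start in range(0, len(data), BLOCK * every):
        for j in range(start, min(start + BLOCK, len(data))):
            out[j] ^= ks[j]
    return bytes(out)


_SENTENCES = (b"Quarterly summary: revenue rose four percent on stronger services demand. "
              b"Headcount is flat; two regional offices consolidated their leases in March. "
              b"Action items: refresh the vendor risk register and close the audit findings. ")
SAMPLE_DOC = (_SENTENCES * 2000)[:64 * BLOCK]  # constructed 256 KiB "document"
KEY = b"demo-key-not-secret"


def demo() -> dict:
    """Three writes to the sample document: a normal edit, full encryption, partial encryption."""
    edited = SAMPLE_DOC + (b"Addendum: board minutes attached below. " * 300)[:2 * BLOCK]
    return {
        "legitimate_edit": encryption_verdict(SAMPLE_DOC, edited),
        "full_encryption": encryption_verdict(SAMPLE_DOC, full_encrypt(SAMPLE_DOC, KEY)),
        "partial_encryption": encryption_verdict(SAMPLE_DOC, intermittent_encrypt(SAMPLE_DOC, KEY)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

On the constructed sample, the full and the every-fourth-block encryption are both flagged (64 and 16 of 64 blocks turned), while the appended plaintext addendum is not. The caveat a practitioner should keep in mind is that entropy alone cannot tell encryption from compression: a user who replaces a large document with a zip or an already-encrypted archive would trip the same check, so a production control has to combine this kind of content analysis with other signals and with a way to restore the files it was too late to block.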
