Intelligent Tech Channels Issue 72 | Page 12

SECURITY NEWS
Active ransomware groups using remote encryption for attacks, finds Sophos

Sophos, a global vendor in innovating and delivering cybersecurity as a service, released a report, titled CryptoGuard: An Asymmetric Approach to the Ransomware Battle, which found that some of the most prolific and active ransomware groups, including Akira, ALPHV/BlackCat, LockBit, Royal and Black Basta, are deliberately switching on remote encryption for their attacks. In remote encryption attacks, also known as remote ransomware, adversaries leverage a compromised and often underprotected endpoint to encrypt data on other devices connected to the same network.
Sophos CryptoGuard is the anti-ransomware technology that Sophos acquired in 2015 and is included in all Sophos Endpoint licences. CryptoGuard monitors for the malicious encryption of files and provides immediate protection and rollback capabilities, including when the ransomware itself never appears on a protected host.
The unique anti-ransomware technology is a last line of defence in Sophos' layered endpoint protection, only activating if an adversary triggers it later in the attack chain. CryptoGuard has detected a 62% year-over-year increase in intentional remote encryption attacks since 2022.
“Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one underprotected device to compromise the entire network. Attackers know this, so they hunt for that one weak spot, and most companies have at least one. Remote encryption is going to stay a perennial problem for defenders and, based on the alerts we've seen, the attack method is steadily increasing,” said Mark Loman, Vice President, Threat Research at Sophos, and co-creator of CryptoGuard.
Since this type of attack encrypts files over the network, traditional anti-ransomware protection deployed on the device that holds the files never sees the malicious binary or its process activity, and so fails to protect those files from unauthorised encryption and potential data loss.
In 2013, CryptoLocker was the first prolific ransomware to utilise remote encryption with asymmetric encryption, also known as public-key cryptography. Since then, adversaries have been able to escalate the use of ransomware, due to ubiquitous, ongoing security gaps at organisations worldwide and the advent of cryptocurrency.
“When we first noticed CryptoLocker taking advantage of remote encryption ten years ago, we foresaw that this tactic was going to become a challenge for defenders. Other solutions focus on detecting malicious binaries or execution. In the case of remote encryption, the malware and execution reside on a different, unprotected computer than the one having the files encrypted. The only way to stop it is watching the files and protecting them. That is why we innovated CryptoGuard,” said Loman.
CryptoGuard does not hunt for ransomware; instead, it zeroes in on the primary targets, the files. It applies mathematical scrutiny to documents, detecting signs of manipulation and encryption. Notably, this autonomous strategy deliberately does not depend on indicators of breach, threat signatures, artificial intelligence, cloud lookups or prior knowledge to be effective.

Mark Loman, Vice President, Threat Research at Sophos, and co-creator of CryptoGuard
By focusing on the files, we can change the power balance between the attackers and the defenders. We are increasing the cost and complexity for the attackers to successfully encrypt data, so that they will abandon their objectives. This is a part of our asymmetric defence strategy.
Remote ransomware is a prominent problem for organisations, and it is contributing to the longevity of ransomware in general. Given that reading data over a network connection is slower than from a local disk, we have seen attackers like LockBit and Akira strategically encrypt only a fraction of each file. This approach aims to maximise impact in minimal time, further reducing the window for defenders to notice the attack and respond. Sophos' approach to anti-ransomware technology stops both remote attacks and those that encrypt just 3% of a file.
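The two points above, that a defence against remote ransomware has to inspect the files themselves on the host that holds them, and that intermittent encryption of as little as 3% of a file must still be caught, can be illustrated with a small added example. This is not Sophos code and does not claim to reproduce CryptoGuard, whose file analysis is not public; it is a generic file-centric heuristic. It builds a constructed low-entropy document, simulates an attacker who overwrites only the first 3% of it (random bytes stand in for ciphertext), and compares a whole-file entropy test with a windowed one. The window size, the 7.5 bits/byte threshold and the sample document are assumptions chosen for the demo.

```python
"""Added example: windowed-entropy detection of intermittent file encryption.

Not Sophos/CryptoGuard code. A file-centric check of the kind a defender could
run on the machine that stores the files, which is the one a remote-encryption
attacker never executes code on. Thresholds and sizes are demo assumptions.
"""
import math
import random
from collections import Counter

WINDOW_BYTES = 4096   # analysis window size (assumption)
HIGH_ENTROPY = 7.5    # bits/byte; ciphertext and random data sit near 8.0 (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def make_sample_document(size: int = 256 * 1024) -> bytes:
    """Constructed low-entropy plaintext standing in for an office document."""
    line = b"The quick brown fox jumps over the lazy dog. Invoice 2023-Q4 attached.\n"
    return (line * (size // len(line) + 1))[:size]


def intermittent_encrypt(plain: bytes, fraction: float, seed: int = 7) -> bytes:
    """Simulate intermittent encryption of the leading `fraction` of a file.

    Seeded random bytes stand in for ciphertext (statistically equivalent for
    this check); the remainder of the file is left untouched, as an attacker
    trading completeness for speed over a network link would do.
    """
    n = int(len(plain) * fraction)
    rng = random.Random(seed)  # seeded so the demo is reproducible
    cipher_stub = bytes(rng.getrandbits(8) for _ in range(n))
    return cipher_stub + plain[n:]


def windowed_scan(data: bytes, window: int = WINDOW_BYTES,
                  threshold: float = HIGH_ENTROPY) -> list:
    """Return (offset, entropy) for every fixed-size window at or above threshold."""
    hits = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def assess(data: bytes) -> dict:
    """Run a whole-file entropy test and a windowed test over the same bytes."""
    whole = shannon_entropy(data)
    hits = windowed_scan(data)
    return {
        "whole_file_entropy": round(whole, 2),
        "whole_file_flagged": whole >= HIGH_ENTROPY,
        "high_entropy_windows": hits,
        "windowed_flagged": bool(hits),
    }


if __name__ == "__main__":
    doc = make_sample_document()
    hit = intermittent_encrypt(doc, fraction=0.03)  # only 3% of the file is touched
    print("clean document :", assess(doc))
    print("3% encrypted   :", assess(hit))
```

On the constructed document the whole-file entropy of the 3%-encrypted copy stays far below the threshold, because 97% of the bytes are still plaintext, so a whole-file check reports it as clean; the windowed scan flags the first two 4 KiB windows at offsets 0 and 4096. Two caveats for real use: natively compressed formats (zip-based Office files, JPEG, PDF streams) are high-entropy when healthy, so a production check has to pair entropy with format-structure and magic-byte validation and with context such as which network client wrote the file; and a deterministic scan like this is trivially tuned against, which is one reason the article stresses not relying on a single fixed signal.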
www.intelligenttechchannels.com