Attacks from remote ransomware rise by 62 percent

Sophos has unveiled findings in its latest report, titled “CryptoGuard: An Asymmetric Approach to the Ransomware Battle,” indicating that several prominent ransomware groups, including Akira, ALPHV/BlackCat, LockBit, Royal, Black Basta, are deliberately activating remote encryption during their attacks.

The study reveals a 62% annual rise in the use of remote ransomware, as observed through attacks detected and thwarted by Sophos CryptoGuard Technology.

Remote encryption attacks, also termed remote ransomware, involve attackers exploiting compromised and often inadequately protected endpoints to encrypt data on other connected devices within the same network. Sophos CryptoGuard, an anti-ransomware technology acquired by Sophos in 2015 and included in all Sophos Endpoint licenses, acts as a crucial safeguard. Monitoring malicious encryption, CryptoGuard offers immediate protection and rollback capabilities, even in cases where the ransomware doesn’t manifest on a protected host. The technology detected a substantial 62% year-over-year increase in intentional remote encryption attacks since 2022.

Mark Loman, Vice President of Threat Research at Sophos and co-creator of CryptoGuard, emphasizes the vulnerability posed by one under-protected device within a network, making the entire system susceptible to compromise. Recognizing the persistence and growth of remote encryption attacks, Loman emphasizes the necessity for defenders to address this perennial issue.

Read Also: Dell Technologies Revenue Up 9 Percent In Q2 2022

Unlike traditional anti-ransomware methods that may overlook remote devices, Sophos CryptoGuard takes an innovative approach. By analyzing file contents to identify encrypted data, the technology can detect ransomware activity on any device within a network, even in the absence of malware on the device.

The report traces the evolution of remote encryption back to CryptoLocker in 2013, which pioneered the use of asymmetric encryption (public-key cryptography). Over the years, ransomware adversaries have capitalized on ongoing security gaps globally and the rise of cryptocurrency, leading to an escalation in the use of ransomware.

Loman notes that the unique approach of CryptoGuard focuses on files rather than ransomware itself. By scrutinizing documents mathematically for signs of manipulation and encryption, CryptoGuard disrupts the attackers’ objectives, increasing the cost and complexity of successfully encrypting data. This asymmetric defense strategy aims to shift the power balance in favor of defenders.

Highlighting the challenges posed by these kind of attacks, the report points out that reading data over a network connection is slower than from a local disk. Some attackers strategically encrypt only a fraction of each file, as observed in tactics employed by groups like LockBit and Akira, intending to maximize impact in minimal time. Sophos’ anti-ransomware technology, however, is designed to thwart both remote attacks and those targeting a minimal percentage of a file, providing defenders with comprehensive protection and insights into these persistent attack methods.