SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Sophos reports spike in ransomware groups using remote encryption
Fri, 5th Jan 2024

Sophos has released a revealing report titled 'CryptoGuard: An Asymmetric Approach to the Ransomware Battle'. The report brings to light the trend of some of the most active and prolific ransomware groups intentionally switching on remote encryption for their attacks. Notable among these groups are Akira, ALPHV/BlackCat, LockBit, Royal, and Black Basta.

The report describes remote encryption attacks, also called remote ransomware, as attacks in which adversaries use a compromised, often inadequately protected endpoint to encrypt data on other devices within the same network.

The CryptoGuard anti-ransomware technology, included in all Sophos Endpoint licences, monitors for this malicious encryption, blocks it and can roll back affected files. It engages only late in the attack chain, once an adversary has actually begun encrypting.

The data acquired by CryptoGuard shows a significant 62% annual increase in intentional remote encryption attacks since 2022.

According to Mark Loman, the vice president of threat research at Sophos and the co-creator of CryptoGuard, "Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one under-protected device to compromise the entire network."

"Attackers know this, so they hunt for that one weak spot and most companies have at least one. Remote encryption is going to stay a perennial problem for defenders, and, based on the alerts we've seen, the attack method is steadily increasing."

Traditional anti-ransomware protection fails to shield remote devices from these attacks because it typically looks for malicious files or their activity, and on the device whose files are being encrypted there are none to find. CryptoGuard instead observes changes in file contents to determine whether data has been encrypted, which signals ransomware activity. This works even when no malware is present on the device itself.

The report traces the origin of remote encryption to circa 2013 when CryptoLocker employed it along with asymmetric encryption, also known as public-key cryptography.

"When we first noticed CryptoLocker taking advantage of remote encryption 10 years ago, we foresaw that this tactic was going to become a challenge for defenders. Other solutions focus on detecting malicious binaries or execution. In the case of ransomware using remote encryption, the malware and execution reside on a different computer (unprotected) than the one having the files encrypted. The only way to stop it is by watching the files and protecting them. That's why we innovated CryptoGuard," explained Loman.

CryptoGuard focuses not on the ransomware but on the files, which are the actual targets of the attack. It applies mathematical analysis to documents to detect whether their contents have been altered or encrypted.

Rather than relying on breach indicators, threat signatures, artificial intelligence, cloud lookups or prior knowledge, it watches the files themselves. This turns the tables on attackers by raising the cost and complexity of encrypting data, and so discourages them from doing it. Sophos describes this as part of its asymmetric defence strategy.
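To make the file-centric idea concrete, the following is an added example written for this article, not Sophos code: the report does not describe CryptoGuard's actual analysis, so the heuristic here (Shannon entropy plus a compressibility check, compared before and after a write) is our own assumption of what content-based encryption detection can look like. The sample document, the "normal edit" and the pseudo-random stand-in for ciphertext are all constructed inline; no cipher is implemented.

```python
"""
Illustrative content-based encryption detector (added example, not Sophos code).

Idea from the article: in a remote-encryption attack the malicious binary runs
on another, unprotected machine, so the protected host has nothing to scan.
Instead, watch the files and judge from the *change in content* whether a
write looks like encryption. The thresholds below are assumptions for
illustration, not figures from the report.
"""
import math
import random
import zlib
from collections import Counter
from dataclasses import dataclass


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """Compressed size / original size; ciphertext and random data stay near 1.0."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


@dataclass
class Verdict:
    suspicious: bool
    entropy_before: float
    entropy_after: float
    ratio_after: float
    reason: str


def assess_write(before: bytes, after: bytes,
                 entropy_floor: float = 7.5,
                 entropy_jump: float = 1.5,
                 ratio_floor: float = 0.95) -> Verdict:
    """
    Decide whether overwriting `before` with `after` looks like encryption.

    All three conditions must hold to flag the write:
      * the new content is close to maximum entropy,
      * it is essentially incompressible (rules out ordinary text edits), and
      * entropy *rose* sharply relative to the old content, so files that were
        already high-entropy (archives, images, existing ciphertext) are not
        flagged on every legitimate rewrite.
    """
    e_before = shannon_entropy(before)
    e_after = shannon_entropy(after)
    ratio = compression_ratio(after)

    if e_after < entropy_floor:
        reason = "new content has structure; not ciphertext-like"
    elif ratio < ratio_floor:
        reason = "new content compresses well; not ciphertext-like"
    elif e_after - e_before < entropy_jump:
        reason = "file was already high-entropy before the write"
    else:
        return Verdict(True, e_before, e_after, ratio,
                       "low-entropy document replaced by incompressible, near-random bytes")
    return Verdict(False, e_before, e_after, ratio, reason)


# --- constructed sample data (not taken from any real incident) -------------
def sample_document() -> bytes:
    """A plausible office-style text file: repetitive, low entropy."""
    line = b"Quarterly figures: revenue up 4%, costs flat, headcount 212.\n"
    return line * 64


def simulated_ciphertext(length: int, seed: int = 1) -> bytes:
    """Stand-in for encrypted output: seeded pseudo-random bytes, so the
    example is deterministic. No cipher is implemented here."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def legitimate_edit(doc: bytes) -> bytes:
    """A normal save: the same text with one line appended."""
    return doc + b"Note: Q3 forecast revised upward.\n"


if __name__ == "__main__":
    doc = sample_document()
    for label, new in [("normal edit", legitimate_edit(doc)),
                       ("encrypted overwrite", simulated_ciphertext(len(doc)))]:
        v = assess_write(doc, new)
        print(f"{label:20s} suspicious={v.suspicious} "
              f"H={v.entropy_before:.2f}->{v.entropy_after:.2f} "
              f"zlib={v.ratio_after:.2f}  {v.reason}")
    # An archive-like file rewritten with other random-looking data is *not*
    # flagged, because its entropy did not jump.
    archive = simulated_ciphertext(4096, seed=2)
    print("archive rewrite      suspicious=",
          assess_write(archive, simulated_ciphertext(4096, seed=3)).suspicious)
```

The before/after comparison is the point that matters for a defender: high entropy alone would flag every save of a zip or JPEG, whereas a low-entropy document that suddenly becomes incompressible near-random bytes is a much narrower signal. In a real product this check would be driven by file-system write events and paired with a copy of the pre-write content so the file can be rolled back, which is the behaviour the article attributes to CryptoGuard.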

The report closes by discussing the sustained gravity of remote ransomware attacks. Noting the strategies attackers use to maximise impact in the least amount of time, it emphasises the need for proper protection against this persistent attack method, and expresses the hope that the study will give defenders the insight they need to protect their devices more effectively.