Some of the most prolific and active ransomware groups, including Akira, ALPHV/BlackCat, LockBit, Royal, and Black Basta, are deliberately switching on remote encryption for their attacks, according to the “CryptoGuard: An Asymmetric Approach to the Ransomware Battle” report by Sophos. In remote encryption attacks, also known as remote ransomware, adversaries use a compromised and often under-protected endpoint to encrypt data on other devices connected to the same network.
Remote ransomware
“Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one unprotected device to compromise the entire network. Attackers know this, so they hunt for that one ‘weak spot’—and most companies have at least one. Remote encryption is going to stay a perennial problem for defenders, and, based on the alerts we’ve seen, the attack method is steadily increasing,” said Mark Loman, the vice president of threat research at Sophos, and the co-creator of CryptoGuard, the anti-ransomware technology of Sophos.
Traditional anti-ransomware protection on the devices whose files are encrypted fails to detect remote ransomware, because the encrypting process runs on a different machine: the protected device never sees a malicious process, only the resulting file writes arriving over the network.
CryptoGuard technology
Sophos CryptoGuard technology instead analyses the contents of files as they are written, detecting encrypted data and therefore ransomware activity whether the encrypting process is on the device itself or elsewhere on the network.
“By focusing on the files, we can change the power balance between the attackers and the defenders. We’re increasing the cost and complexity for the attackers to successfully encrypt data so that they will abandon their objectives. This is a part of our asymmetric defense approach strategy,” Loman says.
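As an added illustration of the content-based idea described above (this is not Sophos code, and CryptoGuard's actual heuristics are not described on this page), the following Python sketch decides whether a write on a file server looks like encryption by inspecting only the file contents, so the verdict does not depend on which machine the writing process runs on. The client addresses and sample data are constructed for the example.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: roughly 4-5 for text, close to 8.0 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(before: bytes, after: bytes, threshold: float = 7.2) -> bool:
    """Content-only check: did a write replace readable content with high-entropy data?
    Nothing here depends on the writing process, so it still works when the writer
    is a remote client on another machine."""
    if len(after) < 256:  # entropy estimates on tiny buffers are unreliable
        return False
    ent_after = shannon_entropy(after)
    return ent_after >= threshold and ent_after - shannon_entropy(before) >= 1.0

class RemoteWriteMonitor:
    """Per-client tally of encrypted-looking overwrites on a file server; once a
    client crosses the limit its further writes should be blocked and files restored."""
    def __init__(self, alert_after: int = 3):
        self.alert_after = alert_after
        self.hits = Counter()

    def on_write(self, client: str, before: bytes, after: bytes) -> bool:
        if looks_encrypted(before, after):
            self.hits[client] += 1
        return self.hits[client] >= self.alert_after

# Constructed sample data (hypothetical): a text document and a random blob that
# stands in for its encrypted version. No real ransomware output is used.
PLAINTEXT = b"Quarterly report: revenue grew 4% over the previous period.\n" * 80
_rng = random.Random(7)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(len(PLAINTEXT)))

def run_demo() -> dict:
    """Two remote clients write to the share: one edits text normally, the other
    overwrites files with encrypted-looking content. Returns who tripped the alert."""
    mon = RemoteWriteMonitor(alert_after=3)
    alerted = {"10.0.0.5": False, "10.0.0.7": False}
    for _ in range(4):
        alerted["10.0.0.5"] |= mon.on_write("10.0.0.5", PLAINTEXT, PLAINTEXT + b"\nedited")
        alerted["10.0.0.7"] |= mon.on_write("10.0.0.7", PLAINTEXT, RANDOM_BLOB)
    return alerted
```

A real deployment would also consider compressed formats, which are legitimately high-entropy, before acting on a single write.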