Ransomware attacks: via remote device into the network


Successful ransomware groups are increasingly switching to remote encryption, according to Sophos' latest CryptoGuard report. The problem: traditional anti-ransomware protection does not “see” the disaster coming and is ineffective against it. This type of attack has increased by 62 percent.

Sophos has published its new report “CryptoGuard: An Asymmetric Approach to the Ransomware Battle” with the evaluations of its CryptoGuard defense technology. The most successful and active ransomware groups, such as Akira, ALPHV/BlackCat, LockBit, Royal and Black Basta, are deliberately switching to remote encryption for their attacks. With this so-called “remote ransomware,” cybercriminals use a compromised and often poorly protected device to encrypt data on other devices connected to the same network.

Multi-level endpoint protection deters attackers

CryptoGuard anti-ransomware technology monitors for malicious file encryption and provides immediate protection plus a rollback function, even if the ransomware itself never appears on the protected host. This technology is the last line of defense in Sophos' multi-layered endpoint protection. There has been a 62 percent growth in remote attacks since 2022.

Mark Loman, vice president of threat research at Sophos, said: “Companies today can have thousands of well-secured computers, but with remote ransomware, all it takes is one unprotected device to compromise the entire network. Attackers know this and are specifically looking for this one vulnerability - and most companies have at least one. Remote encryption will remain a persistent problem and, given the warnings, this attack method is growing.”

Traditional anti-ransomware measures do not detect remote activity

The problem with remote encryption is that the ransomware process runs on a different, unprotected machine than the one whose files are being encrypted. Traditional anti-ransomware measures on the device that holds the files therefore never see a malicious file or process, and cannot protect against the encryption or the resulting data loss. CryptoGuard technology takes a different approach: it analyzes the contents of files to check whether data has been encrypted. This detects ransomware activity on every device across the network - even when there is no malware on that device.

CryptoLocker, which appeared in 2013, is considered the first successful ransomware to combine remote encryption with asymmetric encryption (also known as public-key cryptography). Since then, attackers have steadily escalated their use of ransomware. The reasons: constant, pervasive security vulnerabilities in organizations worldwide and the emergence of cryptocurrencies.

Modern ransomware defense relies on asymmetric defense

“When we first saw CryptoLocker exploiting remote encryption ten years ago, we knew this tactic would be a defense challenge for years to come. Many solutions focus on detecting malicious binaries or their execution. However, in the case of remote encryption, these steps occur on a different (unprotected) computer than the one whose files are being encrypted. The only way to stop this is to closely monitor and protect files.

“That's why we developed CryptoGuard. This solution doesn't just look for ransomware, but it focuses on the primary targets - the files. It uses mathematical checking on documents to detect signs of tampering or encryption. Notably, this autonomous strategy deliberately does not rely on breach indicators, threat signatures, artificial intelligence, cloud lookups, or prior knowledge to be effective. By focusing on the files, we influence the balance of power between attack and defense. We increase the cost and complexity of successful data encryption for attackers so that they give up their goal. This is part of our asymmetric defense approach,” explains Loman.

Effective defense stops remote attacks plus partial data encryption

“Remote ransomware is a known problem for organizations and contributes to the longevity of ransomware in general. Since reading data over a network connection is slower than from a local hard drive, we have seen attackers like LockBit or Akira strategically encrypt only part of a file. This principle strives for maximum effect in minimum time, and it also reduces the window for defenders to notice the attack and react. The Sophos approach to anti-ransomware technology stops both the remote attack and partial file encryption,” said Loman.
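The article describes content-based detection (checking the files themselves for signs of encryption, independent of where the writing process runs) and the partial-encryption trick that shortens the defender's window. The following Python is an added illustration of that idea, not Sophos' CryptoGuard code; the report does not say which "mathematical checking" Sophos uses, so this example assumes per-chunk Shannon entropy with a constructed threshold of 7.5 bits per byte. The sample inputs (an English-like document, a random-byte stand-in for ciphertext, and a copy of the document with every other 4 KiB chunk overwritten) are constructed for the example.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096
# Constructed threshold for this example (not a Sophos value): uniformly
# random or well-encrypted bytes approach 8.0 bits of entropy per byte,
# while text, office documents and most structured data sit far lower.
ENCRYPTED_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE, min_chunk: int = 256) -> list[float]:
    """Entropy per fixed-size chunk, so that partially encrypted files stand out.

    A tiny trailing chunk is ignored: its entropy can never exceed log2(len),
    so it would bias the verdict toward 'plain'.
    """
    entropies = []
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        if len(chunk) < min_chunk and entropies:
            break
        entropies.append(shannon_entropy(chunk))
    return entropies


def classify(data: bytes, chunk_size: int = CHUNK_SIZE, threshold: float = ENCRYPTED_ENTROPY) -> dict:
    """Classify content as 'plain', 'partial' or 'encrypted' from per-chunk entropy.

    'partial' is the intermittent-encryption pattern the article attributes to
    LockBit and Akira: only some chunks of the file are overwritten with ciphertext.
    """
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return {"verdict": "empty", "chunks": 0, "high_entropy_chunks": 0}
    high = sum(1 for e in ents if e >= threshold)
    if high == 0:
        verdict = "plain"
    elif high == len(ents):
        verdict = "encrypted"
    else:
        verdict = "partial"
    return {
        "verdict": verdict,
        "chunks": len(ents),
        "high_entropy_chunks": high,
        "max_entropy": round(max(ents), 2),
    }


def build_samples() -> dict[str, bytes]:
    """Constructed inputs for the example; not files from any real incident."""
    sentence = b"Quarterly figures and meeting notes for the finance team. "
    total = CHUNK_SIZE * 8
    text = (sentence * (total // len(sentence) + 1))[:total]      # 8 full chunks of text
    noise = random.Random(2024).randbytes(total)                   # stands in for ciphertext
    # Intermittent encryption: every other 4 KiB chunk replaced by ciphertext.
    partial = bytearray(text)
    for i in range(1, 8, 2):
        partial[i * CHUNK_SIZE:(i + 1) * CHUNK_SIZE] = noise[i * CHUNK_SIZE:(i + 1) * CHUNK_SIZE]
    return {"plain": text, "encrypted": noise, "partial": bytes(partial)}


def scan_file(path: str) -> dict:
    """Run the same classification over a file on disk."""
    with open(path, "rb") as fh:
        return classify(fh.read())


if __name__ == "__main__":
    for name, content in build_samples().items():
        print(name, classify(content))
```

Two caveats matter in practice. Legitimately compressed or already-encrypted formats (zip, jpeg, encrypted archives) also score close to 8 bits per byte, so a deployable check compares a file's state before and after a write, or watches the write pattern, rather than judging a single snapshot in isolation. And the per-chunk view is what catches the partial-encryption case the article mentions: a whole-file average of the `partial` sample would land around 6 bits and could slip under a naive threshold, while the chunk view reports four fully high-entropy regions.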

More at Sophos.com


About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.
