Successful ransomware groups are increasingly switching to remote encryption, according to Sophos' latest CryptoGuard report. The problem: traditional anti-ransomware protection does not “see” the disaster coming and is ineffective. The type of attack has increased by 62 percent.
Sophos has published its new report “CryptoGuard: An Asymmetric Approach to the Ransomware Battle” with the evaluations of its CryptoGuard defense technology. The most successful and active ransomware groups such as Akira, ALPHV/ BlackCat, LockBit, Royal or Black Basta are consciously switching to remote encryption for their attacks. With this so-called “remote ransomware,” cybercriminals use a compromised and often poorly protected device to encrypt data on other devices connected to the same network.
Multi-level endpoint protection deters attackers
CryptoGuard anti-ransomware technology monitors for malicious file encryption and provides immediate protection plus a reset function, even if the ransomware itself does not appear on a protected host. This technology is the final line in Sophos' multi-layered endpoint protection. There has been a 2022 percent growth in remote attacks since 62.
Mark Loman, vice president of threat research at Sophos, said: “Companies today can have thousands of well-secured computers, but with remote ransomware, all it takes is one unprotected device to compromise the entire network. Attackers know this and are specifically looking for this one vulnerability - and most companies have at least one. “Remote encryption will remain a persistent problem and given the warnings, this attack method is growing.”
Traditional anti-ransomware measures do not detect remote activity
The problem with this remote encryption is that the traditional anti-ransomware protection measures running on the remote devices cannot detect these malicious files or their activities and therefore cannot protect against encryption or data loss. CryptoGuard technology uses a novel approach: it analyzes the contents of files to check whether any data has been encrypted. It detects ransomware activity on every device across the network - even if there is no malware on the device.
CryptoLocker is considered the first successful ransomware, used for remote encryption with asymmetric encryption (also known as public-key cryptography) in 2013. Since then, attackers have been able to escalate the use of ransomware. Reason: constant, pervasive security vulnerabilities in organizations worldwide and the emergence of cryptocurrencies.
Modern ransomware defense relies on asymmetric defense
“When we first saw CryptoLocker exploiting remote encryption ten years ago, we knew this tactic would be a defense challenge for years to come. Many solutions focus on detecting malicious binary programs or executing them. However, in the case of remote encryption, these steps occur on a different (unprotected) computer than the one whose files are being encrypted. The only way to stop this is to closely monitor and protect files.
That's why we developed CryptoGuard. This solution doesn't just look for ransomware, but it focuses on the primary targets - the files. It uses mathematical checking on documents to detect signs of tampering or encryption. Notably, this autonomous strategy deliberately does not rely on breach indicators, threat signatures, artificial intelligence, cloud lookups, or prior knowledge to be effective. By focusing on the files, we influence the balance of power between attack and defense. We increase the cost and complexity of successful data encryption for attackers so that they give up their goal. This is part of our asymmetric defense approach,” explains Loman.
Effective defense stops remote attacks plus partial data encryption
“Remote ransomware is a known problem for organizations and contributes to the longevity of ransomware in general. Since reading data over a network connection is slower than from local hard drive, we have seen attackers like LockBit or Akira strategically encrypt only part of a file. This principle strives for maximum effect in minimum time, and it also reduces the window for defenders to notice the attack and react. The Sophos approach to anti-ransomware technology stops both the remote attack and partial file encryption,” said Loman.
More at Sophos.com
About Sophos More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.