Ransomware attacks: via remote device into the network


Successful ransomware groups are increasingly switching to remote encryption, according to Sophos' latest CryptoGuard report. The problem: traditional anti-ransomware protection does not “see” the disaster coming and is ineffective. The type of attack has increased by 62 percent.

Sophos has published its new report “CryptoGuard: An Asymmetric Approach to the Ransomware Battle” with the evaluations of its CryptoGuard defense technology. The most successful and active ransomware groups such as Akira, ALPHV/ BlackCat, LockBit, Royal or Black Basta are consciously switching to remote encryption for their attacks. With this so-called “remote ransomware,” cybercriminals use a compromised and often poorly protected device to encrypt data on other devices connected to the same network.

Multi-level endpoint protection deters attackers

CryptoGuard anti-ransomware technology monitors for malicious file encryption and provides immediate protection plus a reset function, even if the ransomware itself never appears on a protected host. This technology is the final line in Sophos' multi-layered endpoint protection. Remote attacks have grown by 62 percent since 2022.

Mark Loman, vice president of threat research at Sophos, said: “Companies today can have thousands of well-secured computers, but with remote ransomware, all it takes is one unprotected device to compromise the entire network. Attackers know this and are specifically looking for this one vulnerability - and most companies have at least one. Remote encryption will remain a persistent problem and, given the warnings, this attack method is growing.”

Traditional anti-ransomware measures do not detect remote activity

The problem with this remote encryption is that the traditional anti-ransomware protection measures running on the remote devices cannot detect these malicious files or their activities and therefore cannot protect against encryption or data loss. CryptoGuard technology uses a novel approach: it analyzes the contents of files to check whether any data has been encrypted. It detects ransomware activity on every device across the network - even if there is no malware on the device.

CryptoLocker, which appeared in 2013, is considered the first successful ransomware to use asymmetric encryption (also known as public-key cryptography) for remote encryption. Since then, attackers have steadily escalated their use of ransomware. The reasons: persistent, pervasive security vulnerabilities in organizations worldwide and the emergence of cryptocurrencies.

Modern ransomware defense relies on asymmetric defense

“When we first saw CryptoLocker exploiting remote encryption ten years ago, we knew this tactic would be a defense challenge for years to come. Many solutions focus on detecting malicious binary programs or their execution. However, in the case of remote encryption, these steps occur on a different (unprotected) computer than the one whose files are being encrypted. The only way to stop this is to closely monitor and protect files.

That's why we developed CryptoGuard. This solution doesn't just look for ransomware, but it focuses on the primary targets - the files. It uses mathematical checking on documents to detect signs of tampering or encryption. Notably, this autonomous strategy deliberately does not rely on breach indicators, threat signatures, artificial intelligence, cloud lookups, or prior knowledge to be effective. By focusing on the files, we influence the balance of power between attack and defense. We increase the cost and complexity of successful data encryption for attackers so that they give up their goal. This is part of our asymmetric defense approach,” explains Loman.

Effective defense stops remote attacks plus partial data encryption

“Remote ransomware is a known problem for organizations and contributes to the longevity of ransomware in general. Since reading data over a network connection is slower than from a local hard drive, we have seen attackers like LockBit or Akira strategically encrypt only part of a file. This principle strives for maximum effect in minimum time, and it also reduces the window for defenders to notice the attack and react. The Sophos approach to anti-ransomware technology stops both the remote attack and partial file encryption,” said Loman.
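The two points above (detecting encryption from file contents alone, and catching partial encryption) can be illustrated with a content-based check. The following is an added example written for this article, not CryptoGuard code and not Sophos' actual "mathematical checking": it scores a file's bytes by Shannon entropy per chunk, so that a file in which only the first 4 KiB has been overwritten with ciphertext-like data is still flagged even though its whole-file entropy stays low. The sample document and the pseudo-random bytes standing in for ciphertext are constructed here; a real detector must also handle legitimately high-entropy formats (archives, images, already-encrypted containers), which plain entropy cannot distinguish from ransomware output.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096       # scan granularity; small enough to catch partial encryption
HIGH_ENTROPY = 7.0      # bits per byte; ciphertext and compressed data sit near 8.0

# Constructed sample document: 256 lines of 64 bytes = 16 KiB, exactly 4 chunks.
SAMPLE_DOC = b"Quarterly report: revenue grew 12 percent; see attached tables.\n" * 256


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_chunks(data: bytes, chunk_size: int = CHUNK_SIZE,
                      threshold: float = HIGH_ENTROPY) -> list:
    """Indices of chunks whose entropy looks like ciphertext.

    Scoring per chunk is what catches partial encryption: a whole-file score
    averages a few encrypted kilobytes away against the untouched plaintext.
    """
    offsets = range(0, len(data), chunk_size)
    return [i for i, off in enumerate(offsets)
            if shannon_entropy(data[off:off + chunk_size]) >= threshold]


def looks_encrypted(data: bytes) -> bool:
    """True if any chunk of the file crosses the entropy threshold."""
    return bool(suspicious_chunks(data))


def make_partially_encrypted(doc: bytes, n: int = CHUNK_SIZE, seed: int = 7) -> bytes:
    """Constructed test input: overwrite the first n bytes with seeded
    pseudo-random bytes as a stand-in for ciphertext (this is not an
    encryptor; it only models what partial encryption leaves on disk)."""
    rng = random.Random(seed)
    noise = bytes(rng.getrandbits(8) for _ in range(min(n, len(doc))))
    return noise + doc[len(noise):]


if __name__ == "__main__":
    partial = make_partially_encrypted(SAMPLE_DOC)
    print("clean doc   whole-file entropy: %.2f  flagged chunks: %s"
          % (shannon_entropy(SAMPLE_DOC), suspicious_chunks(SAMPLE_DOC)))
    print("partial enc whole-file entropy: %.2f  flagged chunks: %s"
          % (shannon_entropy(partial), suspicious_chunks(partial)))
```

For the partially encrypted sample, the whole-file entropy stays below the threshold while chunk 0 alone is flagged, which is the difference between a detector that only sees the whole file and one that inspects writes at chunk granularity.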

More at Sophos.com

About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and they offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.
