Major ransomware groups are increasingly using remote encryption in their attacks. Also called remote ransomware, this form of cybercrime has increased 62 per cent year-on-year
This is according to data from Sophos. The groups Akira, ALPHV/BlackCat, LockBit, Royal and Black Basta are now using remote encryption more. In doing so, they abuse a compromised and often insufficiently protected endpoint. Through that endpoint, the ransomware technique encrypts data on other devices on the same network. Initial access can be via an endpoint such as a PC, but also, for example, via a server or smartphone.
Looking for the one weak point
Typically, hacker groups try to install ransomware directly on machines they want to encrypt. However, if such a first attempt is blocked, they do not give up immediately. They look for new methods to get in. When hackers successfully attack a company’s endpoint, they have found their entry point. All these activities – getting in, executing the payload and encryption – manage to bypass the security mechanisms. It may be possible to detect suspicious behaviour, such as moving data between endpoints.
Sophos sees significant differences between managed and unmanaged devices. For example, four out of five remote encryption cases would start at unmanaged devices on an enterprise network. Some even start at endpoints with too few security mechanisms in place. These devices do not have enough protection to thwart an attack.
For hackers, remote ransomware is very interesting because of its scalability. One unmanaged or inadequately secured endpoint can be the entry point to infest a company’s entire IT infrastructure with remote encryption. Even if all other devices use high-end security tools, one weak endpoint is a significant risk factor.
Rise of remote ransomware
Sophos now notes significant year-over-year growth in remote ransomware. The increase is 62 per cent. Sophos bases this figure on activity collected by its anti-ransomware CryptoGuard. CryptoGuard monitors malicious encryption of files.
Previously, however, the technique was much less popular. CryptoLocker was the first known ransomware family to use remote encryption in 2013. “Since then, adversaries have been able to escalate the use of ransomware, due to ubiquitous, ongoing security gaps at organizations worldwide and the advent of cryptocurrency,” Sophos describes. “Given that reading data over a network connection is slower than from a local disk, we have seen attackers, like LockBit and Akira, strategically encrypt only a fraction of each file. This approach aims to maximize impact in minimal time, further reducing the window for defenders to notice the attack and respond.”
Tip: Veeam 23H2 update adds malware detection and Sophos partnership