The latest report from cybersecurity company Sophos has revealed that some of the most prolific and active ransomware groups, including Akira, ALPHV/BlackCat, LockBit, Royal and Black Basta, are now switching to remote encryption to attack organizations across the globe.
In the report, titled “CryptoGuard: An Asymmetric Approach to the Ransomware Battle,” Sophos explained that in remote encryption attacks, also known as remote ransomware, adversaries leverage a compromised and often under-protected endpoint to encrypt data on other devices connected to the same network.
The company noted that these attacks are particularly troublesome because traditional anti-ransomware protection methods cannot feasibly detect the malicious files or activity, thus failing to protect the affected devices from unauthorized encryption and potential data loss.
Exploring the weak spot
Speaking on the company's findings, Mark Loman, Vice President of Threat Research at Sophos and co-creator of CryptoGuard, said:
- “Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one under-protected device to compromise the entire network. Attackers know this, so they hunt for that one ‘weak spot’ and most companies have at least one. Remote encryption is going to stay a perennial problem for defenders, and, based on the alerts we’ve seen, the attack method is steadily increasing.”
In 2013, CryptoLocker was the first prolific ransomware to utilize remote encryption with asymmetric encryption, also known as public-key cryptography. Since then, adversaries have been able to escalate the use of ransomware, due to ubiquitous, ongoing security gaps at organizations worldwide and the advent of cryptocurrency.
- “When we first noticed CryptoLocker taking advantage of remote encryption ten years ago, we foresaw that this tactic was going to become a challenge for defenders. Other solutions focus on detecting malicious binaries or execution. In the case of remote encryption, the malware and execution reside on a different computer (unprotected) than the one having the files encrypted. The only way to stop it is by watching the files and protecting them. That’s why we innovated CryptoGuard,” said Loman.
Loss to ransomware attacks rising
Data from cryptocurrency trading firm Chainalysis showed that ransomware victims paid ransomware groups $449.1 million in the first six months of this year. Throughout 2022, the amount paid was less than $500 million.
If this year’s pace of payments continues, according to the company’s data, the total figure for 2023 could hit $898.6 million.
This would make 2023 the second biggest year for ransomware revenue after 2021, in which Chainalysis calculates that attackers extorted $939.9 million from victims.
However, Sophos believes that organizations can leverage CryptoGuard to strengthen their defence against ransomware attacks. It added that the technology does not hunt for ransomware; instead, it zeroes in on the primary targets, the files.