Sophos CryptoGuard, the anti-ransomware technology acquired by the cybersecurity solutions provider in 2015, has detected a 62% year-over-year increase in intentional remote encryption attacks, also known as remote ransomware, since 2022.
The latest report from Sophos highlights the deliberate shift of the most active ransomware groups, such as Akira, ALPHV/BlackCat, LockBit, Royal, and Black Basta, toward using remote encryption in their attacks. In remote ransomware, cybercriminals exploit compromised, often underprotected endpoints to encrypt data on other devices connected to the same network.
“Attackers are aware that among the companies’ complex network, there will always be one underprotected device that can compromise the entire system,” explained Mark Loman, vice president of Threat Research at Sophos, and the co-creator of CryptoGuard. “They hunt for that one ‘weak spot’.”
Loman added that remote encryption is becoming an enduring challenge for defenders and, based on the escalating alerts observed, this attack method is steadily increasing.
CryptoGuard
CryptoGuard actively monitors malicious file encryption and provides immediate protection and rollback capabilities, even when the ransomware itself doesn’t appear on a protected host. This unique anti-ransomware technology serves as a final layer of defense within Sophos’ comprehensive endpoint protection, activating only when triggered by an adversary later in the attack chain.
Sophos emphasized that traditional anti-ransomware protection might no longer be effective against remote ransomware attacks due to their use of remote encryption, which is designed to evade detection by keeping malicious files and activities invisible.
CryptoGuard is specifically engineered to counter remote ransomware by offering enhanced visibility and the ability to analyze data across any networked device.
“CryptoGuard does not hunt for ransomware,” Loman said. “Instead, it zeroes in on the primary targets, which are the files. It applies mathematical scrutiny to documents, detecting signs of manipulation and encryption. By focusing on the files, we can change the power balance between the attackers and the defenders. We’re increasing the cost and complexity for the attackers to successfully encrypt data so that they will abandon their objectives. This is a part of our asymmetric defense approach strategy.”