Weak link for extortion: a surge in remote encryption attacks was recorded in corporate networks

Sophos experts are sounding the alarm — just one vulnerable device can destroy the data of the entire organization.

Security experts at Sophos are recording a new trend in the behaviour of ransomware groups.

Recent data indicates a massive shift by hackers to the use of so-called "remote data encryption" (Remote Encryption) in corporate networks. This method allows attackers to encrypt data on all devices on the network, using only one compromised device as an entry point.

Remote encryption, as the name suggests, occurs when a compromised endpoint is used to encrypt data on other devices on the same network. This is usually possible when writable network shares are reachable from all of the organization's computers.

The malware runs only on the weakest device, and from there it encrypts every shared file it can reach. None of the other computers on the network reacts to this process, because the encrypted files written to them contain no malicious code and no malicious process ever runs on them. Users only discover after the fact that their data can no longer be accessed.

Mark Loman, vice president of threat research at Sophos, highlights the severity of this threat: "Just one unprotected device on the network is enough to encrypt data on all the others." The attackers' advantage is that this approach leaves standard endpoint-based incident detection powerless: the machines whose files are encrypted see nothing to detect.
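As an added example (not from the Sophos report or this article), a defender-side check for the pattern described above: because the encrypting process never runs on the victim machines, the one place it is visible is the file server's share audit trail, where a single remote host rewrites many files across several shares within seconds. The audit record format and the `.locked` suffix used in the constructed sample are assumptions, not values from the page.

```python
"""Flag the remote-encryption pattern in file-share audit records.

Assumes (constructed) records of the form (timestamp, source_ip, share, path)
for every remote write; a real log source would need its own parser.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # how quickly the rewrites must arrive
MIN_FILES = 20                   # distinct renamed files inside the window
MIN_SHARES = 2                   # spread across more than one share

def looks_encrypted(path):
    """True when a document extension carries a second, foreign suffix,
    e.g. 'q1.xlsx.locked' ('.locked' is a constructed placeholder)."""
    parts = path.rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-2].lower() in {"docx", "xlsx", "pdf", "pptx"}

def detect_remote_encryption(records):
    """Return {source_ip: (files, shares)} for each source whose writes of
    renamed files reach MIN_FILES files on MIN_SHARES shares within WINDOW."""
    by_source = defaultdict(list)
    for ts, ip, share, path in sorted(records):
        if looks_encrypted(path):
            by_source[ip].append((ts, share, path))
    hits = {}
    for ip, events in by_source.items():
        window = deque()                      # sliding window of recent events
        for ts, share, path in events:
            window.append((ts, share, path))
            while ts - window[0][0] > WINDOW:
                window.popleft()
            files = {p for _, _, p in window}
            shares = {s for _, s, _ in window}
            if len(files) >= MIN_FILES and len(shares) >= MIN_SHARES:
                hits[ip] = (len(files), len(shares))   # first moment it trips
                break
    return hits

def constructed_sample():
    """Constructed audit data: one workstation saving a few files normally and
    one compromised host rewriting 30 files on three shares in 30 seconds."""
    t0 = datetime(2024, 1, 10, 9, 0, 0)
    recs = [(t0 + timedelta(minutes=i), "10.0.0.15", "Finance", f"reports/q{i}.xlsx")
            for i in range(5)]
    shares = ["Finance", "HR", "Engineering"]
    recs += [(t0 + timedelta(seconds=i), "10.0.0.77", shares[i % 3], f"doc{i}.docx.locked")
             for i in range(30)]
    return recs

if __name__ == "__main__":
    print(detect_remote_encryption(constructed_sample()))  # {'10.0.0.77': (20, 3)}
```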

Microsoft in October of this year reported that about 60% of ransomware attacks now involve remote data encryption techniques. Moreover, more than 80% of all compromises occur through unmanaged devices that simply have access to shared file storage.

Well-known ransomware families that use remote encryption include Akira, ALPHV/BlackCat, BlackMatter, LockBit, and Royal. This method has been used for a long time: back in 2013, CryptoLocker attacked network resources in this way. However, a sharp spike in such attacks has been recorded in recent months.

In their report, Sophos experts also highlight the complex relationship between ransomware groups and the media. Criminals use the media not only to attract attention, but also to control the narrative, refuting reports they consider inaccurate.

They also publish frequently asked questions and press releases on their data leak sites, including direct quotes from operators and corrections of journalists' mistakes. The use of catchy names and polished graphics demonstrates the evolution and professionalization of cybercrime.

The RansomHouse group, for example, provides journalists with all relevant information on its attacks through its Telegram PR channel, sometimes even ahead of its own official publication. Groups like Conti and Pysa are known for adopting organizational hierarchies, including top management, system administrators, developers, recruiters, HR, and legal departments. Some groups even advertise on cybercrime forums for English-speaking editors and spokespeople to publicize their attacks.

"Engaging with the media gives groups that distribute ransomware both tactical and strategic advantages. This allows them to put pressure on their victims and shape the narrative, increasing their fame and mythologizing themselves," Sophos notes.
 