A new report shows that some of the most prolific ransomware groups, such as Akira, ALPHV/BlackCat, Lockbit, Royal, and Black Basta, are switching to remote encryption ransomware when carrying out attacks.
A report from Sophos has revealed how threat actors are changing their strategies. In recent years, threat actors have switched up their approach by refining ransomware-as-a-service (RaaS) models, adopting newer, sophisticated programming languages, and launching attacks at times when they are likely to go undetected.
Sophos concludes that these threat actors increasingly use remote encryption ransomware, which involves “leveraging an organization’s domain architecture to encrypt data on managed domain-joined machines.”
In these attacks, threat actors exploit a compromised or unprotected endpoint to encrypt data on other devices connected to the same network. This attack is particularly fatal as organizations can have a multitude of devices connected to a single network.
“All it takes is one underprotected device to compromise the entire network,” said Mark Loman, the vice president, threat research at Sophos, and co-creator of Cryptoguard.
As attackers are well-versed in the abhorrent art of exploiting systems, they know to look for vulnerabilities, and according to Loman, “most companies have at least one.”
These attacks are particularly troublesome as traditional anti-ransomware protection methods cannot feasibly detect malicious files or activity.
However, Sophos Cryptoguard, the software co-created by Loman, tackles remote ransomware attacks. According to Sophos, “remote detection is triggered when the ransomware is remote to the server.”
Remote ransomware is on the rise and poses a pertinent threat to organizations and companies worldwide, leaving many at risk of being exploited by threat actors. Sophos’ report aims to “inform defenders about this persistent attack method so they can properly protect devices.”
More from Cybernews:
Subscribe to our newsletter