A concerning trend has emerged among cybercriminals: ransomware operators are increasingly employing remote encryption techniques in their attacks. This shift in tactics has been observed by researchers at Sophos, who have identified several high-profile threat actors adopting this method. Notable names include Akira, ALPHV/BlackCat, LockBit, Royal, and Black Basta, all of whom have been particularly active in 2023, with a strong presence in Australia.

The danger of remote encryption lies in its ability to encrypt files across a network using only one vulnerable endpoint. Sophos’ own CryptoGuard technology, acquired in 2015, has recorded a 62% year-on-year increase in such attacks since 2022. Because the attack is carried out remotely, it is difficult for anti-ransomware software to identify and mitigate the threat in real time.

Mark Loman, Vice President of threat research at Sophos, acknowledged the severity of the situation, stating, “Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one under-protected device to compromise the entire network.” This exploitation of a “weak spot” is precisely what attackers seek, and unfortunately, most organizations tend to have at least one. As a result, remote encryption continues to be an ongoing issue for defenders, with an observable upward trajectory in the frequency of attacks.

Remote ransomware poses a significant problem for businesses and contributes to the sustainability of ransomware as a whole. Sophos has detected a strategy employed by threat actors such as LockBit and Akira, who deliberately encrypt only a fraction of each file so that the attack takes effect as quickly as possible. This shrinks the window of opportunity for defenders to detect and respond to the attack. However, Sophos has taken a proactive stance against this persistent attack method, developing anti-ransomware technology capable of countering both remote attacks and those that encrypt as little as three percent of a file.
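To show why a file with only three percent of its content encrypted is hard to spot, here is an added example (not from the original article and not Sophos’ detection method) that compares whole-file entropy with per-block entropy. The function names, block size, threshold, and sample data are all assumptions constructed for the illustration.

```python
import hashlib
import math

BLOCK = 4096        # assumed scan granularity, in bytes
THRESHOLD = 7.5     # assumed cutoff, bits per byte; ciphertext sits near 8.0


def entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def high_entropy_blocks(data: bytes) -> list:
    """Indexes of BLOCK-sized blocks that look like ciphertext."""
    return [off // BLOCK for off in range(0, len(data), BLOCK)
            if entropy(data[off:off + BLOCK]) >= THRESHOLD]


def stand_in_ciphertext(size: int) -> bytes:
    """Constructed, deterministic stand-in for encrypted bytes."""
    blocks = (hashlib.sha256(i.to_bytes(8, "big")).digest()
              for i in range(size // 32 + 1))
    return b"".join(blocks)[:size]


def build_samples() -> tuple:
    """Constructed 100-block text file, plus a copy with 3% overwritten."""
    line = b"2023-12-01 10:00:00 INFO user=alice action=login status=ok\n"
    size = 100 * BLOCK
    plain = (line * (size // len(line) + 1))[:size]
    damaged = stand_in_ciphertext(3 * BLOCK) + plain[3 * BLOCK:]
    return plain, damaged


if __name__ == "__main__":
    plain, damaged = build_samples()
    print(f"whole-file entropy, original:       {entropy(plain):.2f}")
    print(f"whole-file entropy, 3% overwritten: {entropy(damaged):.2f}")
    print("blocks flagged:", high_entropy_blocks(damaged))
```

Formats that are already compressed or encrypted (ZIP, JPEG, and similar) are high-entropy throughout, so a block-entropy check like this is one signal to combine with others rather than a verdict.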

With the increasing prevalence of remote encryption in ransomware attacks, defenders must remain vigilant and ensure robust protection for their devices and networks. Awareness of this evolving threat is crucial in adopting appropriate measures to safeguard against the potentially devastating consequences of a ransomware attack.