Date: 2023-12-21

Ransomware groups have taken their attacks to the next level, increasingly utilizing remote encryption tactics. This evolution in their strategies aims to ensure the success of their campaigns, as they target underprotected devices within company networks whose compromise can put the entire system at risk. Mark Loman, the VP of Threat Research at Sophos, warns that remote encryption will continue to pose a perennial challenge for defenders, given the potential for just one vulnerable device to grant hackers access to the entire network.

Remote encryption, also known as remote ransomware, occurs when a compromised endpoint is used to encrypt data on other devices within the same network. Microsoft disclosed in October 2023 that approximately 60% of ransomware attacks now involve malicious remote encryption. A startling 80% of all compromises stem from unmanaged devices, emphasizing the significance of this tactic in minimizing hackers’ footprint.

Ransomware families such as Akira, ALPHV/BlackCat, BlackMatter, LockBit, and Royal have been known to support remote encryption for some time. CryptoLocker, for instance, began targeting network shares as far back as 2013. The advantage of this approach lies in rendering process-based remediation measures ineffective, as managed machines cannot detect activity that is present only on an unmanaged device.

These developments occur alongside other shifts in the ransomware landscape. Threat actors are adopting atypical programming languages and targeting systems beyond Windows. They now auction off stolen data and strategically launch attacks after business hours and on weekends to evade detection and incident response efforts.

Sophos has recently observed the intricate relationship between ransomware gangs and the media. These groups seek to control the narrative while disputing what they consider to be inaccurate coverage. They engage with journalists by publishing FAQs and press releases, and they use catchy names and slick graphics on their data leak sites. By doing so, they perpetuate their notoriety and further professionalize cybercrime.

While some ransomware groups operate with a hierarchical structure, including senior executives, system admins, and HR and legal teams, there is evidence to suggest that they are also hiring English writers and speakers. Media engagement provides tactical and strategic advantages to these groups, allowing them to apply pressure to victims and shape public perception.

As ransomware attacks continue to evolve, it is crucial for organizations to enhance their cybersecurity measures and remain vigilant against emerging threats.
