Ransomware gangs increasingly turning to remote encryption for attacks: Report

A number of notorious ransomware groups are deliberately activating remote encryptions for their cyber-attacks, infiltrating deeper into companies and crippling their operations, according to a report released on Tuesday by cyber security firm Sophos, which has observed a 62% year-over-year increase in deliberate remote encryption attacks since 2022.  

In remote encryption attacks, also known as remote ransomware, attackers exploit a compromised and often poorly protected endpoint to encrypt data on other devices connected to the same network. The report highlights that several prolific and active ransomware groups, including Akira, BlackCat, LockBit, Royal, and Black Basta, among others, are intentionally using remote encryption in their attacks. 

The use of remote encryption in ransomware attacks has been steadily increasing over the past decade. This rise can be attributed, in part, to ongoing security vulnerabilities within organisations worldwide and the widespread use of cryptocurrency. Attackers have realised that compromising a single poorly protected device on a network can result in the encryption of an entire network's data. 

"Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one poorly protected device to compromise the entire network," said Mark Loman, Vice President of Threat Research at Sophos and co-creator of CryptoGuard anti-ransomware technology.  

"Attackers are aware of this, so they search for that one 'weak spot'—and most companies have at least one. Remote encryption will continue to be a persistent problem for defenders, and based on the alerts we've seen, this attack method is steadily increasing," Loman added. 

Remote ransomware presents a significant challenge to organisations and contributes to the endurance of ransomware as a whole. In October 2023, Microsoft revealed that around 60% of ransomware attacks now involve malicious remote encryption in an effort to minimise their footprint, with more than 80% of all compromises originating from unmanaged devices. 

A big advantage to this approach is that it renders process-based remediation measures ineffective and the managed machines cannot detect the malicious activity since it is only present in an unmanaged device. 

The development comes amid broader shifts in the ransomware landscape, with the threat actors adopting atypical programming languages, targeting beyond Windows systems, auctioning stolen data, and launching attacks after business hours and at weekends to thwart detection and incident response efforts. 

CISOs are strongly advised to be aware of this persistent attack method and take appropriate measures to protect their devices and data, believe experts, as Sophos recommends implementing comprehensive cybersecurity solutions that prioritise file protection to counter the growing threat of remote encryption in ransomware attacks.