Ransomware groups are increasingly turning to remote encryption attacks, a notable shift in their tactics. The trend matters for network defenders because a single underprotected device on the network is enough to let an attacker encrypt data across the organization.
Mark Loman, the Vice President of Threat Research at Sophos, emphasizes the gravity of this issue, stating, “Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one underprotected device to compromise the entire network. Attackers know this, so they hunt for that one ‘weak spot’ – and most companies have at least one. Remote encryption is going to stay a perennial problem for defenders.”
Remote encryption, also known as remote ransomware, is an attack method in which a compromised endpoint is used to encrypt data on other devices within the same network. The attacker's host connects to the victims' file shares (typically over SMB), reads each file, encrypts it, and writes the encrypted content back over the network, so the ransomware payload itself never executes on the machines whose data is encrypted.
Microsoft’s October 2023 report found that approximately 60% of ransomware attacks now involve malicious remote encryption, a choice that reduces the attacker's footprint on the machines whose data is encrypted. Notably, more than 80% of these compromises originated from unmanaged devices.
Several ransomware families, including Akira, ALPHV/BlackCat, BlackMatter, LockBit, and Royal, have adopted remote encryption. The advantage for the attacker is that process-based remediation on the victim machines has nothing to act on: no ransomware process runs there, and the file modifications arrive over the network from an unmanaged device that endpoint protection on the managed machines cannot see into. From the managed machine's point of view, the writes look like ordinary file-sharing traffic handled by the operating system.
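The defensive consequence of the three paragraphs above (the attack is visible on the target only as file activity, and it originates from a host with no endpoint protection) is that detection has to work from the file server's share-access records rather than from a process on the victim. The following is an added example, not code from the article, Sophos or Microsoft: a small Python detector that parses constructed SMB share-access records and flags a client that rewrites and renames many files in a short window, noting whether that client is in the managed-asset inventory. The pipe-delimited record format, the IP addresses and share names, the 60-second window, the 20-file threshold and the `MANAGED_HOSTS` set are all assumptions made for illustration.

```python
# Added example, not code from the original article or from Sophos/Microsoft:
# a detector for remote-encryption behaviour on a file server, run over a
# constructed log of SMB share-access records. The record format, the
# thresholds and the asset inventory are assumptions made for illustration.
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath


@dataclass(frozen=True)
class ShareEvent:
    ts: datetime
    client: str         # IP of the SMB client issuing the request (where the encryptor runs)
    share: str
    path: str           # path inside the share
    access: str         # READ, WRITE, RENAME or DELETE
    new_path: str = ""  # destination path for RENAME


# Hypothetical asset inventory: hosts known to be managed and running endpoint protection.
MANAGED_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}


def parse_line(line: str) -> ShareEvent:
    """Parse one constructed pipe-delimited record, e.g.
    2024-01-15T09:00:00|10.0.9.77|FINANCE|q1/doc0.xlsx|RENAME|q1/doc0.xlsx.locked"""
    parts = line.strip().split("|")
    ts, client, share, path, access = parts[:5]
    new_path = parts[5] if len(parts) > 5 else ""
    return ShareEvent(datetime.fromisoformat(ts), client, share, path, access, new_path)


def detect_remote_encryption(events, window=timedelta(seconds=60), min_files=20):
    """Flag every client that modified at least `min_files` distinct files on the
    shares within some interval of length `window`. The signal is the effect on
    the files (bulk rewrite and rename from one remote client), not a process on
    the server: with remote ransomware no malicious process runs there."""
    by_client = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.access in ("WRITE", "RENAME"):
            by_client.setdefault(ev.client, []).append(ev)

    findings = {}
    for client, evs in by_client.items():
        recent = deque()  # modification events inside the sliding window
        for ev in evs:
            recent.append(ev)
            while ev.ts - recent[0].ts > window:
                recent.popleft()
            touched = {e.path for e in recent}
            if len(touched) < min_files:
                continue
            if client in findings and findings[client]["files"] > len(touched):
                continue  # keep the largest window seen for this client
            findings[client] = {
                "managed": client in MANAGED_HOSTS,
                "files": len(touched),
                "shares": sorted({e.share for e in recent}),
                "extension_changes": sum(
                    1 for e in recent
                    if e.access == "RENAME"
                    and PurePosixPath(e.new_path).suffix != PurePosixPath(e.path).suffix
                ),
                "window_start": recent[0].ts.isoformat(),
                "window_end": ev.ts.isoformat(),
            }
    return findings


def constructed_log():
    """Constructed sample: one managed workstation saving a few files over ten
    minutes, and one unmanaged host reading, rewriting and renaming 40 files in
    under 30 seconds, the shape of a remote-encryption run."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    for i in range(5):
        t = (base + timedelta(seconds=120 * i)).isoformat()
        lines.append(f"{t}|10.0.1.10|HR|reviews/emp{i}.docx|WRITE")
    for i in range(40):
        t = base + timedelta(milliseconds=700 * i)
        p = f"q1/doc{i}.xlsx"
        lines.append(f"{t.isoformat()}|10.0.9.77|FINANCE|{p}|READ")
        lines.append(f"{(t + timedelta(milliseconds=100)).isoformat()}|10.0.9.77|FINANCE|{p}|WRITE")
        lines.append(f"{(t + timedelta(milliseconds=200)).isoformat()}|10.0.9.77|FINANCE|{p}|RENAME|{p}.locked")
    return lines


def analyze(lines):
    """Parse constructed records and return the per-client findings."""
    return detect_remote_encryption(parse_line(line) for line in lines)


if __name__ == "__main__":
    for client, f in analyze(constructed_log()).items():
        tag = "managed" if f["managed"] else "UNMANAGED"
        print(f"{client} ({tag}): {f['files']} files, {f['extension_changes']} extension "
              f"changes on {f['shares']} between {f['window_start']} and {f['window_end']}")
```

In a real deployment the records would come from the file server's own share auditing (for example Windows Security event 5145 or Samba's `full_audit` VFS module), and the window and file-count thresholds would be tuned against baseline activity for each share. The point of keying on the client address is that the only host where a malicious process exists is the one issuing the SMB requests, so a hit from an address that is absent from the managed inventory is exactly the "one underprotected device" the article describes.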
This surge in remote encryption attacks is occurring in tandem with broader shifts in the ransomware landscape. Threat actors are diversifying their tactics, using atypical programming languages, targeting platforms beyond Windows systems, auctioning stolen data, and launching attacks during non-standard business hours and weekends to evade detection and incident response efforts.
Sophos, in a recent report, highlighted the intricate relationship between ransomware groups and the media, which they describe as “symbiotic – but often uneasy.” Ransomware gangs aim to attract attention, control the narrative, and correct what they perceive as inaccurate media coverage. They do this by publishing FAQs and press releases on their data leak sites, incorporating direct quotes from their operators, and rectifying mistakes made by journalists. This tactic underscores the increasing professionalization of cybercrime.
Some ransomware groups, like Conti and Pysa, have adopted organizational hierarchies resembling legitimate businesses, comprising senior executives, system administrators, developers, recruiters, HR, and legal teams. There is even evidence to suggest that these groups have advertised opportunities for English writers and speakers on criminal forums.
Media engagement provides ransomware groups with tactical and strategic advantages, allowing them to apply pressure on victims, shape the narrative to their advantage, inflate their notoriety, and create a mythology around themselves.
As remote encryption becomes more common, the defensive priorities follow from how the attack works. Every device that can reach a file share needs to be inventoried and brought under management and endpoint protection, since one underprotected host is enough. And detection has to key on what happens to the files, such as bulk rewrites and renames arriving from a single remote host, rather than on a malicious process, because on the machines being encrypted there is none.