
According to a new report, some of the most active and dangerous ransomware groups in the world, including Akira, ALPHV/BlackCat, LockBit, Royal, and Black Basta, are changing their attack methods and are now using remote encryption.

IT security company Sophos released a report revealing how threat actors have changed their strategies in recent years, refining RaaS (ransomware-as-a-service) models and adopting newer sophisticated programming languages. They also seem to be launching attacks at times when they are likely to go undetected.

Interestingly, Sophos concludes that these threat actors have been seen increasingly using remote encryption ransomware, which involves “leveraging an organization’s domain architecture to encrypt data on managed domain-joined machines.”

According to Cybernews, during such attacks, threat actors exploit a compromised or unprotected endpoint to encrypt data on other devices connected to the same network. The reason this attack is especially dangerous is that organizations can have many different devices connected to a single network.

Mark Loman, vice president of threat research at Sophos and co-creator of the CryptoGuard software, has said that all it takes is one under-protected device to compromise the entire network. He further explained that attackers are experienced and well informed when it comes to exploiting systems, so they know to look for vulnerabilities, and most companies have “at least one.”

Another reason these attacks are especially effective and problematic is that traditional anti-ransomware protection methods can’t always detect malicious files or activity.

Nevertheless, the Sophos CryptoGuard software co-created by Loman is designed to tackle such remote ransomware attacks; as the company explains, “remote detection is triggered when the ransomware is remote to the server.”
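The server-side view described above, as an added example that is not Sophos code or part of the report: because the encrypting process runs on a remote host, the file server's own share-access audit trail is the natural place to look, so this Python sketch flags any remote client that modifies an unusually large number of distinct files within a short window. The client addresses, paths, log format and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-share audit records (not real logs). Each record is the
# (time, remote client, action, path) a file server would log for share access.
# In remote encryption the encrypting process runs on the client, so the server
# sees only ordinary write/rename traffic, all originating from one remote host.
def constructed_events():
    base = datetime(2024, 3, 1, 2, 14, 0)
    events = []
    for i in range(3):  # benign: a user saving a few documents over an hour
        events.append((base + timedelta(minutes=20 * i), "10.0.5.23",
                       "WRITE", f"\\\\fs01\\finance\\report{i}.docx"))
    for i in range(40):  # suspicious: one client rewrites and renames 40 files in ~30 s
        t = base + timedelta(seconds=0.7 * i)
        events.append((t, "10.0.9.77", "WRITE", f"\\\\fs01\\finance\\doc{i}.xlsx"))
        events.append((t, "10.0.9.77", "RENAME", f"\\\\fs01\\finance\\doc{i}.xlsx.locked"))
    return events

def find_remote_encryptors(events, window=timedelta(seconds=60), min_files=20):
    """Return {client: peak number of distinct files modified within `window`}
    for every remote client that touched at least `min_files` distinct files
    in some window. Reads and opens are ignored; only modifying actions count."""
    per_client = defaultdict(list)
    for t, client, action, path in events:
        if action in ("WRITE", "RENAME", "DELETE"):
            per_client[client].append((t, path))
    flagged = {}
    for client, touches in per_client.items():
        touches.sort()
        start = 0
        for i, (t, _) in enumerate(touches):
            while touches[start][0] < t - window:  # slide the window forward
                start += 1
            distinct = len({p for _, p in touches[start:i + 1]})
            if distinct >= min_files:
                flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

if __name__ == "__main__":
    for client, n in find_remote_encryptors(constructed_events()).items():
        print(f"ALERT: {client} modified {n} distinct files within 60 s; isolate this host")
```

The benign client stays below the threshold while the suspicious one is reported; in practice the alert would feed a block on the originating host, which is the one device the server-side protection can act on.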

To conclude, the use of remote ransomware is clearly rising and poses a threat to organizations worldwide, and the report released by Sophos aims to “inform defenders about this persistent attack method so they can properly protect devices.”