{"id":7116,"date":"2023-12-07T16:12:20","date_gmt":"2023-12-07T15:12:20","guid":{"rendered":"https:\/\/partnernews.sophos.com\/en-us\/?p=7116"},"modified":"2023-12-08T10:30:54","modified_gmt":"2023-12-08T10:30:54","slug":"remote-ransomware-protection-a-huge-sophos-endpoint-differentiator","status":"publish","type":"post","link":"https:\/\/partnernews.sophos.com\/es-es\/2023\/12\/products\/remote-ransomware-protection-a-huge-sophos-endpoint-differentiator\/","title":{"rendered":"Sophos Endpoint: Industry-leading Protection Against Remote Ransomware Attacks"},"content":{"rendered":"<p>Around 60% of human-operated ransomware attacks\u00a0<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/security-insider\/microsoft-digital-defense-report-2023\" target=\"_blank\" rel=\"noopener\">now involve malicious remote encryption<\/a>. Read on to learn about this prevalent ransomware attack vector and Sophos\u2019 industry-leading protection capabilities.<\/p>\n<h2>What is remote ransomware?<\/h2>\n<p><strong>Remote ransomware, also known as malicious remote encryption, is when a compromised endpoint is used to encrypt data on other devices on the same network.<\/strong><\/p>\n<p>In human-led attacks, adversaries typically try to deploy ransomware directly to the machines they want to encrypt. If their initial attempt is blocked (for example, by security technologies on the target devices) they rarely give up, choosing instead to pivot to an alternative approach and try again, and again.<\/p>\n<p>Once attackers succeed in compromising a machine they can leverage the organization\u2019s domain architecture to encrypt data on managed domain-joined machines. All the malicious activity \u2013 ingress, payload execution, and encryption \u2013 occurs on the already-compromised machine, therefore bypassing modern security stacks. 
The only indication of compromise is the transmission of documents to and from other machines.<\/p>\n<p>Eighty percent of remote encryption compromises\u00a0<a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2023\/10\/05\/microsoft-digital-defense-report-2023-global-cyberattacks\/\" target=\"_blank\" rel=\"noopener\">originate from unmanaged devices on the network<\/a>, although some start on under-protected machines that lack the defenses needed to stop attackers getting onto the device.<\/p>\n<h2>Why is remote ransomware so prevalent?<\/h2>\n<p>A key factor driving the widespread use of this approach is its scalability: A single unmanaged or under-protected endpoint can expose an organization\u2019s entire estate to malicious remote encryption, even if all the other devices are running a next-gen endpoint security solution.<\/p>\n<p>To make matters worse, adversaries are not limited in their choice of ransomware variant for these attacks. A wide range of well-known ransomware families support remote malicious encryption, including Akira, BitPaymer, BlackCat, BlackMatter, Conti, Crytox, DarkSide, Dharma, LockBit, MedusaLocker, Phobos, Royal, Ryuk, and WannaCry.<\/p>\n<p>Furthermore, most endpoint security products are ineffective in this scenario because they focus on detecting malicious ransomware files and processes\u00a0<em>on the protected endpoint<\/em>. 
However, with remote encryption attacks, the processes run on the compromised machine, leaving the endpoint protection blind to the malicious activity.<\/p>\n<p>Fortunately, Sophos Endpoint includes robust protection against malicious remote encryption, powered by our industry-leading CryptoGuard protection.<\/p>\n<h2>Sophos CryptoGuard: Industry-leading, universal ransomware protection<\/h2>\n<p>Sophos Endpoint contains multiple layers of protection that defend organizations from ransomware, including CryptoGuard, our unique anti-ransomware technology that is included in all Sophos Endpoint subscriptions.<\/p>\n<p>Unlike other endpoint security solutions that solely look for malicious files and processes, CryptoGuard analyzes data files for signs of malicious encryption irrespective of where the processes are running. This approach makes it highly effective at stopping all forms of ransomware, including malicious remote encryption. If it detects malicious encryption, CryptoGuard automatically blocks the activity and rolls back files to their unencrypted states.<\/p>\n<p>CryptoGuard actively examines the content of all documents as files are read and written, using mathematical analysis to determine whether they have become encrypted. 
This universal approach is unique in the industry and enables Sophos Endpoint to stop ransomware attacks that other solutions miss, including remote attacks and never-before-seen ransomware variants.<\/p>\n<p><strong>Detects malicious encryption by analyzing file content<br \/>\n<\/strong>Unlike other solutions that look at ransomware from an anti-malware perspective by focusing on detecting malicious code, CryptoGuard looks for mass rapid encryption of files by analyzing content using mathematical algorithms.<\/p>\n<p><strong>Blocks both local and remote ransomware attacks<br \/>\n<\/strong>Because CryptoGuard focuses on the content of files, it can detect ransomware encryption attempts even when the malicious process is not running on the victim\u2019s device.<\/p>\n<p><strong>Automatically rolls back malicious encryption<br \/>\n<\/strong>CryptoGuard creates temporary backups of modified files and automatically rolls back changes when it detects mass encryption. Sophos uses a proprietary approach, unlike other solutions that use Windows Volume Shadow Copy, which adversaries are known to circumvent. There are no limits to the size and type of file that can be recovered, minimizing the impact on business productivity.<strong><br \/>\n<\/strong><\/p>\n<p><strong>Automatically blocks remote devices<br \/>\n<\/strong>In a remote ransomware attack, CryptoGuard automatically blocks the IP address of the remote device attempting to encrypt files on the victim\u2019s machine.<\/p>\n<p><strong>Protects the master boot record (MBR)<br \/>\n<\/strong>CryptoGuard also protects the device from ransomware that encrypts the master boot record (preventing startup) and from attacks that wipe the hard disk.<\/p>\n<p>CryptoGuard is one of the unique capabilities in Sophos Endpoint and is included with all Sophos Intercept X Advanced, Sophos XDR, and Sophos MDR subscriptions. 
What\u2019s more, the capability is enabled automatically by default, ensuring organizations enjoy full protection from both local and remote ransomware attacks straight away \u2013 no fine-tuning or configuration required.<\/p>\n<h2>Discover unprotected devices<\/h2>\n<p>A single unprotected endpoint can leave your customers&#8217; organization vulnerable to a remote encryption attack. Deploying Sophos Endpoint provides robust universal ransomware protection from malicious encryption. But how can your customers identify if they have unprotected devices on their network in the first place?<\/p>\n<p>This is where\u00a0<a href=\"https:\/\/www.sophos.com\/en-us\/products\/managed-detection-and-response\/network-detection-and-response\">Sophos Network Detection and Response (NDR)<\/a>\u00a0can help. Sophos NDR monitors network traffic for suspicious flows and, in doing so, identifies unprotected devices and rogue assets in the environment.<\/p>\n<p><strong>For the strongest protection against remote ransomware attacks, recommend that customers install Sophos Endpoint on all machines in the environment and deploy Sophos NDR to discover unprotected devices on their network.<\/strong><\/p>\n<h2>A unique opportunity<\/h2>\n<p>Leverage this differentiated ransomware protection capability in Sophos Endpoint to drive new sales opportunities and renewals today. 
It is particularly helpful when defending against a move away from Sophos to Microsoft Defender: with the average cost to remediate a ransomware attack coming in at $1.82M, ask customers whether they can afford to be exposed.<\/p>\n<p>Share the following new resources with your customers and take full advantage of this unique opportunity:<\/p>\n<ul>\n<li><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/12\/07\/sophos-endpoint-industry-leading-protection-against-remote-ransomware-attacks\/\" target=\"_blank\" rel=\"noopener\">Sophos News article<\/a> &#8211; explains what remote ransomware is, why most organizations are exposed to it, and how Sophos Endpoint stops it.<\/li>\n<li><a href=\"https:\/\/vimeo.com\/889667454\" target=\"_blank\" rel=\"noopener\">2-minute promo video<\/a> \u2013 great teaser for social media.<\/li>\n<li><a href=\"https:\/\/vimeo.com\/891087569\" target=\"_blank\" rel=\"noopener\">Expert explainer video<\/a> \u2013 Peter Mackenzie (Director, Incident Response) explains remote ransomware.<\/li>\n<\/ul>\n<p>We also offer the following assets for download from the partner portal:<\/p>\n<ul>\n<li><strong>Sophos Remote Ransomware Guide <\/strong>\u2013 Explains what remote ransomware is, why most organizations are exposed to it, and how Sophos Endpoint stops it.<\/li>\n<li><strong>Enablement video <\/strong>\u2013 Explains the sales opportunity.<\/li>\n<li><strong>PowerPoint slides<\/strong> \u2013 Add these new slides to your own presentations.<\/li>\n<li><strong>Marketing Emails<\/strong> \u2013 Designed to promote the whitepaper and webinar.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/partners.sophos.com\/prm\/English\/s\/assets?renderMode=Collection&amp;q=%22remote%20ransomware%22\" target=\"_blank\" rel=\"noopener\">Access Asset Library<\/a><\/p>\n<h2>Plus, there\u2019s an NDR opportunity too!<\/h2>\n<p>80% of remote ransomware attack compromises originate on an unmanaged device. 
As described above, use this opportunity to demonstrate the importance of seeing what\u2019s on your customers&#8217; network and introduce <a href=\"https:\/\/partners.sophos.com\/prm\/English\/c\/selling-sophos-ndr\" target=\"_blank\" rel=\"noopener\">Sophos NDR<\/a> \u2013 now available for both Sophos MDR and Sophos XDR.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Most leading endpoint solutions struggle to stop malicious remote encryption, but not Sophos.<\/p>\n","protected":false},"author":11,"featured_media":3000003581,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[72],"tags":[139,112,202],"coauthors":[204],"class_list":["post-7116","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-products","tag-ransomware","tag-sophos-endpoint","tag-sophos-ndr"],"jetpack_featured_media_url":"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2021\/08\/featured-image-sophos-endpoint-and-marque-app-icon-1600x960px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/partnernews.sophos.com\/es-es\/wp-json\/wp\/v2\/posts\/7116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/partnernews.sophos.com\/es-es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/partnernews.sophos.com\/es-es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/es-es\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/es-es\/wp-json\/wp\/v2\/comments?post=7116"}],"version-history":[{"count":1,"href":"https:\/\/partnernews.sophos.com\/es-es\/wp-json\/wp\/v2\/posts\/7116\/revisions"}],"predecessor-version":[{"id":7121,"href":"https:\/\/partnernews.sophos.com\/es-es\/wp
-json\/wp\/v2\/posts\/7116\/revisions\/7121"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/es-es\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/partnernews.sophos.com\/es-es\/wp-json\/wp\/v2\/media?parent=7116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/es-es\/wp-json\/wp\/v2\/categories?post=7116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/es-es\/wp-json\/wp\/v2\/tags?post=7116"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/es-es\/wp-json\/wp\/v2\/coauthors?post=7116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}