Around 60% of human-operated ransomware attacks now involve malicious remote encryption. Read on to learn about this prevalent ransomware attack vector and Sophos’ industry-leading protection capabilities.
What is remote ransomware?
Remote ransomware, also known as malicious remote encryption, is when a compromised endpoint is used to encrypt data on other devices on the same network: the attacker reads and rewrites the victims’ files over the network (typically via file shares) rather than running a ransomware payload on each victim.
In human-led attacks, adversaries typically try to deploy ransomware directly to the machines they want to encrypt. If their initial attempt is blocked (for example, by security technologies on the target devices) they rarely give up, choosing instead to pivot to an alternative approach and try again, and again.
Once attackers have a foothold on one machine, they can use the access that the organization’s domain architecture grants it – accounts and file-share permissions – to encrypt data on managed, domain-joined machines. All the malicious activity – ingress, payload execution, and encryption – takes place on the already-compromised machine, so the security stack on the target devices never sees a malicious process. From the target’s point of view, the only sign of compromise is documents being read from and written back to it over the network.
Eighty percent of remote encryption compromises originate from unmanaged devices on the network; some start on under-protected machines that lack the defenses needed to stop attackers getting onto the device in the first place.
Why is remote ransomware so prevalent?
A key factor driving the widespread use of this approach is its scalability: A single unmanaged or under-protected endpoint can expose an organization’s entire estate to malicious remote encryption, even if all the other devices are running a next-gen endpoint security solution.
To make matters worse, adversaries are not limited in their choice of ransomware variant for these attacks. A wide range of well-known ransomware families support remote malicious encryption, including Akira, BitPaymer, BlackCat, BlackMatter, Conti, Crytox, DarkSide, Dharma, LockBit, MedusaLocker, Phobos, Royal, Ryuk, and WannaCry.
Furthermore, most endpoint security products are ineffective in this scenario because they focus on detecting malicious ransomware files and processes on the protected endpoint. In a remote encryption attack, however, the malicious process runs on the compromised machine, not on the target: the target’s endpoint protection sees only file reads and writes arriving from a remote client, and has no malicious file or process to detect.
Fortunately, Sophos Endpoint includes robust protection against malicious remote encryption, powered by our industry-leading CryptoGuard protection.
Sophos CryptoGuard: Industry-leading, universal ransomware protection
Sophos Endpoint contains multiple layers of protection that defend organizations from ransomware, including CryptoGuard, our unique anti-ransomware technology that is included in all Sophos Endpoint subscriptions.
Unlike other endpoint security solutions that solely look for malicious files and processes, CryptoGuard analyzes data files for signs of malicious encryption irrespective of where the processes are running. This approach makes it highly effective at stopping all forms of ransomware, including malicious remote encryption. If it detects malicious encryption, CryptoGuard automatically blocks the activity and rolls back files to their unencrypted states.
CryptoGuard actively examines the content of all documents as files are read and written, using mathematical analysis to determine whether they have become encrypted. This universal approach is unique in the industry and enables Sophos Endpoint to stop ransomware attacks that other solutions miss, including remote attacks and never-before-seen ransomware variants.
Detects malicious encryption by analyzing file content
Unlike other solutions that approach ransomware from an anti-malware perspective, focusing on detecting malicious code, CryptoGuard looks for mass, rapid encryption of files by statistically analyzing their content as it is read and written.
Blocks both local and remote ransomware attacks
Because CryptoGuard focuses on the content of files, it can detect ransomware encryption attempts even when the malicious process is not running on the victim’s device.
Automatically rolls back malicious encryption
CryptoGuard keeps temporary backups of files as they are modified and automatically rolls the changes back when it detects mass encryption. Sophos uses a proprietary approach rather than Windows Volume Shadow Copy, which adversaries routinely delete (for example with vssadmin) before encrypting and which therefore cannot be relied on for recovery. There is no limit on the size or type of file that can be recovered, minimizing the impact on business productivity.
Automatically blocks remote devices
In a remote ransomware attack, CryptoGuard automatically blocks the IP address of the remote device attempting to encrypt files on the victim’s machine.
Protects the master boot record (MBR)
CryptoGuard also protects the device from ransomware that encrypts the master boot record (preventing startup) and from attacks that wipe the hard disk.
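The following Python simulation is an added illustration, not Sophos code: CryptoGuard’s actual algorithms, thresholds and rollback mechanism are proprietary and not described on this page. It shows the principle behind the capabilities above: judge a write by what it does to the file’s content (here, the Shannon entropy of the bytes written) rather than by which process issued it; keep a pre-write copy so a burst can be rolled back; and, when the burst arrived over the network, block the remote IP. The entropy threshold, burst count and window are assumed tuning values; the sample documents and the TEST-NET-1 address 192.0.2.10 are constructed; the “ciphertext” is SHA-256 output standing in for ransomware output and encrypts nothing.

```python
import hashlib
import math
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set, Tuple

# Assumed tuning values (illustrative only, not CryptoGuard's). Plain office
# documents typically score ~4-5 bits/byte; ciphertext and compressed data ~8.
ENTROPY_THRESHOLD = 7.0   # bits per byte
BURST_COUNT = 5           # files turning high-entropy from one source ...
BURST_WINDOW = 10.0       # ... within this many seconds -> mass encryption


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass
class WriteEvent:
    ts: float              # seconds
    path: str              # file on the protected (victim) machine
    source: Optional[str]  # remote IP if the write came over the network, None if local
    before: bytes          # content on disk before the write
    after: bytes           # content being written


@dataclass
class Verdict:
    blocked: bool
    blocked_ip: Optional[str] = None
    rolled_back: List[str] = field(default_factory=list)


class ContentEncryptionMonitor:
    """Judges writes by their effect on file content, whatever process wrote them."""

    def __init__(self) -> None:
        self.disk: Dict[str, bytes] = {}        # simulated file contents
        self.backups: Dict[str, bytes] = {}     # temporary pre-write copies
        self.recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.blocked_ips: Set[str] = set()

    def on_write(self, ev: WriteEvent) -> Verdict:
        if ev.source is not None and ev.source in self.blocked_ips:
            return Verdict(blocked=True, blocked_ip=ev.source)  # already cut off
        self.backups.setdefault(ev.path, ev.before)  # keep the first pre-write version
        self.disk[ev.path] = ev.after
        # Only a low-entropy file turning high-entropy counts; rewriting an
        # already-encrypted or already-compressed file does not.
        became_encrypted = (shannon_entropy(ev.before) < ENTROPY_THRESHOLD
                            <= shannon_entropy(ev.after))
        if not became_encrypted:
            return Verdict(blocked=False)
        window = self.recent[ev.source or "local"]
        window.append((ev.ts, ev.path))
        while window and ev.ts - window[0][0] > BURST_WINDOW:
            window.popleft()
        if len(window) < BURST_COUNT:
            return Verdict(blocked=False)  # one archive write is not a burst
        # Mass rapid encryption: restore every file in the burst, block the source.
        restored = []
        for _, path in window:
            self.disk[path] = self.backups[path]
            restored.append(path)
        window.clear()
        if ev.source is not None:
            self.blocked_ips.add(ev.source)
        return Verdict(blocked=True, blocked_ip=ev.source, rolled_back=restored)


def fake_ciphertext(label: bytes, n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 over a counter) standing in for
    ransomware output. Not a cipher; it encrypts nothing."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(label + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


# Constructed sample document (low entropy); not real data.
PLAINTEXT = b"Q3 revenue report: regional sales up 4% versus the prior quarter.\n" * 64


def simulate() -> Tuple[ContentEncryptionMonitor, List[Verdict]]:
    """Replays a constructed sequence of writes against the victim machine."""
    mon = ContentEncryptionMonitor()
    verdicts = []
    # 1) Ordinary local edits: plaintext stays plaintext.
    for i in range(3):
        verdicts.append(mon.on_write(WriteEvent(float(i), f"C:\\Shares\\Docs\\memo{i}.txt",
                                                None, PLAINTEXT, PLAINTEXT + b"Edited.\n")))
    # 2) A local backup tool writing one compressed archive: high entropy, single file.
    verdicts.append(mon.on_write(WriteEvent(4.0, "C:\\Backup\\weekly.zip", None, b"",
                                            fake_ciphertext(b"zip", 4096))))
    # 3) Remote host 192.0.2.10 (TEST-NET-1, assumed) encrypting five documents over SMB.
    for i in range(5):
        verdicts.append(mon.on_write(WriteEvent(10.0 + 0.4 * i, f"C:\\Shares\\Docs\\contract{i}.docx",
                                                "192.0.2.10", PLAINTEXT, fake_ciphertext(b"rw", 4096))))
    # 4) Anything further from the blocked host is refused outright.
    verdicts.append(mon.on_write(WriteEvent(13.0, "C:\\Shares\\Docs\\contract9.docx",
                                            "192.0.2.10", PLAINTEXT, fake_ciphertext(b"rw", 4096))))
    return mon, verdicts


if __name__ == "__main__":
    monitor, results = simulate()
    for v in results:
        print(v)
    print("blocked:", sorted(monitor.blocked_ips))
```

The point of the simulation is the attribution: the five contract files are restored and 192.0.2.10 is blocked even though no process on the victim machine ever ran anything malicious, while the one high-entropy archive written locally is left alone because a single file is not a burst. A real product has to deal with much more than this toy (partially encrypted files, legitimately compressed or encrypted formats, attackers that stay under a rate threshold), which is why entropy is only one signal among several.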
CryptoGuard is one of the unique capabilities in Sophos Endpoint and is included with all Sophos Intercept X Advanced, Sophos XDR, and Sophos MDR subscriptions. What’s more, the capability is enabled automatically by default, ensuring organizations enjoy full protection from both local and remote ransomware attacks straight away – no fine tuning or configuration required.
Discover unprotected devices
A single unprotected endpoint can leave your customers’ organization vulnerable to a remote encryption attack. Deploying Sophos Endpoint provides robust universal ransomware protection from malicious encryption. But how can your customers identify if they have unprotected devices on their network in the first place?
This is where Sophos Network Detection and Response (NDR) can help. Sophos NDR monitors network traffic for suspicious flows and, in doing so, identifies unprotected devices and rogue assets in the environment.
For the strongest protection against remote ransomware attacks, recommend installing Sophos Endpoint on all customer machines in the environment and deploying Sophos NDR to discover unprotected devices on their network.
A unique opportunity
Leverage this differentiated ransomware protection capability in Sophos Endpoint to drive new sales opportunities and renewals today. It is particularly helpful when defending against a move away from Sophos to Microsoft Defender: with the average cost to remediate a ransomware attack coming in at $1.82M, ask customers whether they can afford to be exposed.
Share the following new resources with your customers and take full advantage of this unique opportunity:
- Sophos News article – explains what remote ransomware is, why most organizations are exposed to it, and how Sophos Endpoint stops it.
- 2-minute promo video – great teaser for social media.
- Expert explainer video – Peter Mackenzie (Director, Incident Response) explains remote ransomware.
We also offer the following assets for download from the partner portal:
- Sophos Remote Ransomware Guide – Explains what remote ransomware is, why most organizations are exposed to it, and how Sophos Endpoint stops it.
- Enablement video – Explains the sales opportunity
- PowerPoint slides – Add these new slides to your own presentations.
- Marketing emails – Designed to promote the whitepaper and webinar.
Plus, there’s an NDR opportunity too!
80% of remote ransomware attack compromises originate on an unmanaged device. As described above, use this opportunity to demonstrate the importance of seeing what’s on your customers’ network and introduce Sophos NDR – now available for both Sophos MDR and Sophos XDR.