Hackers are pretending to be cybersecurity firm to lock your entire PC

As hackers come up with new ways to attack, not even trustworthy names can be taken at face value. This time, a ransomware-as-a-service (RaaS) attack is being used to impersonate a cybersecurity vendor called Sophos.

The RaaS, referred to as SophosEncrypt, can take hold of your files — or even your whole PC — and requires payment to have them decrypted.

"### Encryption program – SOPHOS ###"
Sophos ransomware?
🤔@SophosXOps pic.twitter.com/OSHV0PHCs8

— MalwareHunterTeam (@malwrhunterteam) July 17, 2023

Initially reported by MalwareHunterTeam on Twitter, the ransomware has now been acknowledged by Sophos. The initial thought was that this may have been a red team exercise by the cybersecurity firm, which is a form of testing where a team of experts tries to breach an organization’s security system to see how the defenses hold up against attacks. However, as it turns out, SophosEncrypt has nothing to do with Sophos, other than stealing its name, perhaps to add more gravity and urgency for people to pay up.

“We found this on VT (Virus Total) earlier and have been investigating. Our preliminary findings show Sophos InterceptX protects against these ransomware samples,” said Sophos in a tweet, referring to its proprietary endpoint protection tool.

It’s currently unclear how the RaaS spreads, but some of the most common methods include phishing emails, malicious websites or popup ads, and software vulnerabilities. BleepingComputer reports that the ransomware operation is currently active, and it goes into some detail on how the file encryptor operates.

The encryptor requires a token associated with the victim, and this token is later verified online before the attack can be carried out. However, researchers found that this can be bypassed by disabling network connections. Once the tool is operational, it gives the attacker the choice to encrypt certain files or even the entire device. The encrypted files then use the extension “.sophos.”
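The one concrete artifact the article gives a defender to look for is the ".sophos" extension appended to encrypted files. The script below is an added example, not code from the article, Sophos, or BleepingComputer: it walks a directory tree, collects files carrying that extension, and raises an alert once the count crosses a threshold, which is the usual way a file-server monitor separates a stray renamed file from a mass-encryption event. The threshold value and the sample directory layout are assumptions constructed for the demonstration.

```python
"""Added example: flag a likely SophosEncrypt run from the '.sophos' file
extension the article reports. Not part of the original article."""
from __future__ import annotations

import tempfile
from pathlib import Path

SUSPECT_SUFFIX = ".sophos"  # extension reported in the article
ALERT_THRESHOLD = 5         # assumed tuning value, not from the article


def find_encrypted_files(root: Path, suffix: str = SUSPECT_SUFFIX) -> list[Path]:
    """Return every regular file under root whose final extension is the suspect one.

    Path.suffix only looks at the last extension, so 'report.docx.sophos'
    matches while 'report.docx' does not.
    """
    return sorted(p for p in root.rglob("*") if p.is_file() and p.suffix.lower() == suffix)


def assess(root: Path, threshold: int = ALERT_THRESHOLD) -> dict:
    """Summarise the scan: how many hits, which directories are affected,
    and whether the count is large enough to treat as an encryption event."""
    hits = find_encrypted_files(root)
    affected = sorted({h.parent.relative_to(root).as_posix() for h in hits})
    return {"count": len(hits), "dirs": affected, "alert": len(hits) >= threshold}


def build_sample_tree() -> Path:
    """Constructed sample tree (not real victim data): a few untouched files
    plus six that have been renamed with the suspect extension."""
    root = Path(tempfile.mkdtemp(prefix="sophosencrypt-demo-"))
    (root / "docs").mkdir()
    (root / "photos").mkdir()
    sample_files = [
        "docs/report.docx.sophos",
        "docs/budget.xlsx.sophos",
        "docs/minutes.pdf.sophos",
        "docs/todo.txt",
        "photos/holiday01.jpg.sophos",
        "photos/holiday02.jpg.sophos",
        "photos/holiday03.jpg.sophos",
        "photos/README.md",
    ]
    for name in sample_files:
        (root / name).write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = assess(demo_root)
    print(f"scanned {demo_root}: {result['count']} '{SUSPECT_SUFFIX}' files "
          f"in {result['dirs']}, alert={result['alert']}")
```

On a real file server the scan would run against the share root on a schedule, and the threshold would be tuned so that a handful of hits produces a ticket while a burst of hundreds triggers isolation of the host that wrote them.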

[Screenshot: Ransom note left by SophosEncrypt. Image credit: BleepingComputer]

As you can see in the above screenshot, the victim is then asked to contact the attackers to decrypt their files. Unsurprisingly, the payment is made through cryptocurrency, which is a lot harder to track and pursue for the authorities than a simple bank transfer. The desktop wallpaper in Windows is also changed at this point, alerting the user that their files have been encrypted. It uses the Sophos name.

Sophos has been able to track down some information about the attackers. It said in its report, “The address has been associated for more than a year with both Cobalt Strike command-and-control and automated attacks that attempt to infect internet-facing computers with crypto-mining software.”

What can you do to stay safe at a time when ransomware attacks are on the rise? The advice is the same as usual — be careful and do not accept any files from people you don’t know. Keep in mind that even people you’re friends with could get hacked and spread malicious files under the guise of sending you something. In addition, remember that no legit cybersecurity company would ever encrypt your files and ask you to pay for their recovery, so protect yourself — if something seems off, it probably is.

Monica J. White
Monica is a computing writer at Digital Trends, focusing on PC hardware. Since joining the team in 2021, Monica has written…