As hackers come up with new ways to attack, not even trustworthy names can be taken at face value. This time, a ransomware-as-a-service (RaaS) operation is impersonating a cybersecurity vendor called Sophos.
The RaaS, referred to as SophosEncrypt, can take hold of your files — or even your whole PC — and requires payment to have them decrypted.
"### Encryption program – SOPHOS ###" Sophos ransomware? 🤔 @SophosXOps — MalwareHunterTeam (@malwrhunterteam), July 17, 2023
Initially reported by MalwareHunterTeam on Twitter, the ransomware has now been acknowledged by Sophos. The initial thought was that this may have been a red team exercise by the cybersecurity firm, which is a form of testing where a team of experts tries to breach an organization’s security system to see how the defenses hold up against attacks. However, as it turns out, SophosEncrypt has nothing to do with Sophos, other than stealing its name, perhaps to add more gravity and urgency for people to pay up.
“We found this on VT (VirusTotal) earlier and have been investigating. Our preliminary findings show Sophos InterceptX protects against these ransomware samples,” said Sophos in a tweet, referring to its proprietary endpoint protection tool.
It’s currently unclear how the RaaS spreads, but some of the most common methods include phishing emails, malicious websites or popup ads, and software vulnerabilities. BleepingComputer reports that the ransomware operation is currently active, and it goes into some detail on how the file encryptor operates.
The encryptor requires a token associated with the victim, and this token is later verified online before the attack can be carried out. However, researchers found that this can be bypassed by disabling network connections. Once the tool is operational, it gives the attacker the choice to encrypt certain files or even the entire device. The encrypted files then use the extension “.sophos.”
As you can see in the above screenshot, the victim is then asked to contact the attackers to decrypt their files. Unsurprisingly, the payment is made through cryptocurrency, which is a lot harder to track and pursue for the authorities than a simple bank transfer. The desktop wallpaper in Windows is also changed at this point, alerting the user that their files have been encrypted. It uses the Sophos name.
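The one concrete, observable artifact the article gives defenders is the “.sophos” extension that encrypted files receive. The script below is an added example (not code from the article, from Sophos, or from BleepingComputer) showing how a file-monitoring pipeline could turn that detail into a detection: it parses constructed rename events in an assumed line format (“timestamp host RENAME old -> new”) and raises an alert for any host where a burst of files gains the “.sophos” extension within a short window. The window size and threshold are assumptions to be tuned; a single rename to that extension is deliberately not treated as an alert, to avoid firing on one stray file.

```python
"""Flag hosts where many files gain the ".sophos" extension in a short burst.

Added example for the article above; the event format, window and threshold
are assumptions, and the sample events are constructed, not real telemetry.
"""
from collections import deque
from datetime import datetime, timedelta

RANSOM_EXT = ".sophos"          # extension reported for SophosEncrypt-encrypted files
WINDOW = timedelta(seconds=60)  # assumed burst window (tune for your environment)
THRESHOLD = 5                   # assumed minimum ".sophos" renames per window to alert

# Constructed sample of file-system rename events (not real data):
# "<ISO timestamp> <host> RENAME <old path> -> <new path>"
SAMPLE_EVENTS = """\
2023-07-17T10:00:01 ws01 RENAME C:/Users/a/Documents/q1.xlsx -> C:/Users/a/Documents/q1.xlsx.sophos
2023-07-17T10:00:02 ws01 RENAME C:/Users/a/Documents/q2.xlsx -> C:/Users/a/Documents/q2.xlsx.sophos
2023-07-17T10:00:02 ws01 RENAME C:/Users/a/Documents/notes.docx -> C:/Users/a/Documents/notes.docx.sophos
2023-07-17T10:00:03 ws01 RENAME C:/Users/a/Pictures/img1.jpg -> C:/Users/a/Pictures/img1.jpg.sophos
2023-07-17T10:00:03 ws01 RENAME C:/Users/a/Pictures/img2.jpg -> C:/Users/a/Pictures/img2.jpg.sophos
2023-07-17T10:00:04 ws01 RENAME C:/Users/a/Pictures/img3.jpg -> C:/Users/a/Pictures/img3.jpg.sophos
2023-07-17T10:05:00 ws02 RENAME C:/Users/b/draft.txt -> C:/Users/b/draft.txt.sophos
2023-07-17T10:06:00 ws02 RENAME C:/Users/b/old.txt -> C:/Users/b/old.bak
2023-07-17T10:30:00 ws03 RENAME C:/Users/c/a.txt -> C:/Users/c/b.txt
"""


def parse_event(line):
    """Parse one event line into (timestamp, host, old_path, new_path).

    Returns None for blank lines, non-rename operations or malformed lines.
    """
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    ts, host, op, rest = parts
    if op != "RENAME" or " -> " not in rest:
        return None
    old, new = rest.split(" -> ", 1)
    return datetime.fromisoformat(ts), host, old, new


def is_ransom_rename(old, new):
    """True when a file newly gains the ".sophos" extension (case-insensitive)."""
    return new.lower().endswith(RANSOM_EXT) and not old.lower().endswith(RANSOM_EXT)


def find_bursts(events_text, window=WINDOW, threshold=THRESHOLD):
    """Return {host: peak_count} for hosts with >= threshold ".sophos" renames
    inside any sliding window of the given length.
    """
    parsed = [p for p in (parse_event(l) for l in events_text.splitlines()) if p]
    parsed.sort(key=lambda p: p[0])  # events may arrive out of order; process chronologically

    recent = {}  # host -> deque of timestamps of recent ".sophos" renames
    alerts = {}  # host -> largest number of renames seen inside one window
    for ts, host, old, new in parsed:
        if not is_ransom_rename(old, new):
            continue
        q = recent.setdefault(host, deque())
        q.append(ts)
        # Drop renames that fell out of the window relative to the current event.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[host] = max(alerts.get(host, 0), len(q))
    return alerts


if __name__ == "__main__":
    for host, count in find_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {count} files renamed to {RANSOM_EXT} within {WINDOW.seconds}s")
```

On the constructed sample, only ws01 (six renames in three seconds) is flagged; ws02, with one stray “.sophos” rename, stays below the threshold, and ws03 never touches the extension. In practice the alert would be correlated with the other behaviour the article mentions, such as the wallpaper change, rather than used on its own.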
Sophos has been able to track down some information about the attackers. It said in its report, “The address has been associated for more than a year with both Cobalt Strike command-and-control and automated attacks that attempt to infect internet-facing computers with crypto-mining software.”
What can you do to stay safe at a time when ransomware attacks are on the rise? The advice is the same as usual — be careful and do not accept any files from people you don’t know. Keep in mind that even people you’re friends with could get hacked and spread malicious files under the guise of sending you something. In addition, remember that no legit cybersecurity company would ever encrypt your files and ask you to pay for their recovery, so protect yourself — if something seems off, it probably is.