Remote encryption: complex ransomware gaining ground in the world of cybercrime
The expression 'you can't be too careful' has never made so much sense in the cybersecurity market. As if existing and constantly updated attack techniques weren't keeping experts and defenders busy enough, over the past year we've seen the rise of a ransomware method that, since 2022, has seen a 62% annual increase: remote encryption.
This figure comes from the study CryptoGuard: An Asymmetric Approach to the Ransomware Battle, conducted by Sophos, a company I lead in Brazil.
Remote ransomware has greater scalability and tends to impact multiple organizations at once.
The name of this tactic is suggestive, but just to get us all on the same page: remote ransomware is a complex type of attack that takes advantage of vulnerable endpoints to encrypt data on the victim's network. An important point is that, even if a company has thousands of computers connected to the network, a single unprotected device is enough to compromise it entirely.
Precisely for this reason, attackers target this 'weak point' – and truth be told, most companies have at least one.
The remote ransomware process is like a domino effect: once the attacker gains control of the victim's endpoint, they can use that device to encrypt files held on other devices on the same network or domain.
The entire attack process, from penetration to payload download and encryption, takes place on the compromised endpoint, and the traces left are very few, almost unidentifiable – the only clue that may draw attention is the transfer of files to or from the compromised endpoint.
Cybercriminals have given preference to these remote ransomware attacks precisely because of the scalability they allow – which, at the same time, makes them even more dangerous for organizations, as a single compromised endpoint can put the entire company network at risk – regardless of whether the other devices have advanced security solutions.
Furthermore, because the encryption is performed remotely, traditional anti-ransomware protection on the devices whose files are being encrypted sees no malicious process running locally; it does not detect the activity and, consequently, is unable to protect the files or prevent data loss.
While remote encryption is likely to remain an ongoing issue for organizations, all is not lost. There are measures that can and should be adopted to protect yourself from possible threats, the main one being relying on tools that can identify these tactics before the damage is done. Products of this type are not programmed to look for ransomware; they focus on the files themselves, examining documents and detecting signs of manipulation and encryption.
Focusing on files reduces the attackers' power and raises the cost and complexity for criminals to continue their mission to encrypt data, to the point that they abandon their plans midway. Another positive point of these solutions is that the strategy does not depend on indicators of compromise, threat signatures, artificial intelligence, cloud lookups or prior knowledge of the attacker to be effective.
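To make the file-focused approach concrete, the following added example (written for this article, not Sophos code and not CryptoGuard's actual logic) judges each overwrite of a file by its content alone: a known file signature disappearing under bytes that look uniformly random is treated as encryption in place. It also counts suspicious writes per originating host, because in the remote scenario described above the only observable trace is the stream of file writes arriving from one client. The signature table, thresholds, sample file contents, paths and the client address 10.0.0.23 are all constructed for illustration.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Illustrative table of file-type signatures; a real product covers far more types (assumption).
KNOWN_MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG\r\n\x1a\n": "png",
}

ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext and compressed data sit close to 8.0


@dataclass
class WriteEvent:
    path: str
    origin: str    # host that issued the write: "local" or a remote client address
    before: bytes  # content on disk prior to the write
    after: bytes   # content after the write


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_type(data: bytes):
    """Return the file type implied by the leading bytes, or None if no signature matches."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def assess_write(before: bytes, after: bytes) -> dict:
    """Judge one overwrite by content alone. A recognised header vanishing under
    high-entropy bytes is the combination treated as encryption in place."""
    old_type, new_type = identify_type(before), identify_type(after)
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    header_lost = old_type is not None and new_type is None
    reasons = []
    if header_lost:
        reasons.append(f"{old_type} signature replaced by unrecognised bytes")
    if e_after >= ENTROPY_THRESHOLD:
        reasons.append(f"entropy {e_before:.2f} -> {e_after:.2f} bits/byte")
    # Entropy alone is not enough: a re-saved zip is high-entropy but keeps its header.
    return {"suspicious": header_lost and e_after >= ENTROPY_THRESHOLD, "reasons": reasons}


def summarise(events):
    """Count suspicious overwrites per originating host, so one remote client rewriting
    many files stands out even though no agent runs on that client."""
    counts = {}
    for ev in events:
        if assess_write(ev.before, ev.after)["suspicious"]:
            counts[ev.origin] = counts.get(ev.origin, 0) + 1
    return counts


# Constructed sample content (not real files): a small text PDF and a zip-like blob.
SAMPLE_PDF = b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\nQuarterly report text.\n" * 40
SAMPLE_ZIP = b"PK\x03\x04" + bytes(range(256)) * 4
SAMPLE_ZIP_RESAVED = b"PK\x03\x04" + bytes(range(255, -1, -1)) * 4
# Uniform bytes stand in for ciphertext: entropy is exactly 8.0 and no signature matches.
CIPHERTEXT_LIKE = bytes(range(256)) * 16

# Constructed write events: one local edit, two remote overwrites, one benign re-save.
EVENTS = [
    WriteEvent("/share/finance/q1.pdf", "local", SAMPLE_PDF, SAMPLE_PDF + b"\n% annotated\n"),
    WriteEvent("/share/finance/q2.pdf", "10.0.0.23", SAMPLE_PDF, CIPHERTEXT_LIKE),
    WriteEvent("/share/finance/q3.pdf", "10.0.0.23", SAMPLE_PDF, CIPHERTEXT_LIKE),
    WriteEvent("/share/build/out.zip", "10.0.0.40", SAMPLE_ZIP, SAMPLE_ZIP_RESAVED),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.path, ev.origin, assess_write(ev.before, ev.after))
    print(summarise(EVENTS))
```

The design choice worth noting is that neither check works alone: a recompressed archive is as high-entropy as ciphertext, and a header can change legitimately when a file is converted to another format, so the verdict requires both a lost signature and near-uniform bytes. That is what lets the check run without any signature of the attacker, and why it also applies to the device receiving writes from a compromised client elsewhere on the network.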
One more recommendation I can give to companies to avoid this type of attack is to understand and deploy modern endpoint defense solutions on every device employees use within the network, together with network detection and response services that monitor traffic, identify unprotected devices, and detect unauthorized assets in the environment. Still within this tip, an essential aspect is educating all employees about the importance of these protections. By promoting everyone's awareness, companies can avoid major losses.
Finally, you may also want to put in place a layered security program, with backups of systems and data, incident detection and response capabilities, and attack surface management. Strong authentication also remains essential, along with a Zero Trust framework and network segmentation.
We live in a period full of challenges when it comes to cybersecurity – both in the corporate world and for end consumers. However, although scammers and attacker families are constantly developing, we, the defenders, are also increasingly equipped with the knowledge and tools that allow us to detect and intercept them. It is a constant battle, one we will never give up, and we will never stop informing society about every new development.