Who is the Hacker?
Even respected organizations can no longer be trusted at face value in the constantly changing arena of cyber threats. A dangerous ransomware-as-a-service (RaaS) operation known as SophosEncrypt is currently active and poses as the reputable cybersecurity vendor Sophos.
This malware was first identified by MalwareHunterTeam via Twitter, and Sophos has since confirmed its existence. At first, there were rumors that it might be a Sophos red team exercise, in which a group of professionals tests a company's security defenses with simulated attacks. However, it is now known that SophosEncrypt is not affiliated with Sophos in any way; it merely misuses the brand name to lend its ransom demands a false air of seriousness and urgency.
What SophosEncrypt Does to Its Victims
Following the discovery, Sophos tweeted that its endpoint security product, Sophos Intercept X, has been confirmed to protect against the malware samples identified so far.
The distribution method for this RaaS is still unknown, although the usual channels, such as phishing emails, fraudulent websites, pop-up advertising, and exploitation of software vulnerabilities, are frequently used in such campaigns. The operation is ongoing, and BleepingComputer has described how the encryptor works. Before launching the attack, the encryptor requests a token that is unique to the intended victim and validates it online. Researchers have discovered a workaround for this check, which involves turning off network connections. Once running, the operator can choose to encrypt specific files or the entire device, and the encrypted files are marked with the suffix ".sophos". The victim is then prompted to contact the attackers for file decryption.
As would be expected, payment is demanded in Bitcoin or another cryptocurrency, which is far harder for authorities to trace than a traditional bank transfer. Additionally, the Windows desktop background is replaced with a notice informing the user of the encryption, and that notice displays the Sophos name and logo.
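As an added defender-side illustration (not code from the article or from Sophos), the following Python flags hosts whose file-activity logs show a burst of files renamed with the ".sophos" suffix described above. The log line format and the sample entries are constructed assumptions, not any particular product's schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUFFIX = ".sophos"  # extension the article says the encryptor appends

# Constructed sample log (assumed format: "<ISO timestamp> <host> RENAME <old> -> <new>").
# ws-01 shows a burst of renames to *.sophos; ws-02 shows isolated, benign-looking activity.
SAMPLE_LOG = """\
2023-07-18T09:00:01 ws-01 RENAME C:\\Users\\a\\report.docx -> C:\\Users\\a\\report.docx.sophos
2023-07-18T09:00:02 ws-01 RENAME C:\\Users\\a\\budget.xlsx -> C:\\Users\\a\\budget.xlsx.sophos
2023-07-18T09:00:02 ws-01 RENAME C:\\Users\\a\\notes.txt -> C:\\Users\\a\\notes.txt.sophos
2023-07-18T09:00:03 ws-01 RENAME C:\\Users\\a\\photo.jpg -> C:\\Users\\a\\photo.jpg.sophos
2023-07-18T09:00:03 ws-01 RENAME C:\\Users\\a\\deck.pptx -> C:\\Users\\a\\deck.pptx.sophos
2023-07-18T09:05:00 ws-02 RENAME C:\\tmp\\old.log -> C:\\tmp\\old.log.sophos
2023-07-18T09:05:10 ws-02 RENAME C:\\tmp\\a.txt -> C:\\tmp\\b.txt
"""

def parse_line(line):
    """Return (timestamp, host, new_path) for a RENAME line, else None."""
    parts = line.split(" ", 3)
    if len(parts) != 4 or parts[2] != "RENAME" or " -> " not in parts[3]:
        return None
    _old, new_path = parts[3].split(" -> ", 1)
    return datetime.fromisoformat(parts[0]), parts[1], new_path

def find_encryption_bursts(log_text, threshold=5, window_seconds=60):
    """Return {host: peak_count} for hosts that renamed at least `threshold`
    files to *.sophos within any sliding window of `window_seconds`."""
    recent = defaultdict(deque)   # per-host timestamps of recent .sophos renames
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, new_path = parsed
        if not new_path.lower().endswith(SUFFIX):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[host] = max(alerts.get(host, 0), len(q))
    return alerts

if __name__ == "__main__":
    print(find_encryption_bursts(SAMPLE_LOG))   # {'ws-01': 5}
```

The threshold and window are tuning knobs; a single rename to ".sophos" on ws-02 is not reported, while the five-file burst on ws-01 is.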
According to information Sophos has gathered on the attackers, the address associated with them has been linked for more than a year to Cobalt Strike command-and-control activity and to automated attempts to infect internet-facing devices with crypto-mining software.
What To Do
The customary advice to exercise caution and avoid accepting files from unidentified sources remains crucial for protecting oneself against this growing ransomware menace. Even members of your own network could unintentionally spread dangerous files masquerading as benign communication. Additionally, keep in mind that no trustworthy cybersecurity business would ever encrypt your documents and demand money to decrypt them. The key is vigilance: if something seems suspicious, it probably is. A preventative approach is needed to protect oneself from these threats.