SophosEncrypt Ransomware Fools Security Researchers
The ransomware-as-a-service offering was first assumed to be a red-team exercise before being detected for true malicious activity.
The SophosEncrypt ransomware-as-a-service (RaaS) threat has emerged, after flying under the radar by impersonating cybersecurity vendor Sophos.
The incident was discovered by MalwareHunterTeam (@malwrhunterteam), which posted a series of four images on Twitter with the caption "'### Encryption program -SOPHOS ###' Sophos ransomware?" In response, Sophos (@SophosXOps) tweeted back: "Thanks @malwrhunterteam for the heads up, we found this on [VirusTotal] VT earlier and have been investigating."
Because the operators used the vendor's name and disguised the malware's true identity, security researchers originally believed that the ransomware was part of a red-team exercise conducted by Sophos itself. Now that the truth has been revealed and an investigation is underway, Sophos has begun working on a "targeted detection rule for Sophos endpoint security products."
In its report, Sophos also noted that the ransomware executable is somewhat dated in terms of functionality and acts more as a "general-purpose remote access trojan (RAT)" that also has the "capacity to encrypt files and generate these ransom notes." The ransomware encryptor is written in Rust, contains multiple references to a Tor website that leads to an affiliate panel for the ransomware operation, and uses a command-and-control (C2) server that is linked to Cobalt Strike C2 servers used in past attacks.