The SophosEncrypt ransomware-as-a-service (RaaS) threat has emerged, after flying under the radar by impersonating cybersecurity vendor Sophos.
The incident was discovered by MalwareHunterTeam (@malwrhunterteam), which posted a series of four images on Twitter with the caption "'### Encryption program -SOPHOS ###' Sophos ransomware?" In response, Sophos (@SophosXOps) tweeted back: "Thanks @malwrhunterteam for the heads up, we found this on [VirusTotal] VT earlier and have been investigating."
Because the operators used the vendor's name and disguised the malware's true identity, security researchers originally believed that the ransomware was part of a red-team exercise conducted by Sophos itself. Now that the truth is revealed and an investigation is underway, Sophos has begun working on a "targeted detection rule for Sophos endpoint security products."
In its report, Sophos also noted that the ransomware executable is a bit dated in regard to its functionality and acts more as a "general-purpose remote access trojan (RAT)" that also has the "capacity to encrypt files and generate these ransom notes." The ransomware encryptor is written in Rust, has multiple references to a Tor website that leads to an affiliate panel for the ransomware operation, and has a command-and-control server (C2) that is linked to Cobalt Strike C2 servers that have been used in past attacks.