The ransomware-as-a-service offering was first assumed to be a red-team exercise before being detected for true malicious activity.

Dark Reading Staff, Dark Reading

July 19, 2023

[Image: photo illustration of the Sophos logo on a smartphone against a computer-code backdrop. Source: Igor Golovnov via Alamy Stock Photo]

The SophosEncrypt ransomware-as-a-service (RaaS) threat has emerged, after flying under the radar by impersonating cybersecurity vendor Sophos.

The incident was discovered by MalwareHunterTeam (@malwrhunterteam), which posted a series of four images on Twitter with the caption "'### Encryption program -SOPHOS ###' Sophos ransomware?" In response, Sophos (@SophosXOps) tweeted back: "Thanks @malwrhunterteam for the heads up, we found this on [VirusTotal] VT earlier and have been investigating."

Because the operators used the vendor's name and disguised the malware's true identity, security researchers originally believed that the ransomware was part of a red-team exercise conducted by Sophos itself. Now that the activity has been confirmed as malicious and an investigation is underway, Sophos has begun working on a "targeted detection rule for Sophos endpoint security products."

In its report, Sophos also noted that the ransomware executable is somewhat dated in its functionality and acts more as a "general-purpose remote access trojan (RAT)" that also has the "capacity to encrypt files and generate these ransom notes." The ransomware encryptor is written in Rust, contains multiple references to a Tor website that leads to an affiliate panel for the ransomware operation, and uses a command-and-control (C2) server that is linked to Cobalt Strike C2 servers used in past attacks.
