- January 3, 2024
- Posted by: damian
- Category: Security

In a concerning trend, ransomware groups are increasingly turning to remote encryption as a tactic, marking a significant escalation in strategies employed by financially motivated threat actors to ensure the success of their campaigns.
According to Mark Loman, Vice President of Threat Research at Sophos, the risk lies in the fact that companies can have thousands of computers connected to their networks. With remote ransomware, just one underprotected device can compromise the entire network. Loman warns that attackers actively seek out this weak spot, and most companies have at least one vulnerable entry point, making remote encryption an ongoing challenge for defenders.
Remote encryption, also known as remote ransomware, occurs when a compromised endpoint is used to encrypt data on other devices within the same network. Microsoft revealed in October 2023 that around 60% of ransomware attacks now involve malicious remote encryption, with over 80% of compromises originating from unmanaged devices.
Ransomware families supporting remote encryption include Akira, ALPHV/BlackCat, BlackMatter, LockBit, and Royal. According to Sophos, the technique has been in use since as far back as 2013, when CryptoLocker targeted network shares.
For attackers, a notable advantage of remote encryption is that it renders process-based remediation measures ineffective, because the encrypting process runs on the compromised device rather than on the machines whose files are being encrypted. Additionally, managed machines may not detect the malicious activity, since it is primarily present on unmanaged devices.
This development comes amidst broader shifts in the ransomware landscape, with threat actors adopting atypical programming languages, targeting beyond Windows systems, auctioning stolen data, and strategically launching attacks after business hours and on weekends to evade detection and response efforts.
Sophos, in a recent report, highlighted the “symbiotic – but often uneasy – relationship” between ransomware gangs and the media. This relationship serves not only to attract attention but also to control the narrative and dispute what they perceive as inaccurate coverage. Ransomware groups engage with the media by publishing FAQs and press releases on their data leak sites, correcting mistakes made by journalists, and even offering information to journalists through channels like a ‘PR Telegram channel.’
The report also points out the professionalization of cybercrime, with groups like RansomHouse actively engaging with journalists and using catchy names and slick graphics to enhance their notoriety.
While ransomware groups like Conti and Pysa are known for adopting an organizational hierarchy, evidence suggests that some groups also advertise opportunities for English writers and speakers on criminal forums. Sophos emphasizes that media engagement provides ransomware gangs with tactical and strategic advantages, allowing them to apply pressure to victims, shape the narrative, inflate their notoriety, and further ‘mythologize’ themselves.