
July 19, 2023 |

“All your files have been encrypted!”...by Sophos?


Researchers recently discovered a new Ransomware-as-a-Service (RaaS) dubbed SophosEncrypt, so named because it misuses the logo and brand of the cybersecurity firm Sophos. Sophos has confirmed that the ransomware is not one of its red team tools and has no affiliation with the company. Little is known about the overall RaaS operation; however, researchers were able to obtain a sample of the ransomware for analysis.

When the ransomware is executed, the attacker is prompted to enter a token associated with the intended victim. It then connects to IP address 179.43.154.137:21119 to verify the token's validity.

Researchers noted that this check can be bypassed by disabling the network adapters on the victim’s device, which lets the encryptor run offline. The encryptor then prompts the operator for additional information used during encryption: a contact email address, a Jabber address, and a 32-character password that is likely used as an input to the file encryption.

During encryption, the token, the email address, and a “sophos” extension are appended to the name of every encrypted file. A ransom note bearing Sophos’s logo is dropped, instructing victims how to pay in return for the decryption of their files.
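The two host-observable indicators above (the token-validation connection and the renamed files) are the ones a responder would hunt for first. The following is an added example, not code from the original article, Bleeping Computer, or Field Effect: it checks constructed firewall log lines for connections to 179.43.154.137:21119 and parses constructed file names for the appended token and email. The log line format and the exact order in which the three fields are appended (assumed here to be original-name.token.email.sophos) are assumptions; the article only states that the token, email and extension are appended.

```python
"""Hunting helpers for the SophosEncrypt indicators described in the article.

Added example (not code from the article or from Field Effect).
Assumptions not stated in the article:
  * the firewall log format is a constructed "timestamp ACTION proto src -> dst" line;
  * encrypted files are renamed <original>.<token>.<email>.sophos and the token is
    alphanumeric; the article says only that the three fields are appended.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Indicator from the article: the server the encryptor uses to validate its token.
C2_ADDRESS = "179.43.154.137"
C2_PORT = 21119

# Constructed sample firewall log (not from any real incident).
SAMPLE_FW_LOG = """\
2023-07-18T09:12:01Z ALLOW tcp 10.0.4.22:51332 -> 142.250.72.14:443
2023-07-18T09:12:07Z ALLOW tcp 10.0.4.22:51340 -> 179.43.154.137:21119
2023-07-18T09:12:09Z DENY  tcp 10.0.4.23:49155 -> 179.43.154.137:21119
2023-07-18T09:13:44Z ALLOW udp 10.0.4.22:53211 -> 10.0.0.1:53
"""

FW_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class C2Hit:
    timestamp: str
    src: str
    action: str


def find_c2_connections(log_text: str) -> List[C2Hit]:
    """Return every log line whose destination is the token-validation server.

    DENY lines are reported as well as ALLOW lines: a blocked connection still
    means the encryptor was started on that host, and the article notes that
    the encryptor keeps running when it has no network.
    """
    hits: List[C2Hit] = []
    for line in log_text.splitlines():
        m = FW_LINE.match(line)
        if m and m["dst"] == C2_ADDRESS and int(m["dport"]) == C2_PORT:
            hits.append(C2Hit(m["ts"], m["src"], m["action"]))
    return hits


# Assumed layout of a renamed file: <original name>.<token>.<email>.sophos
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+)\.(?P<token>[A-Za-z0-9]+)\.(?P<email>[^\s@]+@[^\s]+?)\.sophos$",
    re.IGNORECASE,
)

# Constructed sample paths (not from any real incident).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\Q3-forecast.xlsx.A1B2C3D4.contact@example.net.sophos",
    r"C:\Users\alice\Documents\notes.txt",
    r"\\fileserver\share\db-backup.bak.A1B2C3D4.contact@example.net.sophos",
    r"C:\Users\alice\Desktop\readme.hta",
]


@dataclass
class EncryptedFile:
    path: str
    original_name: str
    token: str
    email: str


def find_encrypted_files(paths: List[str]) -> List[EncryptedFile]:
    """Parse the appended token and email out of every file name that matches."""
    found: List[EncryptedFile] = []
    for p in paths:
        name = re.split(r"[\\/]", p)[-1]  # last path component, Windows or UNC
        m = ENCRYPTED_NAME.match(name)
        if m:
            found.append(EncryptedFile(p, m["orig"], m["token"], m["email"]))
    return found


def extract_iocs(files: List[EncryptedFile]) -> Set[Tuple[str, str]]:
    """Distinct (token, email) pairs, which identify the affiliate/victim pairing."""
    return {(f.token, f.email) for f in files}


if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_FW_LOG):
        print(f"token-validation contact: {hit.timestamp} {hit.src} {hit.action}")
    encrypted = find_encrypted_files(SAMPLE_PATHS)
    for f in encrypted:
        print(f"encrypted: {f.path} (was {f.original_name})")
    print("IOC pairs:", extract_iocs(encrypted))
```

The token and email recovered from file names can be matched against the ransom note and used to group hosts hit by the same affiliate; the firewall check is deliberately not limited to ALLOW lines because a blocked token check does not stop encryption.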

Sample ransom note wallpaper (Source: Bleeping Computer)

Researchers are still analyzing the SophosEncrypt sample to identify any weaknesses that could allow victims to recover their files for free.

Source: Bleeping Computer

Analysis

The use of Sophos’s name and logo may have been intended to trick users into believing that the ransomware is a legitimate penetration-testing tool, or to help the malware evade anti-virus products that whitelist Sophos software. Since Sophos has confirmed that its own anti-virus products detect SophosEncrypt, the actors failed if that was the goal.

Another explanation is that the association with Sophos was deliberately intended to discredit Sophos as a company and sow confusion among its users, for example if Sophos previously detected or disrupted a ransomware campaign run by the same actors, who now hold a grudge.

Regardless, it’s highly likely that Sophos has prioritized investigating this ransomware due to its name and will be highly motivated to identify the group behind the attack and develop a decryptor to neutralize the threat it poses.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for new and emerging ransomware and RaaS groups. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate any threats these groups may pose. Covalence users are automatically notified when ransomware is detected in their environment and are encouraged to review these AROs as quickly as possible.

Field Effect encourages users to maintain timely backups of their data and store these backups on a separate network. Users should also practice the process of restoring files from backups to ensure it can be done effectively and efficiently during a real incident.
