cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Ransomware operators are increasingly using remote encryption in their attacks

Researchers at Sophos have spotted a scary new trend among cyber criminals.

user icon David Hollingworth
Thu, 21 Dec 2023
Ransomware operators are increasingly using remote encryption in their attacks
expand image

Ransomware attacks may have dropped off in the last few months, but many of the most prolific threat actors are switching up their tactics to include remote encryption.

According to research from Sophos, some of the larger operators are increasingly using remote encryption techniques as part of their attacks. This includes threat actors such as Akira, ALPHV/BlackCat, LockBit, Royal, and Black Basta – all of whom have been very active in 2023 and nearly all of whom have been active in Australia.

What makes remote encryption such a threat is right there in the name – it can remotely encrypt files across a network via a single unprotected endpoint. Based on the results of Sophos’ own CryptoGuard tech – which it acquired in 2015 – Sophos has seen such attacks rise by 62 per cent year on year since 2022.


Given the remote nature of the attack, it’s difficult for some anti-ransomware software to even spot the attack as it is happening.

“Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one under-protected device to compromise the entire network,” said Mark Loman, vice-president of threat research at Sophos, in a statement. “Attackers know this, so they hunt for that one ‘weak spot’ – and most companies have at least one. Remote encryption is going to stay a perennial problem for defenders, and, based on the alerts we’ve seen, the attack method is steadily increasing.”

“Remote ransomware is a prominent problem for organisations, and it is contributing to the longevity of ransomware in general. Given that reading data over a network connection is slower than from a local disk, we have seen attackers, like LockBit and Akira, strategically encrypt only a fraction of each file,” Loman said.

“This approach aims to maximise impact in minimal time, further reducing the window for defenders to notice the attack and respond. Sophos’ approach to anti-ransomware technology stops both remote attacks and those that encrypt just 3 per cent of a file. We’re hoping to inform defenders about this persistent attack method so they can properly protect devices.”

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.