In the complex world of cyber threats, it’s vital to stay updated on the latest tactics, techniques, and procedures (TTPs) employed by threat actors. Today, we explore a recent ransomware-as-a-service (RaaS) threat named SophosEncrypt, which has managed to fly under the radar by impersonating cybersecurity vendor Sophos. This incident was discovered by MalwareHunterTeam and has since been investigated by Sophos.
The Threat
SophosEncrypt is a unique ransomware threat that initially fooled security researchers into believing it was part of a red-team exercise conducted by Sophos itself. This was due to the threat actors using the vendor’s name and disguising the malware’s true identity. However, upon further investigation, the true malicious nature of the ransomware was revealed.
The ransomware executable is somewhat dated in its functionality, acting more as a “general-purpose remote access trojan (RAT)” that also has the “capacity to encrypt files and generate ransom notes.” The ransomware encryptor is written in Rust, has multiple references to a Tor website leading to an affiliate panel for the ransomware operation, and has a command-and-control server (C2) linked to Cobalt Strike C2 servers used in past attacks.
MITRE ATT&CK TTPs
The threat actors used a variety of tactics and techniques that align with the MITRE ATT&CK framework. These include:
- Masquerading (T1036): The threat actors impersonated the cybersecurity vendor Sophos to disguise the malware’s true identity.
- Command and Control Infrastructure (T1583): The ransomware has a command-and-control server (C2) linked to Cobalt Strike C2 servers used in past attacks.
Indicators of Compromise (IOCs)
At this time, specific IOCs related to SophosEncrypt have not been provided. However, the presence of unexpected network traffic related to Sophos or unusual encryption activities could be potential signs of compromise.
Conclusion
This activity serves as a reminder of the importance of maintaining up-to-date systems and being aware of the latest threats. It also highlights the lengths to which threat actors will go to disguise their malicious activities, including impersonating reputable cybersecurity vendors.
Further Reading
For more information on this topic, please refer to the original article by Dark Reading.