Insidious ransomware takes advantage of users' faith in a well-known brand.
On July 17, researchers from the MalwareHunterTeam discovered "SophosEncrypt," a new type of ransomware that takes advantage of the good name of Sophos, a well-known cybersecurity company.
This was initially assumed to be part of the Red Team exercises of Sophos specialists. However, the X-Ops team quickly denied any involvement in this software and released a comprehensive report that included an analysis of the malware.
According to the researchers, SophosEncrypt operates on the RaaS model and comes with an easy-to-use web-based management panel. The encryptor is written in Rust and stores its libraries in the directory "C:\Users\Dubinin" on Windows. The "sophos encrypt" program is located within this directory, which is why the researchers gave the malware this name.
[Image: icon of the ransomware executable]
When launched, the encryptor prompts the attacker, an affiliate who has paid for access to the program's infrastructure, to enter a token associated with the victim, which is most likely obtained from the malware's web shell.
Once a valid token is entered, the encryptor requests the additional information needed for encryption: an email address, a Jabber address, and a 32-character password used by the algorithm. The software also lets the criminal encrypt specific files or the entire computer.
After successful encryption, the token, the email address, and the ".sophos" extension are added to the encrypted files, and a ransom note named "information.hta" is created in every folder on the system and launched automatically. The desktop wallpaper is also changed to the Sophos logo, further discrediting the company.
[Image: the wallpaper set once encryption is complete]
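The on-disk artifacts described above (a ".sophos" extension carrying a token and an email address, plus an "information.hta" note in every folder) are what a responder would look for first when triaging a suspected host. The following script is an added example, not code from the article or from Sophos: it walks a directory tree, collects files that match those artifacts, extracts the token and contact address from the file names, and returns a verdict. The report does not state how the token and email are laid out inside the file name, so the dot-separated form "<original name>.<token>.<email>.sophos" used here is an assumption, and the sample tree it scans is constructed in a temporary directory for the demo.

```python
"""Triage a directory tree for the on-disk artifacts attributed to SophosEncrypt."""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List, Set

# Artifact names taken from the report: a ".sophos" extension on encrypted
# files and an "information.hta" ransom note dropped in every folder.
RANSOM_NOTE_NAME = "information.hta"
ENCRYPTED_EXTENSION = ".sophos"

# The report says a token and an email address are added to encrypted files
# but does not give the exact layout. This regex ASSUMES a dot-separated form
# "<original name>.<token>.<email>.sophos" for demonstration purposes.
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.(?P<token>[A-Za-z0-9]+)\.(?P<email>[^@.\s]+@[^@\s]+)\.sophos$"
)


@dataclass
class Findings:
    """Everything the scan recovered that is useful to a responder."""
    encrypted: List[str] = field(default_factory=list)   # paths of *.sophos files
    notes: List[str] = field(default_factory=list)       # paths of ransom notes
    tokens: Set[str] = field(default_factory=set)        # attacker tokens seen in names
    emails: Set[str] = field(default_factory=set)        # contact addresses seen in names


def scan_tree(root: str) -> Findings:
    """Walk `root` and collect files matching the reported SophosEncrypt artifacts."""
    findings = Findings()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE_NAME:
                findings.notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXTENSION):
                findings.encrypted.append(path)
                match = ENCRYPTED_NAME_RE.match(name)
                if match:  # only when the assumed name layout is present
                    findings.tokens.add(match.group("token"))
                    findings.emails.add(match.group("email"))
    findings.encrypted.sort()
    findings.notes.sort()
    return findings


def verdict(findings: Findings) -> str:
    """Condense raw findings into a triage verdict."""
    if findings.encrypted and findings.notes:
        return "ransomware impact: encrypted files and ransom notes present"
    if findings.encrypted or findings.notes:
        return "partial indicators: investigate further"
    return "no SophosEncrypt artifacts found"


def build_sample_tree() -> str:
    """Create a CONSTRUCTED directory tree (not real victim data) for the demo."""
    root = tempfile.mkdtemp(prefix="sophosencrypt_demo_")
    layout = {
        "Documents": ["report.docx.ABC123.attacker@example.com.sophos",
                      "budget.xlsx.ABC123.attacker@example.com.sophos",
                      RANSOM_NOTE_NAME],
        "Pictures": ["holiday.jpg", RANSOM_NOTE_NAME],  # note dropped, file untouched
        "Clean": ["readme.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_tree(demo_root)
    print(verdict(result))
    for encrypted_path in result.encrypted:
        print("encrypted:", os.path.relpath(encrypted_path, demo_root))
    for note_path in result.notes:
        print("ransom note:", os.path.relpath(note_path, demo_root))
    print("tokens:", sorted(result.tokens), "emails:", sorted(result.emails))
```

The recovered token and email address are the values a responder would carry into the rest of the investigation (correlating hosts hit by the same affiliate, searching mail and chat logs for the contact address), so the scanner surfaces them separately from the raw file list.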
According to the Sophos researchers, the malware behaves more like a generic remote access Trojan than a purpose-built ransomware: its capabilities include keylogging and system profiling via WMI commands, for example.
Interestingly, the malware also checks the language settings in the system and refuses to start if they are set to Russian, raising questions about the program's authorship.
Sophos experts discovered several malware samples, some of which contained no ransomware functionality at all. All of them, however, connected to an IP address associated with the Cobalt Strike attack framework.
In their report, the Sophos researchers provided the indicators of compromise (IoCs) needed to block the malware, and they have already added detections to their own antivirus products.
This incident demonstrates that attackers frequently use deception and manipulation to mislead users. Using the well-known and respected Sophos brand to spread malware is a devious move that preys on people's trust. Such attacks are dangerous because people may launch a malicious programme without hesitation when they see a familiar name or logo.
Users must be vigilant and cautious to avoid such incidents. Even seemingly trustworthy sources should not be trusted blindly. Before running any files or programmes, double-check their origin. Be cautious and don't fall for scammers' tricks. Only a critical and rational approach will aid in the protection of your data and devices.