Remote ransomware: What it is and how to stop it


Remote ransomware, also known as malicious remote encryption, is a complex attack that uses compromised endpoints to encrypt data throughout a victim’s network. According to a recent analysis by Sophos, remote ransomware is used in about 60% of human-operated ransomware attacks, and it is a significant threat to organizations that are unprepared or rely on lackluster endpoint security.

What is remote ransomware?

Once an attacker with ransomware in mind gains control of a networked endpoint, they use that compromised endpoint to encrypt data on other devices on the same network. That is what remote ransomware attacks are all about. What makes remote ransomware so treacherous for organizations is that the attacker avoids triggering the target device’s security defenses: ingress analysis and blocking, payload execution, and encryption all take place on the endpoint they have already compromised, not on the device whose files are being encrypted.

The newly targeted device never sees it coming. One of the primary signs of a remote ransomware attack, says Sophos, is the unusual transmission of documents to and from the compromised device.

Once attackers succeed in compromising a device, they can leverage the organization’s domain architecture to encrypt data on managed, domain-joined machines. All the malicious activity – ingress, payload execution, and encryption – occurs on the already-compromised machine, thereby bypassing modern security stacks on the victims. The only indication of compromise is the transmission of documents to and from other machines.

Notably, and not surprisingly, 80% of these attacks originate from unmanaged devices within the network.

The prevalence and danger of remote ransomware

Cybercriminals favor remote ransomware attacks because they can scale. This scalability also makes these attacks dangerous to enterprises. That’s because a single vulnerable endpoint will jeopardize an entire organization's network, even if all other devices are protected by advanced security protections. Attackers are also not limited to specific ransomware variants, as many well-known families like WannaCry, Ryuk, and LockBit all support remote encryption capabilities.

Traditional endpoint security products often fail to spot and stop remote ransomware attacks because they focus on detecting malicious files and processes on the protected endpoint. In a remote ransomware attack, however, the malicious processes run on the compromised machine, not on the endpoint whose files are being encrypted, so these products are ineffective at stopping the encryption from spreading across networked endpoints.

Sophos recommends organizations seek security tools that can identify remote ransomware tactics and stop those tactics before damage can be done.

Tools required to stop remote ransomware

Enterprises should seek modern endpoint tools that are designed to defend against remote encryption attacks. Such tools would analyze data files for signs of malicious encryption, regardless of where the processes are running. This enables the security technology to effectively stop all forms of ransomware, including remote attacks and even new, unknown variants.

The capabilities enterprises should seek include:

  • Detecting malicious encryption by analyzing file content with mathematical algorithms.
  • Blocking both local and remote ransomware attacks by focusing on the content of files rather than the presence of malicious code.
  • Automatically rolling back malicious encryption by creating temporary backups of files and restoring them to their unencrypted state.
  • Automatically blocking remote devices attempting to encrypt files on the victim's machine.
  • Protecting the master boot record from encryption or wiping attacks.
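As an added illustration of the first, second and fourth capabilities above (this is example code, not Sophos' or any product's implementation): a Python sketch that judges a file write by the bytes being written, using Shannon entropy and a chi-square test against a uniform byte distribution, and that treats ciphertext arriving over a remote session as the remote-ransomware pattern. The thresholds, the `remote_writer` label, the compressed-format magic list and the sample documents are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Assumed thresholds: ciphertext nears 8 bits/byte with a near-uniform histogram
# (chi-square about 255 for 256 bins); English text sits around 4-5 bits/byte.
ENTROPY_THRESHOLD = 7.5
CHI_SQUARE_THRESHOLD = 400.0
# Legitimately high-entropy containers (zip/docx, gzip, PNG, JPEG) must not be read as ciphertext.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def chi_square(data: bytes) -> float:
    """Chi-square distance of the byte histogram from uniform (smaller = more random)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def classify_content(data: bytes) -> str:
    """Judge the bytes alone as 'compressed', 'encrypted' or 'plain'; no process is inspected."""
    if data.startswith(COMPRESSED_MAGIC):
        return "compressed"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD and chi_square(data) <= CHI_SQUARE_THRESHOLD:
        return "encrypted"
    return "plain"

def assess_write(data: bytes, remote_writer: str = "") -> str:
    """Decision for one file write; remote_writer names the host behind an SMB-style
    session, or is empty when a local process wrote the file."""
    if classify_content(data) != "encrypted":
        return "allow"
    # Ciphertext arriving from another host is the remote-ransomware pattern: the malicious
    # process never runs here, so the only lever is to block that remote writer.
    return f"block-remote:{remote_writer}" if remote_writer else "quarantine-local-writer"

def pseudo_ciphertext(size: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 chain) so the example runs offline."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])

# Constructed samples: a plain document, its "encrypted" form, and a zip-like archive.
PLAIN_DOC = b"Quarterly report: revenue grew and costs were contained. " * 80
ENCRYPTED_DOC = pseudo_ciphertext(len(PLAIN_DOC))
ZIP_LIKE = COMPRESSED_MAGIC[0] + pseudo_ciphertext(4000)
```

Content statistics alone cannot separate ciphertext from compressed data beyond the magic-byte check, so a real product combines them with rate of modification, extension changes and the origin session, as the rollback and remote-blocking capabilities above imply.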

Of course, preventing and mitigating the impact of remote ransomware attacks also takes good cybersecurity hygiene. That includes effective firewall configuration: blocking suspect IP addresses, employing geo-filtering, restricting outbound traffic, and regularly reviewing firewall rules so that they are as tight as possible.

Other effective measures include implementing a layered security program that includes attack surface management, security awareness training, system and data backups, and ample incident detection and response capabilities.

Other considerations include strong authentication, including potentially a zero-trust architecture, and network segmentation.

To ensure comprehensive protection, organizations should deploy modern endpoint defenses across all endpoints and use network detection and response (NDR) capabilities to monitor network traffic, identify unprotected devices, and detect rogue assets within the environment. Organizations not currently taking such steps are at a higher risk of falling victim to remote ransomware attacks.

Remote ransomware represents a significant threat to organizations due to its ability to spread rapidly across networks from a single compromised endpoint. Sophos recommends focusing on the behavior of file encryption rather than just malicious code to beat this growing cybersecurity challenge.
