Skip to main content

Hackers are pretending to be cybersecurity firm to lock your entire PC

As hackers come up with new ways to attack, not even trustworthy names can be taken at face value. This time, a ransom-as-a-service (RaaS) attack is being used to impersonate a cybersecurity vendor called Sophos.

The RaaS, referred to as SophosEncrypt, can take hold of your files — or even your whole PC — and requires payment to have them decrypted.

"### Encryption program – SOPHOS ###"
Sophos ransomware?

— MalwareHunterTeam (@malwrhunterteam) July 17, 2023

Initially reported by MalwareHunterTeam on Twitter, the ransomware has now been acknowledged by Sophos. The initial thought was that this may have been a red team exercise by the cybersecurity firm, which is a form of testing where a team of experts tries to breach an organization’s security system to see how the defenses hold up against attacks. However, as it turns out, SophosEncrypt has nothing to do with Sophos, other than stealing its name, perhaps to add more gravity and urgency for people to pay up.

“We found this on VT (Virus Total) earlier and have been investigating. Our preliminary findings show Sophos InterceptX protects against these ransomware samples,” said Sophos in a tweet, referring to its proprietary endpoint protection tool.

It’s currently unclear how the RaaS spreads, but some of the most common methods include phishing emails, malicious websites or popup ads, and software vulnerabilities. BleepingComputer reports that the ransomware operation is currently active, and it goes into some detail on how the file encryptor operates.

The encryptor requires a token associated with the victim, and this token is later verified online before the attack can be carried out. However, researchers found that this can be bypassed by disabling network connections. Once the tool is operational, it gives the attacker the choice to encrypt certain files or even the entire device. The encrypted files then use the extension “.sophos.”

Ransom note left by SophosEncrypt.

As you can see in the above screenshot, the victim is then asked to contact the attackers to decrypt their files. Unsurprisingly, the payment is made through cryptocurrency, which is a lot harder to track and pursue for the authorities than a simple bank transfer. The desktop wallpaper in Windows is also changed at this point, alerting the user that their files have been encrypted. It uses the Sophos name.

Sophos has been able to track down some information about the attackers. It said in its report, “The address has been associated for more than a year with both Cobalt Strike command-and-control and automated attacks that attempt to infect internet-facing computers with crypto-mining software.”

What can you do to stay safe at a time when ransomware attacks are on the rise? The advice is the same as usual — be careful and do not accept any files from people you don’t know. Keep in mind that even people you’re friends with could get hacked and spread malicious files under the guise of sending you something. In addition, remember that no legit cybersecurity company would ever encrypt your files and ask you to pay for their recovery, so protect yourself — if something seems off, it probably is.

Editors' Recommendations

Monica J. White
Monica is a UK-based freelance writer and self-proclaimed geek. A firm believer in the "PC building is just like expensive…
This Chrome extension lets hackers remotely seize your PC
A depiction of a hacker breaking into a system via the use of code.

Malicious extensions on Google Chrome are being used by hackers remotely in an effort to steal sensitive information.

As reported by Bleeping Computer, a new Chrome browser botnet titled 'Cloud9' is also capable of logging keystrokes, as well as distributing ads and malicious code.

Read more
Hackers have found a way to hack you that you’d never expect
A depiction of a hacker breaking into a system via the use of code.

A security flaw has allowed a ransomware gang to effectively prevent antivirus programs from running properly on a system.

As reported by Bleeping Computer, the BlackByte ransomware group is utilizing a newly discovered method related to the RTCore64.sys driver to circumvent more than 1,000 legitimate drivers.

Read more
A new phishing scam pretends to be your boss sending you an email
how to back up emails in outlook laptop

One of the latest email scams is a simple yet masterful ploy that gets companies to give up money under the guise of communicating with senior members of an organization within an email chain.

As reported by ZDNet, the scam is called a business email compromise (BEC) campaign and is described as a prompt where a nefarious actor, disguised as a company boss, sends an email that looks like a forwarded email chain, with instructions to an employee to send money. Targets of this type of scam are typically employees in the finance department or someone who has the ability to send wire transfers.

Read more