SophosEncrypt: Researchers expose new ransomware abusing the Sophos name

Researchers expose a new ransomware abusing 'Sophos' name


The executable uses 'Sophos' in the ransom notice and the '.sophos' extension for encrypted files

Cybersecurity researchers have uncovered a new ransomware-as-a-service (RaaS) called 'SophosEncrypt' that has been disguising itself as the well-known cybersecurity provider Sophos, thus masking its true identity and intentions.

The initial disclosure of the new ransomware came from MalwareHunterTeam.

At first, the new ransomware was believed to be a part of a red team exercise conducted by Sophos. However, the Sophos X-Ops team was quick to clarify that they were not responsible for creating the encryptor.

Sophos said an investigation was already underway to understand the origins and intentions behind the new ransomware.

ID Ransomware also revealed a single sample submission from a victim who fell prey to the ransomware, indicating that the RaaS operation is currently active and causing infections.

Internally, the ransomware's executable is named 'sophos_encrypt', hence the name SophosEncrypt.

On Tuesday, Sophos published a comprehensive report on the SophosEncrypt ransomware.

The firm said a Sophos X-Ops analyst discovered the new executable during a routine search on VirusTotal aimed at identifying emerging ransomware variants.

As researchers delved deeper into SophosEncrypt, they made some crucial findings about its operation and functionalities.

The executable displayed "Sophos" in the user interface of the panel, which was used to alert victims that their files had been encrypted. Additionally, it employed the ".sophos" extension for the encrypted files.

Sophos said the ransomware executable is compiled using MinGW and incorporates linked Rust libraries. However, some peculiar characteristics set SophosEncrypt apart from typical ransomware campaigns.

First, analysis of one sample revealed that the executable possesses capabilities extending beyond merely encrypting files.

Second, the ransomware's methods of communicating with the attacker - email and the Jabber instant messenger platform - are no longer employed by most ransomware groups, the researchers said.

However, like other ransomware strains, it skips specific directories so that it neither breaks the system's boot process nor wastes effort on unimportant files. It also checks the system's language settings and refuses to execute if the machine is set to use the Russian language.

Researchers examining a second sample of SophosEncrypt found that it exhibited fewer atypical ransomware features compared to the first sample.

However, both samples established connections over the internet to a command-and-control server address, with the connection referencing an address on the Tor (.onion) dark web.

Both samples also contained a hardcoded IP address, which has been associated with Cobalt Strike command-and-control activities.

Sophos said the samples have been designed to be executed in the Windows command line. When run in the Windows Command Prompt application, the ransomware prompts the RaaS affiliate to input specific information, configuring the ransomware's behaviour and determining the contents of the ransom note it eventually drops on the victim's system.

The program initiates a prompt for the RaaS affiliate to input specific information, which includes: "password encrypted (32 characters)", "token", "email address", and "Jabber instant messaging account address".

Upon entering this information, the interactive program presents the affiliate with three options:

1. "Encrypt all files on the hard drive"
2. "Encrypt a single drive letter"
3. "Quit the program"

If the affiliate chooses either the "single" or "all" options, the ransomware proceeds to encrypt the files as instructed and renames the encrypted files using the "token" value in their filenames.

Furthermore, the ransomware adds the provided email address and Jabber address to the ransom note, which is in the form of an HTML Application (.hta file).
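The two file-system indicators described above (the ".sophos" extension with the affiliate token in renamed filenames, and an .hta ransom note) can be turned into a simple incident-triage helper. The following is an added example written for this article, not Sophos's or the ransomware's code: the sample paths and the token value are constructed, and the token-inference step is a heuristic (the longest string shared by all renamed filenames), since the report does not document the exact rename format.

```python
from collections import Counter
from pathlib import PureWindowsPath

ENCRYPTED_SUFFIX = ".sophos"   # extension reported for encrypted files
NOTE_SUFFIX = ".hta"           # ransom note is dropped as an HTML Application
MIN_TOKEN_LEN = 8              # assumption: affiliate tokens are reasonably long

def longest_common_substring(strings):
    """Longest substring shared by every string (brute force; fine for triage-sized sets)."""
    shortest = min(strings, key=len)
    candidates = {shortest[i:j]
                  for i in range(len(shortest))
                  for j in range(i + 1, len(shortest) + 1)}
    common = [s for s in candidates if all(s in other for other in strings)]
    return max(common, key=len) if common else ""

def infer_token(encrypted_paths):
    """Heuristic (assumption, not a documented format): the affiliate 'token' is the
    longest string shared by all renamed filenames once separators are stripped."""
    stems = [PureWindowsPath(p).stem for p in encrypted_paths]
    if len(stems) < 2:
        return None  # nothing to compare against
    token = longest_common_substring(stems).strip("._- ")
    return token if len(token) >= MIN_TOKEN_LEN else None

def triage(paths):
    """Classify a filesystem listing and summarise SophosEncrypt indicators."""
    encrypted, notes = [], []
    for raw in paths:
        suffix = PureWindowsPath(raw).suffix.lower()
        if suffix == ENCRYPTED_SUFFIX:
            encrypted.append(raw)
        elif suffix == NOTE_SUFFIX:
            notes.append(raw)  # candidate ransom note; confirm by content
    affected_dirs = Counter(str(PureWindowsPath(e).parent) for e in encrypted)
    return {"encrypted": encrypted, "ransom_notes": notes,
            "affected_dirs": affected_dirs, "token_candidate": infer_token(encrypted)}

# Constructed sample listing (not from a real incident); the token value is made up.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.ABCD1234TOKEN.sophos",
    r"C:\Users\alice\Documents\budget.xlsx.ABCD1234TOKEN.sophos",
    r"C:\Users\alice\Pictures\photo.jpg.ABCD1234TOKEN.sophos",
    r"C:\Users\alice\Desktop\information.hta",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    print(f"encrypted: {len(result['encrypted'])}, notes: {len(result['ransom_notes'])}, "
          f"token: {result['token_candidate']}")
    for directory, count in result["affected_dirs"].most_common():
        print(f"  {count:>4}  {directory}")
```

On a real host, feed `triage` the output of a directory walk; the per-directory counts show how far encryption spread and the inferred token ties files in different folders to one affiliate run.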

During the testing phase, it was found that the ransomware incorporates a validation mechanism to verify the affiliate's permission before executing on a computer connected to the internet. In other words, the ransomware attempts to ensure that the person running it has the authority to initiate the encryption process.

"In our tests, the ransomware also was capable of performing encryption tasks when it was run on a computer not connected to the internet," Sophos added.