A new ransomware family called ‘SophosEncrypt’ has been discovered that impersonates the cybersecurity firm Sophos as part of its operation. The malware is offered under a ransomware-as-a-service (RaaS) model and has already been used in attacks.
Sophos found that the threat goes beyond typical ransomware capabilities, functioning as a general-purpose remote access trojan (RAT) that can also encrypt files and generate ransom notes.
The malware communicates with its operators via email and the Jabber instant-messaging protocol, logs keystrokes by hooking the keyboard driver, and abuses WMI commands to profile the system. It also refuses to run on systems whose language is set to Russian. Sophos identified two samples of SophosEncrypt, both connecting to the same hardcoded IP address, one previously associated with a Cobalt Strike command-and-control server and with crypto-miner distribution campaigns. The ransomware appends the ‘.sophos’ extension to encrypted files and replaces the desktop wallpaper with an image bearing a green padlock logo and instructions for contacting the attackers.
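The appended ‘.sophos’ extension is the most immediately searchable indicator on an affected host. The following is an added example, not code from Sophos, SecurityWeek or the malware's authors: a Python triage sweep that walks a directory tree, lists every file carrying the extension, and scores each one by byte entropy so that a file that was merely renamed can be told apart from one whose contents were actually encrypted. The 7.5 bits-per-byte threshold, the 64 KiB sampling size and the sample directory tree are assumptions constructed for the example and are not taken from the report.

```python
"""Added triage helper (not Sophos's or the malware's code): sweep a directory
tree for files carrying the '.sophos' extension SophosEncrypt appends and
score each hit by Shannon entropy to separate genuinely encrypted files from
files that were only renamed."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".sophos"   # extension named in the report
HIGH_ENTROPY = 7.5          # bits/byte; assumed threshold, not from the report
SAMPLE_BYTES = 64 * 1024    # read at most this much of each file (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued data.
    Well-encrypted data approaches 8.0, plaintext documents sit far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sweep(root: Path) -> list[dict]:
    """Return one record per regular file under root ending in ENCRYPTED_EXT."""
    hits = []
    for path in sorted(root.rglob("*" + ENCRYPTED_EXT)):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            sample = fh.read(SAMPLE_BYTES)
        ent = shannon_entropy(sample)
        hits.append({
            "path": str(path.relative_to(root)),
            # the malware appends its extension, so the original name is what precedes it
            "original_name": path.name[: -len(ENCRYPTED_EXT)],
            "entropy": round(ent, 2),
            "likely_encrypted": ent >= HIGH_ENTROPY,
        })
    return hits


def summarize(hits: list[dict]) -> dict:
    """Count hits per directory so the spread of encryption across the tree is visible."""
    return dict(Counter(os.path.dirname(h["path"]) or "." for h in hits))


def build_sample_tree() -> Path:
    """Constructed sample data for the example; these are not real infection artefacts."""
    root = Path(tempfile.mkdtemp(prefix="sophosencrypt-triage-"))
    (root / "finance").mkdir()
    # random bytes stand in for ciphertext
    (root / "finance" / "q2.xlsx.sophos").write_bytes(os.urandom(8192))
    (root / "finance" / "budget.docx.sophos").write_bytes(os.urandom(8192))
    (root / "readme.txt").write_text("normal file, untouched\n")
    # extension present but contents are plaintext: renamed, not encrypted
    (root / "renamed.txt.sophos").write_text("A" * 4096)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = sweep(root)
    for h in hits:
        print(h)
    print(summarize(hits))
```

Run it against a real volume by passing a mounted, read-only copy of the affected filesystem as `root` instead of the constructed tree; the entropy score is a heuristic that helps prioritise recovery work, not proof of which algorithm or key was used.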
Read more: https://www.securityweek.com/new-ransomware-with-rat-capabilities-impersonating-sophos/