Cybersecurity vendor Sophos is being impersonated by a new ransomware-as-a-service called SophosEncrypt, with the threat actors using the company name for their operation.
Discovered yesterday by MalwareHunterTeam, the ransomware was initially thought to be part of a red team exercise by Sophos.
However, the Sophos X-Ops team tweeted that they did not create the encryptor and that they are investigating its launch.
“We found this on VT earlier and have been investigating. Our preliminary findings shows Sophos InterceptX protects against these ransomware samples,” tweeted Sophos.
Furthermore, ID Ransomware shows one submission from infected victims, indicating that this Ransomware-as-a-Service operation is active.
While little is known about the RaaS operation and how it is being promoted, a sample of the encryptor was found by MalwareHunterTeam, allowing us to get a quick look at how it operates.
The SophosEncrypt ransomware
The ransomware encryptor is written in Rust and uses the ‘C:\Users\Dubinin\’ path for its crates. Internally, the ransomware is named ‘sophos_encrypt,’ so it has been dubbed SophosEncrypt, with detections already added to ID Ransomware.
When executed, the encryptor prompts the affiliate to enter a token associated with the victim that is likely first retrieved from the ransomware management panel.
When a token is entered, the encryptor will connect to 179.43.154.137:21119 and verify if the token is valid. Ransomware expert Michael Gillespie found it possible to bypass this verification by disabling your network cards, effectively running the encryptor offline.
When a valid token is entered, the encryptor will prompt the ransomware affiliate for additional information to be used when encrypting the device.
This information includes a contact email, jabber address, and a 32-character password, which Gillespie says is used as part of the encryption algorithm.
The encryptor will then prompt the affiliate to encrypt one file or encrypt the entire device, as shown below.
When encrypting files, Gillespie told BleepingComputer that it uses AES256-CBC encryption with PKCS#7 padding.
Each encrypted file will have the entered token, the entered email, and the sophos extension appended to a file’s name in the format :.[[]].[[]].sophos. This is illustrated below in a test encryption by BleepingComputer.
In each folder that a file is encrypted, the ransomware will create a ransom note named information.hta, which is automatically launched when the encryption is finished.
This ransom note contains information on what happened to a victim’s files and the contact information entered by the affiliate before encrypting the device.
The ransomware also has the capability to change the Windows desktop wallpaper, with the current wallpaper boldly displaying the ‘Sophos’ brand that it is impersonating.
To be clear, this wallpaper was created by the threat actors and has no association with the legitimate Sophos cybersecurity company.
The encryptor contains numerous references to a Tor site located at http://xnfz2jv5fk6dbvrsxxf3dloi6by3agwtur2fauydd3hwdk4vmm27k7ad.onion.
This Tor site is not a negotiation or data leak site but rather what appears to be the affiliate panel for the ransomware-as-a-service operation.
Researchers are still analyzing the SophosEncrypt to see if any weaknesses could allow the recovery of files for free.
If any weaknesses, or encryption issues, are found, we will publish an update to this article.
Update 7/18/23: After publication of our story, Sophos also released a report on the new SophosEncrypt ransomware.
According to their report, the ransomware gang’s command and control server at 179.43.154.137 is also linked to Cobalt Strike C2 servers used in previous attacks.
“In addition, both samples contain a hardcoded IP address (one we did see the samples connect to),” explains Sophos’ report.
“The address has been associated for more than a year with both Cobalt Strike command-and-control and automated attacks that attempt to infect internet-facing computers with cryptomining software.”