Novel SophosEncrypt RaaS operation emerges

BleepingComputer reports that threat actors have established the new SophosEncrypt ransomware-as-a-service operation, which was initially believed by MalwareHunterTeam to be included within Sophos' red team unit before being debunked by the cybersecurity provider's X-Ops team. Sophos noted that initial findings from an investigation of SophosEncrypt revealed that the operation's ransomware samples could be detected by Sophos InterceptX. Further investigation by BleepingComputer showed that SophosEncrypt's Rust-based encryptor seeks valid victim-related tokens to facilitate the data encryption process. Aside from creating a ransom note for every folder with encrypted files, SophosEncrypt also replaces the impacted device's wallpaper to show a message indicating system-wide data encryption with the Sophos logo. Meanwhile, a report by Sophos showed a connection between SophosEncrypt's command-and-control server with known Cobalt Strike C2 servers. "In addition, both samples contain a hardcoded IP address (one we did see the samples connect to). The address has been associated for more than a year with both Cobalt Strike command-and-control and automated attacks that attempt to infect internet-facing computers with cryptomining software," said Sophos.