SophosEncrypt ransomware impersonates cybersecurity firm Sophos

A new ransomware-as-a-service called SophosEncrypt is impersonating cybersecurity giant Sophos, using the company name for its malicious activities.

The ransomware was initially mistaken for a red team exercise by Sophos, but the Sophos X-Ops team confirmed that they did not create the encryptor and are currently investigating its origin.

Sophos, upon discovering the ransomware on VT (VirusTotal), has been conducting a thorough investigation. They have preliminarily determined that Sophos InterceptX provides protection against these ransomware samples, as stated in their tweet.

In addition, ID Ransomware has received submissions from infected victims, indicating that this active Ransomware-as-a-Service operation is underway.

Although there is limited information available regarding the promotion and operation of this RaaS, MalwareHunterTeam managed to obtain a sample of the encryptor, offering a glimpse into its functioning.

Named SophosEncrypt due to its internal name, the ransomware encryptor is coded in Rust and utilises the 'C:\Users\Dubinin' path for its crates. It has already been identified and added to ID Ransomware's detections.

Moreover, the ransomware possesses the capability to modify the Windows desktop wallpaper, boldly displaying as the 'Sophos' brand that it is masquerading.