Ransomware is one of the most significant threats facing organizations today. Battling it is no easy task, particularly given that threat actors are continually refining their techniques and approaches.
At the end of 2023, Sophos X-Ops noted a significant increase in ‘remote encryption’ attacks – where ransomware attackers breach a compromised and often under protected endpoint to encrypt data on other devices connected to the same network.
This trend has only accelerated, with Sophos X-Ops now reporting a 50% year-over-year increase in remote ransomware attacks in 2024. That represents a 141% rise since 2022, underscoring the prevalence of this threat.
Remote encryption was relatively low throughout 2022 and the first half of 2023, but it increased significantly in the latter half of 2023. Since then, it’s remained at relatively high levels (albeit with some ups and downs).
Rising Trend of Remote Ransomware
While remote encryption is not new, it has become increasingly common among modern ransomware groups since it can bypass many endpoint security products. That’s because the files are encrypted out of view of defensive capabilities, such as memory scanning and behavior monitoring.
Microsoft’s 2023 Digital Defense Report, observed that around 60% of human-operated ransomware attacks involved remote encryption, with 80% of all compromises originating from unmanaged devices. In its 2024 report, Microsoft also found that 70% of successful attacks involved remote encryption.
Chester Wisniewski, director and global field CISO at Sophos, said, “Remote encryption has now become a standard part of ransomware groups’ bag of tricks. Every organization has blind spots and ransomware criminals are quick to exploit weaknesses once discovered. Businesses need to be hypervigilant in ensuring visibility across their entire estate and actively monitor any suspicious file activity.”
What to Do to Stay Protected
To stay secure against remote ransomware, Sophos recommends the following:
- Practice active asset management – Regularly track all devices and endpoints to identify vulnerabilities and unauthorized access
- Identify unmanaged machines – Continuously scan for rogue devices that could serve as entry points for attacks
- Use security solutions that monitor file activity – Implement tools to track file movements and transfers in real time to detect suspicious behavior
- Practice good cybersecurity hygiene – Enforce strong passwords, regular updates, multi-factor authentication, and employee training to reduce risks
