Ransomware impersonates Sophos product

Even researchers who identified ransomware believed it to be legitimate at first.

Cyber risks - July 28, 2023

On July 17, 2023, MalwareHunterTeam, a group of cybersecurity researchers, published their analysis of a new ransomware strain, along with screenshots of it running. At first glance there is nothing unusual about the malware: it encrypts a computer system’s data and leaves a ransom note with the encrypted files. However, while it executes, various windows pop up bearing a seemingly trustworthy title: “Encryption Program – SOPHOS”.

Giving the ransomware the name of the Sophos cybersecurity company reassures the uninformed victim, who is more likely to let the program run. Even MalwareHunterTeam initially believed it to be a legitimate Sophos product running a security test.

When they reached out to Sophos, the company confirmed that it was ransomware and had nothing to do with its products. The cybersecurity firm added that its own tools would block this “Sophos Encryption” from running. According to MalwareHunterTeam, the software operates as Ransomware-as-a-Service (RaaS): its developers rent it out to third parties.