In 2013, CryptoLocker introduced the modern ransomware playbook. It also introduced something most of the industry has still not come to terms with: remote encryption. A compromised machine reaching across the network to encrypt a file server, leaving the protected server with no malicious process to terminate, no binary to quarantine, and no signal strong enough for EDR to act on with certainty.
In December 2023, a Microsoft study highlighted remote encryption in 60% of successful human-operated ransomware attacks, with 80% originating from unmanaged devices. The 2024 Microsoft Digital Defense Report, released ten months later, updated those figures to 70% and 92%.
The trend has only worsened since: Sophos telemetry shows remote encryption attacks rose 50% from 2023 to 2024, and another 55% from 2024 to 2025. The attack technique has been consistent for more than a decade. Most leading endpoint protection solutions look for encryption-like behavior. In contrast, Sophos Endpoint’s CryptoGuard capability recognizes encryption of the data itself. That is not a small difference. It is the difference.
Sophos shipped CryptoGuard in 2016 to close that gap. It does not look at the attacker's process, binary, behavior, or reputation. Instead, it watches the data inline with file read and write operations, transparently and at the file system layer, and acts when content is being transformed in a way consistent with encryption.
The analysis is built from the data itself in real time, on the endpoint, as the I/O passes through. There is no cloud round-trip, no telemetry stream waiting to be correlated, and no decision deferred to a downstream pipeline. When the analysis crosses the threshold, CryptoGuard intervenes and rolls back the affected files using a proprietary journaling mechanism. The core strategy has remained substantially unchanged in nearly a decade.
Because the math is the math, CryptoGuard has detected every subsequent ransomware family on first encounter, without signature updates or model retraining.
CryptoGuard does not exempt a process because it is trusted, signed, or well-known. A trusted process under attacker control, or running attacker-injected code, is still a threat. Legitimate encryption is recognized automatically from its operational context: a process encrypting its own data in its normal working locations looks different from ransomware encrypting a user's documents or centralized data.
CryptoGuard is on by default, requires no tuning, and has been running at scale across millions of endpoints in every major industry sector for over a decade. It continues to stop ransomware in environments where other defenses miss it, in attacks that would otherwise pay out.
We do not claim CryptoGuard cannot be evaded. A skilled adversary can find edge cases in any defense. We claim that this approach raises the bar substantially above what most endpoint protection products offer today. Friction at the right layer is where defenders win.
The visibility problem
To extract a ransom through encryption, the attacker must do one thing: damage data in a way that is reversible only with their key. Everything else (the loader, the file extension, the ransom note, the process name) is signal that Endpoint Detection and Response (EDR) tools surface to alert humans, scope the breach, and inform the response.
But the signal must exist before it can reach a decision point. In a remote encryption scenario, the encrypting binary is on an unmanaged device, an IoT endpoint, a shadow VM, or a third-party system across a trust boundary. None of those have an EDR agent. There is no telemetry to stream, no events to correlate, no signal to act on. The encryption arrives at the protected file server as ordinary file-share writes from a trusted authenticated session. There is some signal (file accesses, renames, the eventual ransom note), but it arrives without certainty and after thousands of files have already been encrypted.
And critically, even when EDR does correlate it into a confident detection, the response toolkit was not built to stop the attack. Most antivirus, endpoint and EDR products were designed to block known malicious URLs, terminate known malicious local processes, and quarantine known malicious local binaries. They were not designed to block a peer machine on the local network performing legitimate-looking file-share writes from a valid authenticated session.
Even when telemetry does exist, cloud-driven response requires transmission, correlation, decision, and dispatch back to the endpoint. Vendors describe this as "near real-time," and the fastest streaming architectures aim to complete the round-trip in seconds. In practice, end-to-end latency for many products and many event types is still measured in minutes. While that round-trip is happening, modern ransomware encrypts at speed: tens of thousands of files per minute on a modest file server is well within reach. Multithreading parallelizes encryption across cores. Partial encryption (the go-to choice for current Ransomware-as-a-Service (RaaS) offerings) corrupts only a portion of each file, enough to make data unrecoverable without the key but small enough that, in remote scenarios, only a fraction of each file needs to traverse the network. The attack window is seconds, not hours.
Modern ransomware is also tunable. Affiliates running real ransomware-as-a-service offerings (Qilin, RansomHub, Akira, Fog, Sinobi, and others) configure each deployment with command-line parameters that strip the visible signals: --no-extension, --no-note, --no-local, --ips, --path. Other parameters defeat defenses elsewhere in the chain: --password gates execution behind an attacker-supplied key, --nomutex allows multiple instances to run in parallel against different remote targets simultaneously. Each of these reduces visibility for EDR solutions.
This is why attackers do not need novel ransomware to evade many EDR solutions. Deploying an existing family (leaked LockBit builders, Conti binaries, any tooling from the past several years) from a remote unmanaged machine will still encrypt against most leading endpoint products. The architecture is the vulnerability, not the binary.
Why AI does not change the math
AI lowers the bar for ransomware. Novices who could not previously write working code can now generate functional encryptors with AI assistance, expanding the pool of potential attackers from a narrow set of skilled developers to anyone with intent and an LLM. That is a real shift, and it is worth taking seriously.
Before going further, it is worth being clear about scope. AI is reshaping other parts of the attack chain. Phishing is more effective. Identity attacks are more numerous. Social engineering is more convincing. Initial access is getting cheaper for the attacker. This article is about what happens after those defenses have been bypassed, the attacker is inside, and the encryption begins. The architectural defense problem at that layer is what AI does not change.
Three things in the public conversation about AI-generated ransomware are easy to miss.
First, AI changes the code, not the goal. Ransomware exists to convert plaintext into ciphertext that the victim cannot reverse without paying. Real-world ransomware overwhelmingly uses standard public-key and symmetric cryptography (RSA, ChaCha20, AES) for the same reason banks do: it is the mathematics of irreversibility-without-the-key. AI does not invent better cryptography for ransomware; it uses what works.
Second, the output of encryption has fingerprints. Ciphertext is statistically distinguishable from structured data. A normal Office document has predictable structure: a ZIP header, an XML schema, repeated text patterns. An encrypted version has none of that. CryptoGuard's content-based mathematical analysis harnesses that observation. It does not need to know the ransomware variant or family. It needs to recognize what an encrypted file looks like compared to its predecessor, which is a question of mathematics, not threat intelligence.
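The "fingerprints" argument above can be made concrete by looking at a write the way a content-based engine would: compare the previous and new contents of the file rather than the process that wrote them. The Python below is an added example written for this article; it is not CryptoGuard or any other Sophos code. It assumes a hook that can see both the old and new contents of a file, a small constructed magic-number table, a 1 KiB block size and a 7.5 bits/byte entropy threshold (all assumptions), and the sample "document", ciphertext-like bytes and benign edits it analyzes are constructed inside the code. It goes slightly beyond the paragraph by also handling the partial-encryption case from the previous section and a re-saved media file whose contents were high-entropy to begin with.

```python
"""Content-based encryption indicators for a single file write.

Added example, not Sophos/CryptoGuard code. Models the idea of judging the
data being written (old contents vs. new contents) instead of the writer.
The header table, block size, entropy threshold and sample data are all
constructed assumptions for illustration.
"""
import math
import random
from collections import Counter

# Constructed (deliberately short) table of real file-format magic prefixes.
KNOWN_HEADERS = {
    b"PK\x03\x04": "zip/ooxml",   # DOCX/XLSX/PPTX are ZIP containers
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole2",    # legacy Office binary formats
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
}

HIGH_ENTROPY = 7.5   # assumed threshold, bits per byte, for 1 KiB blocks
BLOCK = 1024         # assumed analysis granularity


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of buf in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def identify_header(buf: bytes):
    """Return the format name if buf starts with a known magic prefix."""
    for magic, name in KNOWN_HEADERS.items():
        if buf.startswith(magic):
            return name
    return None


def analyze_write(before: bytes, after: bytes, block: int = BLOCK) -> dict:
    """Compare old and new contents block by block and report indicators.

    A block is 'transformed' when it changed, was low-entropy before and is
    high-entropy after: structured data turned into ciphertext-like bytes.
    Blocks that were already high-entropy (compressed media, archives) do not
    count, which keeps a re-saved JPEG from looking like an attack.
    """
    n_blocks = max(1, math.ceil(max(len(before), len(after)) / block))
    changed = changed_high = transformed = 0
    for i in range(n_blocks):
        old, new = before[i * block:(i + 1) * block], after[i * block:(i + 1) * block]
        if old == new:
            continue
        changed += 1
        if shannon_entropy(new) >= HIGH_ENTROPY:
            changed_high += 1
            if shannon_entropy(old) < HIGH_ENTROPY:
                transformed += 1
    hdr_before, hdr_after = identify_header(before), identify_header(after)
    header_lost = hdr_before is not None and hdr_after is None
    # Flag when ciphertext-like blocks appeared AND either the recognizable
    # header vanished or at least half the rewritten blocks went low -> high.
    flagged = changed_high > 0 and (header_lost or transformed / changed >= 0.5)
    return {
        "before_entropy": round(shannon_entropy(before), 3),
        "after_entropy": round(shannon_entropy(after), 3),
        "header_before": hdr_before,
        "header_after": hdr_after,
        "header_lost": header_lost,
        "changed_blocks": changed,
        "high_entropy_changed_blocks": changed_high,
        "transformed_blocks": transformed,
        "flagged": flagged,
    }


def make_samples() -> dict:
    """Constructed inputs: a fake OOXML document and several rewrites of it."""
    line = b"<w:p><w:r><w:t>Quarterly revenue figures for the regional office</w:t></w:r></w:p>\n"
    doc = (b"PK\x03\x04" + line * 200)[:8192]
    rng = random.Random(2024)                       # seeded: deterministic output
    noise = bytes(rng.getrandbits(8) for _ in range(len(doc)))  # stands in for ciphertext
    media = b"\xff\xd8\xff" + noise[3:]             # a 'JPEG': high entropy from the start
    return {
        "full_encryption": (doc, noise),            # entire file replaced
        "partial_encryption": (doc, noise[:2048] + doc[2048:]),  # first 2 KiB only
        "benign_edit": (doc, doc.replace(b"regional", b"national")),
        "media_resave": (media, b"\xff\xd8\xff" + bytes(rng.getrandbits(8) for _ in range(len(doc) - 3))),
    }


if __name__ == "__main__":
    for name, (before, after) in make_samples().items():
        report = analyze_write(before, after)
        print(f"{name:20s} flagged={report['flagged']!s:5s} "
              f"entropy {report['before_entropy']} -> {report['after_entropy']} "
              f"header {report['header_before']} -> {report['header_after']} "
              f"transformed {report['transformed_blocks']}/{report['changed_blocks']}")
```

The full rewrite and the partial rewrite are both flagged: the first because every block turned into high-entropy bytes, the second because the ZIP header disappeared under two ciphertext-like blocks even though three quarters of the file is untouched. The benign edit changes every block but leaves them low-entropy, and the media re-save is all high-entropy writes over already high-entropy data with the header intact, so neither is flagged. That last case is exactly why the article stresses operational context: content statistics alone cannot separate a legitimate writer of compressed or encrypted data from a malicious one, and a block-level heuristic with fixed thresholds is the kind of edge a skilled adversary would probe.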
Third, AI is not what makes the current ransomware problem unsolvable for most defenders. There is no confirmed public record of AI-generated ransomware in the wild yet. Attackers do not need it. They can take any known ransomware family and run it remotely from a single compromised, unmanaged machine. That alone defeats most fully patched, fully protected networks, because most EDR protection is not designed to stop encryption arriving from a source they cannot see. The architectural gap is already here.
A natural question follows: does CryptoGuard use AI itself? It does not. The analysis is mathematical and deterministic. There is no learned model that needs retraining as ransomware evolves, no training data distribution to bias the result, no adversarial inputs that can fool a classifier into accepting ciphertext as a legitimate write. CryptoGuard's mathematical analysis is the power behind detecting ransomware.
Why this is not a feature update
Watching the attacker and watching the data are fundamentally different engines, not minor variations of the same approach. A vendor cannot simply bolt content-based mathematical analysis onto a process-centric EDR via a signature update or a new behavior rule. The detection must reside beneath the process at the file system layer, with direct access to the reads and writes themselves and a proprietary journaling mechanism to enable rollback.
The initial implementation is not what takes years; with the right team, a prototype can be built in months. The true challenge lies in the deep knowledge of Windows internals required to run seamlessly in production at scale, and the infrastructure necessary to ensure the engine works alongside legitimate encryption without causing operational disruption. This is engineering at a layer most security vendors do not work at. It requires a different mindset, a different skill set, and a level of field experience that cannot be hired into existence.
There is also an economic dimension. Ransomware-as-a-service is a business. Affiliates tune their binaries against the protection products with the largest installed base, because that is where the return on engineering effort is highest. The standard playbook (signed binaries, in-process injection, driver abuse, configurable parameters) is calibrated to defeat the standard defenses. A defense built on a different concept is not where the attacker spent their development time. That is not a permanent moat, but it is a real one.
CryptoGuard is also not a separate process running on the machine. It is part of how the operating system handles file writes. There is no agent for an EDR-killer to terminate. Throughout 2024 and 2025, ransomware operators increasingly used vulnerable signed drivers to terminate user-mode security agents and detection services before the encryptor runs. Most tools target processes. CryptoGuard is not one. When the rest of the stack falls, CryptoGuard keeps the data safe. You may lose telemetry. You will not lose your files.
The industry is starting to admit it
Through 2025, several major endpoint vendors began publicly acknowledging the remote ransomware problem and shipping their first attempts at a response. One vendor's recent statement put it directly: "Ransomware is evolving fast, and remote encryption attacks outpace legacy defenses." Another shipped a rollback feature with a 30 MB per-file size limit, which excludes many business documents that ransomware actually targets.
These are notable acknowledgments of an attack pattern Sophos has been protecting against since 2016. The implementations matter less than the acknowledgment. As shipped, the new layers are typically off by default, scoped to static file extension patterns (which modern ransomware specifically evades), constrained by file size limits, or lacking rollback altogether. They confirm how hard the destination is to reach when the underlying engine was designed for a different problem.
The cost of arriving late is paid by customers. Since 2013, ransomware has hit hospitals, schools, manufacturers, public services, and critical infrastructure on a near-daily basis. The impact is often physical: postponed surgeries, cancelled treatments, halted production lines, closed schools. In 2025, a remote encryption attack on a third-party aviation provider took down passenger and baggage systems at major European airports, with disruption measured in days and stranded passengers measured in hundreds of thousands.
Questions worth asking
When evaluating ransomware defense, the questions that matter are practical.
- Does the protection layer watch the data being modified, or only the process doing the modifying?
- Does it work when the encrypting process is on a different machine the vendor has no agent on?
- Does it work when the encrypting process is a legitimate, trusted process with injected code?
- Does the response happen locally and inline, or does it depend on a cloud round-trip?
- Does it recover the encrypted files, or only stop further encryption?
- Can the protection layer be disabled by an EDR-killer that takes down user-mode services?
- Has the protection caught novel ransomware families without updates?
- Is the protection on by default?
Most vendors will say they have ransomware protection. The questions above will tell you what kind.
The bottom line
Ransomware doesn't need AI to be a problem. The problem has been the same since 2013: an attacker damages data, demands a payment, and most endpoint protection is set up to detect the attacker rather than the damage. AI may make the attacker faster, cheaper, and more numerous. It will not change what the attacker has to do.
AI writes the code. Sophos watches the data. The math doesn't change.
To learn more about Sophos Endpoint and take it for a test drive, visit sophos.com/endpoint