As if one ransomware attack weren’t bad enough, one organization was hit by three different prominent ransomware groups within weeks of each other. It received three separate ransom notes for files that had been encrypted three times over.
In its latest whitepaper, cybersecurity company Sophos outlined cases of overlapping cyberattacks involving ransomware, cryptominers, remote access trojans (RATs), and bots.
Two of the ransomware attacks took place within two hours of each other, and the third followed two weeks later.
“It’s bad enough to get one ransomware note, let alone three,” said John Shier, senior security advisor at Sophos. “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted.”
In the past, multiple attacks on the same victim tended to be spread across many months or several years. The attacks described in the paper, however, took place within days or weeks of each other at most, suggesting that different threat actors are getting in through the same unpatched vulnerability or misconfiguration.
Typically, criminal groups compete with one another, or even “kill” a competitor’s tooling on the same system, which makes it harder for multiple attacks to coexist on one machine.
“However, in the attack involving the three ransomware groups, for example, BlackCat — the last ransomware group on the system — not only deleted traces of its own activity but also deleted the activity of LockBit and Hive,” Sophos noted.
In another case, three months after LockBit ransomware infected a system, members of the Karakurt Team were able to use the backdoor LockBit had left behind to steal data and hold it for ransom.
“On the whole, ransomware groups don’t appear openly antagonistic towards one another. In fact, LockBit explicitly doesn’t forbid affiliates from working with competitors,” said Shier. “We don’t have evidence of collaboration, but it’s possible this is due to attackers recognizing that there are a finite number of ‘resources’ in an increasingly competitive market.”
Cybercriminals might believe that victims pressured by multiple attackers are more likely to pay the ransom.
“Perhaps they’re having discussions at a high level, agreeing to mutually beneficial agreements, for example, where one group encrypts the data and the other exfiltrates. At some point, these groups will have to decide how they feel about cooperation,” Shier added.
Most of the initial infections in the attacks, Sophos said, came either through an unpatched vulnerability, most notably Log4Shell, ProxyLogon, and ProxyShell, or through poorly configured, internet-exposed Remote Desktop Protocol (RDP) servers.
“In most of the cases involving multiple attackers, the victims failed to remediate the initial attack effectively, leaving the door open for future cybercriminal activity. In those instances, the same RDP misconfigurations, as well as applications like RDWeb or AnyDesk, became an easily exploitable pathway for follow-up attacks. In fact, exposed RDP and VPN servers are some of the most popular listings sold on the dark web,” Sophos said.
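The follow-up access pattern described above (an exposed RDP server left in place after the first intrusion, then reused by the next group) is something defenders can check for in their own logs. The script below is an added example, not code from the Cybernews article or the Sophos report: it runs over a constructed set of Windows Security events (IDs 4624/4625 with logon type 10, i.e. RDP) and flags RDP logons from addresses outside RFC 1918 space, sources that brute-force the service, and sources that brute-force it and then get in. The event records, IP addresses, and thresholds are illustrative assumptions.

```python
"""Flag external RDP logons and RDP brute-force bursts in Windows Security
events. Constructed sample data; not taken from the Sophos report."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, reduced to the fields that matter. EventID 4624 is a
# successful logon, 4625 a failed one; LogonType 10 (RemoteInteractive) is RDP.
# Field names mirror the Windows Security event schema; values are invented
# (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_EVENTS = [
    {"time": "2022-08-09T02:11:03", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.77"},
    {"time": "2022-08-09T02:11:41", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.77"},
    {"time": "2022-08-09T02:12:20", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "198.51.100.77"},
    {"time": "2022-08-09T02:13:05", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.77"},
    {"time": "2022-08-09T02:14:17", "EventID": 4625, "LogonType": 10, "TargetUserName": "backup", "IpAddress": "198.51.100.77"},
    {"time": "2022-08-09T02:15:30", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.77"},
    {"time": "2022-08-09T02:16:40", "EventID": 4624, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.77"},
    # Network logon (type 3) from the same source: not RDP, ignored by the RDP filters.
    {"time": "2022-08-09T02:17:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "administrator", "IpAddress": "198.51.100.77"},
    # Internal admin mistyping a password twice from a jump host: benign.
    {"time": "2022-08-09T02:30:00", "EventID": 4625, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.0.15"},
    {"time": "2022-08-09T02:31:10", "EventID": 4625, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.0.15"},
    {"time": "2022-08-09T02:32:05", "EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.0.15"},
    # Single stray failure from outside: below the brute-force threshold.
    {"time": "2022-08-09T03:00:00", "EventID": 4625, "LogonType": 10, "TargetUserName": "guest", "IpAddress": "203.0.113.9"},
]

# "Internal" is defined explicitly (RFC 1918 plus loopback) rather than via
# ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip):
    """True for a routable address outside the internal ranges; '-' or
    malformed source fields are treated as not external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def is_rdp(event, event_id):
    return event["EventID"] == event_id and event["LogonType"] == 10


def external_rdp_logons(events):
    """Successful RDP logons whose source address is outside internal space."""
    return [e for e in events if is_rdp(e, 4624) and is_external(e["IpAddress"])]


def bruteforce_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failed RDP logons inside any
    sliding `window`; the value is the largest burst seen for that IP."""
    failures = defaultdict(list)
    for e in events:
        if is_rdp(e, 4625):
            failures[e["IpAddress"]].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                hits[ip] = max(hits.get(ip, 0), burst)
    return hits


def bruteforce_then_success(events, **kw):
    """(ip, account, time) for each successful RDP logon from a brute-forcing
    source that occurs after that source's first failure."""
    hits = bruteforce_sources(events, **kw)
    first_fail = {}
    for e in events:
        if is_rdp(e, 4625) and e["IpAddress"] in hits:
            ip = e["IpAddress"]
            first_fail[ip] = min(first_fail.get(ip, e["time"]), e["time"])
    return [(e["IpAddress"], e["TargetUserName"], e["time"])
            for e in sorted(events, key=lambda e: e["time"])
            if is_rdp(e, 4624) and e["IpAddress"] in hits
            and e["time"] > first_fail[e["IpAddress"]]]


if __name__ == "__main__":
    for e in external_rdp_logons(SAMPLE_EVENTS):
        print("external RDP logon:", e["IpAddress"], e["TargetUserName"], e["time"])
    print("brute-force sources:", bruteforce_sources(SAMPLE_EVENTS))
    print("brute-force then success:", bruteforce_then_success(SAMPLE_EVENTS))
```

On a real host the events would come from the Security log (e.g. exported with wevtutil or collected by a SIEM); the fields used here are the ones present in the 4624/4625 event data. The internal-range list and the 5-in-10-minutes threshold are tuning knobs, not fixed rules, and any external successful RDP logon at all is worth investigating after an incident, because the page's point is that the exposed service was still there for the next group.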