Just one unpatched vulnerability can let three or more ransomware groups infiltrate a network in one swoop

In a recently released whitepaper, Sophos has revealed forensics showing that three prominent ransomware gangs—Hive, LockBit and BlackCat—had attacked the same victim network consecutively.

The first two attacks took place within two hours of each other, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files ended up being triple-encrypted.

According to John Shier, a senior security advisor at the firm: “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cybersecurity that includes prevention, detection and response is critical for organizations of any size and type—no business is immune.”

Shier said Sophos had begun seeing organizations fall victim to multiple attacks simultaneously in 2021, and indicated that this may be a growing trend. “While the rise in multiple attackers is still based on anecdotal evidence, the availability of exploitable systems gives cybercriminals ample opportunity to continue heading in this direction,” he said.

Racing for ransoms

The whitepaper further outlined additional cases of overlapping cyberattacks, including cryptominers, remote access trojans (RATs) and bots.

In the past, such consecutive attacks usually occurred across many months or multiple years. Now, they have been observed within days or weeks of each other—and, in one case, simultaneously. Often, these chains of attacks involved different attackers accessing a target’s network through the same vulnerable entry point.

Once inside the network, the groups’ tools usually compete for resources, making it more difficult for multiple attackers to operate simultaneously. However, in the attack involving the three ransomware groups, BlackCat—the last ransomware group on the system—not only deleted traces of its own activity, but also deleted the activity of LockBit and Hive.

In another case, a system was infected by LockBit ransomware. Then, about three months later, members of Karakurt Team, a group with reported ties to Conti, leveraged the backdoor LockBit had created to steal data and hold it for ransom.

Root cause analysis

Most of the initial infections for the attacks highlighted in the whitepaper occurred through either an unpatched vulnerability (most notably Log4Shell, ProxyLogon and ProxyShell) or poorly configured, unsecured Remote Desktop Protocol (RDP) servers.

In most of the cases involving multiple attackers, the victims had failed to remediate the initial attack effectively, leaving the door open for future cybercriminal activity. In these instances, the same RDP misconfigurations, as well as remote-access applications like RDWeb or AnyDesk, became an easily exploitable pathway for follow-up attacks. In fact, exposed RDP and VPN servers are among the most popular listings sold on the dark web.

Shier said: “We don’t have evidence of collaboration, but it’s possible this is due to attackers recognizing that there are a finite number of resources in an increasingly competitive market. Or, perhaps they believe the more pressure placed on a target through multiple attacks—the more likely the victims are to pay. Perhaps they’re having discussions at a high level, agreeing to mutually beneficial agreements, for example, where one group encrypts the data and the other exfiltrates.”