Sophos, a global provider of next-generation cybersecurity, announced in the Sophos X-Ops Active Adversary whitepaper, “Multiple Attackers: A Clear and Present Danger”, that three prominent ransomware gangs, Hive, LockBit, and BlackCat, all attacked the same network at the same time. The first two attacks occurred within two hours of each other, and the third attack occurred two weeks later. Each ransomware gang left its own ransom demand, and some of the files were encrypted three times.
“It’s bad enough to get one ransomware note, let alone three,” said John Shier, senior security advisor at Sophos. “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cybersecurity that includes prevention, detection and response is critical for organizations of any size and type—no business is immune.”
The whitepaper goes on to describe additional examples of overlapping cyberattacks, such as cryptominers, remote access trojans (RATs), and bots. Previously, when multiple attackers targeted the same system, the attacks would typically span months or years. The attacks described in Sophos’ whitepaper occurred within days or weeks of each other—and, in one case, concurrently—often with different attackers accessing a target’s network via the same vulnerable entry point.
Criminal groups typically compete for resources, making it more difficult for multiple attackers to operate concurrently. Cryptominers typically kill their rivals on the same system, and today’s RATs frequently advertise bot killing as a feature on criminal forums. However, in the attack involving the three ransomware groups, BlackCat—the last ransomware group on the system—not only deleted traces of its own activity, but also LockBit and Hive activity. In another case, LockBit ransomware infected a system. Then, about three months later, members of the Karakurt Team, a group with reported ties to Conti, were able to steal data and hold it for ransom using the backdoor LockBit created.
“On the whole, ransomware groups don’t appear openly antagonistic towards one another. In fact, LockBit explicitly doesn’t forbid affiliates from working with competitors, as indicated in Sophos’ whitepaper,” said Shier. “We don’t have evidence of collaboration, but it’s possible this is due to attackers recognizing that there are a finite number of ‘resources’ in an increasingly competitive market. Or, perhaps they believe the more pressure placed on a target—i.e. multiple attacks—the more likely the victims are to pay. Perhaps they’re having discussions at a high level, agreeing to mutually beneficial agreements, for example, where one group encrypts the data and the other exfiltrates. At some point, these groups will have to decide how they feel about cooperation—whether to further embrace it or become more competitive—but, for now, the playing field is open for multiple attacks by different groups.”
The majority of the initial infections for the attacks detailed in the whitepaper were caused by either an unpatched vulnerability, with some of the most notable being Log4Shell, ProxyLogon, and ProxyShell, or poorly configured, unsecured Remote Desktop Protocol (RDP) servers. In the majority of cases involving multiple attackers, the victims failed to effectively remediate the initial attack, leaving the door open for future cybercriminal activity. The same RDP misconfigurations, as well as applications like RDWeb or AnyDesk, became an easily exploitable pathway for subsequent attacks in those cases. Exposed RDP and VPN servers, in fact, are among the most popular listings sold on the dark web.
“As noted in the latest Active Adversary Playbook, in 2021 Sophos began seeing organizations falling victim to multiple attacks simultaneously and indicated that this may be a growing trend,” said Shier. “While the rise in multiple attackers is still based on anecdotal evidence, the availability of exploitable systems gives cybercriminals ample opportunity to continue heading in this direction.”
Read the full whitepaper, “Multiple Attackers: A Clear and Present Danger,” on Sophos.com to learn more about multiple cyberattacks, including a closer look at the criminal underground and actionable advice on protecting systems against such attacks.
