Ransomware gangs consecutively attacking

Three prominent ransomware gangs — Hive, LockBit and BlackCat — have adopted a combined approach that sees consecutive attacks carried out against the same network, according to a new white paper.

The Sophos X-Ops Active Adversary white paper 'Multiple Attackers: A Clear and Present Danger', says the first two attacks took place within two hours, with the third following two weeks later. Each ransomware gang left their own ransom demand and some of the files were triple encrypted.

“It’s bad enough to get one ransomware note, let alone three,” said John Shier, senior security advisor at Sophos.

“Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cybersecurity that includes prevention, detection and response is critical for organisations of any size and type — no business is immune.”

The white paper further outlines additional cases of overlapping cyber attacks, including cryptominers, remote access trojans (RATs) and bots.

In the past, when multiple attackers have targeted the same system, the attacks usually occurred across many months or multiple years. The attacks described in Sophos’s white paper took place within days or weeks of each other — and, in one case, simultaneously — often with the different attackers accessing a target's network through the same vulnerable entry point.

Typically, criminal groups compete for resources, making it more difficult for multiple attackers to operate simultaneously. Cryptominers normally kill their competitors on the same system, and today’s RATs often highlight bot killing as a feature on criminal forums.

However, in the attack involving the three ransomware groups, for example, BlackCat — the last ransomware group on the system — not only deleted traces of its own activity, but also deleted the activity of LockBit and Hive. In another case, a system was infected by LockBit ransomware. Then, about three months later, members of Karakurt Team, a group with reported ties to Conti, were able to leverage the backdoor LockBit created to steal data and hold it for ransom.

“On the whole, ransomware groups don’t appear openly antagonistic towards one another. In fact, LockBit explicitly doesn’t forbid affiliates from working with competitors, as indicated in Sophos’s whitepaper,” Shier said.

“We don’t have evidence of collaboration, but it’s possible this is due to attackers recognising that there are a finite number of ‘resources’ in an increasingly competitive market. Or, perhaps they believe the more pressure placed on a target — ie, multiple attacks — the more likely the victims are to pay. Perhaps they’re having discussions at a high level, agreeing to mutually beneficial agreements, for example, where one group encrypts the data and the other exfiltrates.

“At some point, these groups will have to decide how they feel about cooperation — whether to further embrace it or become more competitive — but, for now, the playing field is open for multiple attacks by different groups,” he said.

Most of the initial infections for the attacks highlighted in the white paper occurred through either an unpatched vulnerability, with some of the most notable being Log4Shell, ProxyLogon and ProxyShell, or poorly configured, unsecured Remote Desktop Protocol (RDP) servers. In most of the cases involving multiple attackers, the victims failed to remediate the initial attack effectively, leaving the door open for future cybercriminal activity. In those instances, the same RDP misconfigurations, as well as applications like RDWeb or AnyDesk, became an easily exploitable pathway for follow-up attacks. In fact, exposed RDP and VPN servers are some of the most popular listings sold on the dark web.

“As noted in the latest Active Adversary Playbook, in 2021 Sophos began seeing organisations falling victim to multiple attacks simultaneously and indicated that this may be a growing trend,” Shier said.

“While the rise in multiple attackers is still based on anecdotal evidence, the availability of exploitable systems gives cybercriminals ample opportunity to continue heading in this direction.”

Image credit: ©stock.adobe.com/au/Gorodenkoff