Three Prominent Ransomware Gangs Attack the Same Network

In its Sophos X-Ops Active Adversary whitepaper, Sophos has reported that three prominent ransomware gangs consecutively attacked the same network. The first two attacks took place within two hours, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple encrypted.
“It’s bad enough to get one ransomware note, let alone three,” said John Shier, senior security advisor at Sophos. “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cybersecurity that includes prevention, detection and response is critical for organizations of any size and type—no business is immune.”
The whitepaper further outlines additional cases of overlapping cyberattacks, including cryptominers, remote access trojans (RATs) and bots. In the past, when multiple attackers have targeted the same system, the attacks usually occurred across many months or multiple years. The attacks described in Sophos’ whitepaper took place within days or weeks of each other—and, in one case, simultaneously—often with the different attackers accessing a target’s network through the same vulnerable entry point.
Typically, criminal groups compete for resources, making it more difficult for multiple attackers to operate simultaneously. Cryptominers normally kill their competitors on the same system, and today’s RATs often highlight bot killing as a feature on criminal forums. However, in the attack involving the three ransomware groups, for example, BlackCat—the last ransomware group on the system—not only deleted traces of its own activity, but also deleted the activity of LockBit and Hive. In another case, a system was infected by LockBit ransomware. Then, about three months later, members of Karakurt Team, a group with reported ties to Conti, were able to leverage the backdoor LockBit created to steal data and hold it for ransom.
“On the whole, ransomware groups don’t appear openly antagonistic towards one another. In fact, LockBit explicitly doesn’t forbid affiliates from working with competitors, as indicated in Sophos’ whitepaper,” said Shier. “We don’t have evidence of collaboration, but it’s possible this is due to attackers recognizing that there are a finite number of ‘resources’ in an increasingly competitive market. Or, perhaps they believe the more pressure placed on a target—i.e. multiple attacks—the more likely the victims are to pay. Perhaps they’re having discussions at a high level, agreeing to mutually beneficial agreements, for example, where one group encrypts the data and the other exfiltrates. At some point, these groups will have to decide how they feel about cooperation—whether to further embrace it or become more competitive—but, for now, the playing field is open for multiple attacks by different groups.”
Most of the initial infections for the attacks highlighted in the whitepaper occurred through either an unpatched vulnerability, with some of the most notable being Log4Shell, ProxyLogon, and ProxyShell, or poorly configured, unsecured Remote Desktop Protocol (RDP) servers. In most of the cases involving multiple attackers, the victims failed to remediate the initial attack effectively, leaving the door open for future cybercriminal activity. In those instances, the same RDP misconfigurations, as well as applications like RDWeb or AnyDesk, became an easily exploitable pathway for follow-up attacks. In fact, exposed RDP and VPN servers are some of the most popular listings sold on the dark web.
“As noted in the latest Active Adversary Playbook, in 2021 Sophos began seeing organizations falling victim to multiple attacks simultaneously and indicated that this may be a growing trend,” said Shier. “While the rise in multiple attackers is still based on anecdotal evidence, the availability of exploitable systems gives cybercriminals ample opportunity to continue heading in this direction.”
To learn more about multiple cyberattacks, including a closer look at the criminal underground and actionable advice on safeguarding systems against such attacks, read the full whitepaper.