Three Ransomware Gangs Consecutively Attacked The Same Network

The Sophos X-Ops Active Adversary whitepaper, “Multiple Attackers: A Clear and Present Danger,” details a case in which Hive, LockBit and BlackCat, three prominent ransomware gangs, consecutively attacked the same network. The first two attacks took place within two hours of each other, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple encrypted.

John Gunn, CEO
August 10, 2022 2:20 pm

Victims of simultaneous attacks will be less likely to pay and may not be able to pay multiple attackers a full ransom. As such, you can expect IABs to charge a premium for first rights or exclusive rights for a target organization.

As odd as it may sound, we could easily see scenarios where the “first-in” attacker assumes the role of defending the victim network from follow-on attacks in order to protect their ability to realize the full ransom payout potential.

John Shier, Senior Security Advisor
August 10, 2022 2:20 pm

Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cybersecurity that includes prevention, detection and response is critical for organizations of any size and type—no business is immune.
Key findings:

  • The key drivers of multiple exploitations are vulnerabilities and misconfigurations going unaddressed after a first attack
  • Multiple attacks often involve a specific sequence of exploitation, especially after big, widespread vulnerabilities like ProxyLogon/ProxyShell are disclosed – with cryptominers arriving first, followed by wormable botnet builders, RATs, initial access brokers (IABs), and ransomware
  • While some threat actors are interdependent (e.g., IABs later enabling ransomware), others, such as cryptominers, try to terminate rival malware, and may even ‘close the door’ by patching vulnerabilities or disabling vulnerable services after gaining access
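The recovery complexity John Shier describes (several ransom notes on one network, files encrypted more than once) is something an incident responder needs to recognise early, because a restore plan that assumes one actor and one decryptor will fail against a triple-encrypted file. The following triage script is an added example, not code from Sophos or from the whitepaper; it walks a file tree, counts distinct ransom-note filenames, and peels stacked ransomware extensions off each filename to report how many encryption layers it carries. The extension names and note names are constructed placeholders, not the real indicators of Hive, LockBit or BlackCat, and `build_sample_tree()` creates a constructed directory so the script runs offline.

```python
"""Triage helper for a suspected multi-actor ransomware incident.

Added example, not Sophos code.  All indicator names below are
constructed placeholders: substitute the real extensions and note
filenames observed during the incident.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical ransomware extensions and ransom-note filenames (constructed).
RANSOM_EXTS = {".locked_a", ".locked_b", ".locked_c"}
RANSOM_NOTES = {"RESTORE_A.txt", "HOW_TO_B.txt", "RECOVER_C.txt"}


def encryption_layers(filename: str) -> list:
    """Return the stack of ransomware suffixes on a filename, in the order
    they were applied (innermost first).
    'report.docx.locked_a.locked_b' -> ['.locked_a', '.locked_b']
    """
    layers = []
    path = Path(filename)
    # Peel suffixes from the outside in while they match a known extension.
    while path.suffix in RANSOM_EXTS:
        layers.append(path.suffix)
        path = path.with_suffix("")
    return list(reversed(layers))


def triage(root: str) -> dict:
    """Walk `root` and summarise evidence of one or more ransomware actors."""
    notes = Counter()          # ransom-note filename -> occurrences
    layered = {}               # encrypted file path -> list of layers
    max_layers = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in RANSOM_NOTES:
                notes[name] += 1
            layers = encryption_layers(name)
            if layers:
                layered[os.path.join(dirpath, name)] = layers
                max_layers = max(max_layers, len(layers))
    return {
        "distinct_notes": sorted(notes),
        "encrypted_files": len(layered),
        "max_layers": max_layers,
        "multi_layer_files": sorted(p for p, ls in layered.items() if len(ls) > 1),
        # More than one note family, or any file encrypted twice, means a
        # single-decryptor recovery plan will not be enough.
        "likely_multiple_actors": len(notes) > 1 or max_layers > 1,
    }


def build_sample_tree() -> str:
    """Create a constructed directory mimicking a triple-encrypted share."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    sample_files = [
        "docs/report.docx.locked_a.locked_b.locked_c",  # hit by all three
        "docs/RESTORE_A.txt",
        "docs/HOW_TO_B.txt",
        "RECOVER_C.txt",
        "hr/payroll.xlsx.locked_a",                      # hit once
        "hr/readme.txt",                                  # untouched
    ]
    for rel in sample_files:
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed tree the script reports three distinct ransom notes, one file carrying three encryption layers, and flags the incident as likely involving multiple actors. In a real engagement the per-file layer order matters as much as the count: decryption has to proceed from the outermost layer inward, so the innermost-first list returned by `encryption_layers` should be reversed when planning the restore.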