The Sophos X-Ops Active Adversary whitepaper, “Multiple Attackers: A Clear and Present Danger,” details how Hive, LockBit and BlackCat, three prominent ransomware gangs, consecutively attacked the same network. The first two attacks took place within two hours, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple encrypted.

Victims of simultaneous attacks will be less likely to pay and may not be able to pay multiple attackers a full ransom. As such, you can expect IABs to charge a premium for first rights or exclusive rights for a target organization.
As odd as it may sound, we could easily see scenarios where the “first-in” attacker assumes the role of defending the victim network from follow-on attacks in order to protect their ability to realize the full ransom payout potential.
Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cybersecurity that includes prevention, detection and response is critical for organizations of any size and type—no business is immune.
Key findings: