Sophos X-Ops Active Adversary whitepaper, “Multiple Attackers: A Clear and Present Danger,” details finding Hive, LockBit and BlackCat, three prominent ransomware gangs, consecutively attacking the same network. The first two attacks took place within two hours, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple encrypted.
“It’s bad enough to get one ransomware note, let alone three,” said John Shier, senior security advisor at Sophos. “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cybersecurity that includes prevention, detection and response is critical for organizations of any size and type—no business is immune.”
Key findings:
The key drivers of multiple exploitations are vulnerabilities and misconfigurations going unaddressed after a first attack
Multiple attacks often involve a specific sequence of exploitation, especially after big, widespread vulnerabilities like ProxyLogon/ProxyShell are disclosed – with cryptominers arriving first, followed by wormable botnet builders, RATs, initial access brokers (IABs), and ransomware
While some threat actors are interdependent (e.g., IABs later enabling ransomware), others, such as cryptominers, try to terminate rival malware, and may even ‘close the door’ by patching vulnerabilities or disabling vulnerable services after gaining access
John Gunn, CEO, Token weighed in on the report:
“Victims of simultaneous attacks will be less likely to pay and may not be able to pay multiple attackers a full ransom. As such, you can expect IABs to charge a premium for first rights or exclusive rights for a target organization.
As odd as it may sound, we could easily see scenarios where the "first-in" attacker assumes the role of defending the victim network from follow-on attacks in order to protect their ability to realize the full ransom payout potential.”
###