It’s bad enough to be victimized by one threat actor at a time. But according to researchers at Sophos, some organizations are being struck by multiple attackers.
“Some attacks take place simultaneously; others are separated by a few days, weeks, or months,” Sophos said in a report today. “Some involve different kinds of malware, or double – even triple – infections of the same type.”
In one case study, three prominent ransomware gangs — Hive, LockBit and BlackCat — consecutively attacked the same network in rapid succession – each with its own ransom demand, with some files triple encrypted.
The researchers aren’t certain if multiple attacks are increasing. But Peter Mackenzie, Sophos’ director of incident response, said they are increasingly affecting more organizations. “It’s likely due to an increasingly crowded market for threat actors, as well as ransomware-as-a-service (RaaS) becoming more professionalized and lowering the bar to entry.”
The report says
- the key drivers of multiple exploitations are vulnerabilities and misconfigurations going unaddressed after a first attack;
- multiple attacks often involve a specific sequence of exploits, especially after big, widespread vulnerabilities like ProxyLogon/ProxyShell are disclosed – with cryptominers arriving first, followed by wormable botnet builders, RATs, initial access brokers (IABs), and ransomware;
- while some threat actors are interdependent (e.g., initial access brokers later enabling ransomware), others, such as cryptominers, try to terminate rival malware, and may even ‘close the door’ by patching vulnerabilities or disabling vulnerable services after gaining access;
- historically, threat actors have been protective of their infections, to the extent of kicking rivals off compromised systems;
- ransomware actors, despite occasionally tangling with each other, seem less concerned about competition, and sometimes adopt strategies that directly or indirectly benefit other groups;
- certain features of the underground economy may enable multiple attacks – for instance, initial access brokers reselling accesses, and ransomware leak sites providing data that other threat actors can later weaponize.
Sophos said in one of the attacks it studied, a ransomware group installed a backdoor which was later abused by a second ransomware group. In another incident, an organization was attacked by three ransomware groups in the space of a few weeks, all using the same misconfigured RDP server to gain access. Once inside, some files were encrypted by all three groups.
IT and security teams can lower the risk of being victimized by such attacks through basic cybersecurity hygiene, the report says. That means
–prioritize worst bugs first;
–work to eliminate misconfigurations;
–assume other attackers have found your vulnerabilities;
–don’t be slow in addressing an attack in progress;
–remember ransomware gangs often play nice with each other (as opposed to kicking someone off the network);
–noting that attackers open new backdoors;
–and remembering that some attackers are worse than others. “Not all ransomware strains are equal,” says the report. “Some have capabilities and features that may complicate attempts to respond to and investigate others – another reason to try to avoid becoming a victim of multiple attacks.”