Beware of simultaneous cyber attacks, warns Sophos

It’s bad enough to be victimized by one threat actor at a time. But according to researchers at Sophos, some organizations are being struck by multiple attackers.

“Some attacks take place simultaneously; others are separated by a few days, weeks, or months,” Sophos said in a report today. “Some involve different kinds of malware, or double – even triple – infections of the same type.”

In one case study, three prominent ransomware gangs — Hive, LockBit and BlackCat — consecutively attacked the same network in rapid succession – each with its own ransom demand, with some files triple encrypted.

The researchers aren’t certain if multiple attacks are increasing. But Peter Mackenzie, Sophos’ director of incident response, said they are increasingly affecting more organizations. “It’s likely due to an increasingly crowded market for threat actors, as well as ransomware-as-a-service (RaaS) becoming more professionalized and lowering the bar to entry.”

The report says

  • the key drivers of multiple exploitations are vulnerabilities and misconfigurations going unaddressed after a first attack;
  • multiple attacks often involve a specific sequence of exploits, especially after big, widespread vulnerabilities like ProxyLogon/ProxyShell are disclosed – with cryptominers arriving first, followed by wormable botnet builders, RATs, initial access brokers (IABs), and ransomware;
  • while some threat actors are interdependent (e.g., initial access brokers later enabling ransomware), others, such as cryptominers, try to terminate rival malware, and may even ‘close the door’ by patching vulnerabilities or disabling vulnerable services after gaining access;
  • historically, threat actors have been protective of their infections, to the extent of kicking rivals off compromised systems;
  • ransomware actors, despite occasionally tangling with each other, seem less concerned about competition, and sometimes adopt strategies that directly or indirectly benefit other groups;
  • certain features of the underground economy may enable multiple attacks – for instance, initial access brokers reselling accesses, and ransomware leak sites providing data that other threat actors can later weaponize.

Sophos said in one of the attacks it studied, a ransomware group installed a backdoor which was later abused by a second ransomware group. In another incident, an organization was attacked by three ransomware groups in the space of a few weeks, all using the same misconfigured RDP server to gain access. Once inside, some files were encrypted by all three groups.

IT and security teams can lower the risk of being victimized by such attacks through basic cybersecurity hygiene, the report says. That means

–update everything;

–prioritize worst bugs first;

–work to eliminate misconfigurations;

–assume other attackers have found your vulnerabilities;

–don’t be slow in addressing an attack in progress;

–remember ransomware gangs often play nice with each other (as opposed to kicking someone off the network);

–noting that attackers open new backdoors;

–and remembering that some attackers are worse than others. “Not all ransomware strains are equal,” says the report. “Some have capabilities and features that may complicate attempts to respond to and investigate others – another reason to try to avoid becoming a victim of multiple attacks.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.