Targeted Organization Received Three Different Ransomware Notes for Triple Encrypted Files

OXFORD, U.K. — August 9, 2022 —

 Sophos, a global leader in next-generation cybersecurity, today announced in the Sophos X-Ops Active Adversary whitepaper, “Multiple Attackers: A Clear and Present Danger,” that Hive, LockBit and BlackCat, three prominent ransomware gangs, consecutively attacked the same network. The first two attacks took place within two hours, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple encrypted.

“It’s bad enough to get one ransomware note, let alone three,” said John Shier, senior security advisor at Sophos. “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cybersecurity that includes prevention, detection and response is critical for organizations of any size and type—no business is immune.”

The whitepaper further outlines additional cases of overlapping cyberattacks, including cryptominers, remote access trojans (RATs) and bots. In the past, when multiple attackers have targeted the same system, the attacks usually occurred across many months or multiple years. The attacks described in Sophos’ whitepaper took place within days or weeks of each other—and, in one case, simultaneously—often with the different attackers accessing a target's network through the same vulnerable entry point.

Typically, criminal groups compete for resources, making it more difficult for multiple attackers to operate simultaneously. Cryptominers normally kill their competitors on the same system, and today’s RATs often highlight bot killing as a feature on criminal forums. However, in the attack involving the three ransomware groups, for example, BlackCat—the last ransomware group on the system—not only deleted traces of its own activity, but also deleted the activity of LockBit and Hive. In another case, a system was infected by LockBit ransomware. Then, about three months later, members of Karakurt Team, a group with reported ties to Conti, was able to leverage the backdoor LockBit created to steal data and hold it for ransom.

“On the whole, ransomware groups don’t appear openly antagonistic towards one another. In fact, LockBit explicitly doesn’t forbid affiliates from working with competitors, as indicated in Sophos’ whitepaper,” said Shier. “We don’t have evidence of collaboration, but it’s possible this is due to   attackers recognizing that there are a finite number of ‘resources’ in an increasingly competitive market. Or, perhaps they believe the more pressure placed on a target—i.e. multiple attacks—the more likely the victims are to pay. Perhaps they’re having discussions at a high level, agreeing to mutually beneficial agreements, for example, where one group encrypts the data and the other exfiltrates. At some point, these groups will have to decide how they feel about cooperation—whether to further embrace it or become more competitive—but, for now, the playing field is open for multiple attacks by different groups.”

Most of the initial infections for the attacks highlighted in the whitepaper occurred through either an unpatched vulnerability, with some of the most notable being Log4ShellProxyLogon, and ProxyShell, or poorly configured, unsecured Remote Desktop Protocol (RDP) servers. In most of the cases involving multiple attackers, the victims failed to remediate the initial attack effectively, leaving the door open for future cybercriminal activity. In those instances, the same RDP misconfigurations, as well as applications like RDWeb or AnyDesk, became an easily exploitable pathway for follow-up attacks. In fact, exposed RDP and VPN servers are some of the most popular listings sold on the dark web.

“As noted in the latest Active Adversary Playbook, in 2021 Sophos began seeing organizations falling victim to multiple attacks simultaneously and indicated that this may be a growing trend,” said Shier. “While the rise in multiple attackers is still based on anecdotal evidence, the availability of exploitable systems gives cybercriminals ample opportunity to continue heading in this direction."

To learn more about multiple cyberattacks, including a closer look at the criminal underground and actionable advice on safeguarding systems against such attacks, read the full whitepaper, “Multiple Attackers: A Clear and Present Danger,” on Sophos.com.

About Sophos

Sophos is a global leader and innovator of advanced security solutions that defeat cyberattacks, including Managed Detection and Response (MDR) and incident response services and a broad portfolio of endpoint, network, email, and cloud security technologies. As one of the largest pure-play cybersecurity providers, Sophos defends more than 600,000 organizations and more than 100 million users worldwide from active adversaries, ransomware, phishing, malware, and more. Sophos’ services and products connect through the Sophos Central management console and are powered by Sophos X-Ops, the company’s cross-domain threat intelligence unit. Sophos X-Ops intelligence optimizes the entire Sophos Adaptive Cybersecurity Ecosystem, which includes a centralized data lake that leverages a rich set of open APIs available to customers, partners, developers, and other cybersecurity and information technology vendors. Sophos provides cybersecurity-as-a-service to organizations needing fully managed security solutions. Customers can also manage their cybersecurity directly with Sophos’ security operations platform or use a hybrid approach by supplementing their in-house teams with Sophos’ services, including threat hunting and remediation. Sophos sells through reseller partners and managed service providers (MSPs) worldwide. Sophos is headquartered in Oxford, U.K. More information is available at www.sophos.com.