Hive, LockBit and BlackCat Ransomware Gangs Consecutively Attack the Same Network, Sophos Reports

Sophos Press Release

Targeted Organization Received Three Different Ransomware Notes for Triple Encrypted Files

OXFORD, U.K. – Aug. 9, 2022 – Sophos, a global leader in next-generation cybersecurity, today announced in the Sophos X-Ops Active Adversary whitepaper, “Multiple Attackers: A Clear and Present Danger,” that Hive, LockBit and BlackCat, three prominent ransomware gangs, consecutively attacked the same network. The first two attacks took place within two hours, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple encrypted.

“It’s bad enough to get one ransomware note, let alone three,” said John Shier, senior security advisor at Sophos. “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cybersecurity that includes prevention, detection and response is critical for organizations of any size and type—no business is immune.”

The whitepaper further outlines additional cases of overlapping cyberattacks, including cryptominers, remote access trojans (RATs) and bots. In the past, when multiple attackers have targeted the same system, the attacks usually occurred across many months or multiple years. The attacks described in Sophos’ whitepaper took place within days or weeks of each other—and, in one case, simultaneously—often with the different attackers accessing a target's network through the same vulnerable entry point.

Typically, criminal groups compete for resources, making it more difficult for multiple attackers to operate simultaneously. Cryptominers normally kill their competitors on the same system, and today’s RATs often highlight bot killing as a feature on criminal forums. However, in the attack involving the three ransomware groups, for example, BlackCat—the last ransomware group on the system—not only deleted traces of its own activity, but also deleted the activity of LockBit and Hive. In another case, a system was infected by LockBit ransomware. Then, about three months later, members of Karakurt Team, a group with reported ties to Conti, was able to leverage the backdoor LockBit created to steal data and hold it for ransom.

“On the whole, ransomware groups don’t appear openly antagonistic towards one another. In fact, LockBit explicitly doesn’t forbid affiliates from working with competitors, as indicated in Sophos’ whitepaper,” said Shier. “We don’t have evidence of collaboration, but it’s possible this is due to   attackers recognizing that there are a finite number of ‘resources’ in an increasingly competitive market. Or, perhaps they believe the more pressure placed on a target—i.e. multiple attacks—the more likely the victims are to pay. Perhaps they’re having discussions at a high level, agreeing to mutually beneficial agreements, for example, where one group encrypts the data and the other exfiltrates. At some point, these groups will have to decide how they feel about cooperation—whether to further embrace it or become more competitive—but, for now, the playing field is open for multiple attacks by different groups.”

Most of the initial infections for the attacks highlighted in the whitepaper occurred through either an unpatched vulnerability, with some of the most notable being Log4Shell, ProxyLogon, and ProxyShell, or poorly configured, unsecured Remote Desktop Protocol (RDP) servers. In most of the cases involving multiple attackers, the victims failed to remediate the initial attack effectively, leaving the door open for future cybercriminal activity. In those instances, the same RDP misconfigurations, as well as applications like RDWeb or AnyDesk, became an easily exploitable pathway for follow-up attacks. In fact, exposed RDP and VPN servers are some of the most popular listings sold on the dark web.

“As noted in the latest Active Adversary Playbook, in 2021 Sophos began seeing organizations falling victim to multiple attacks simultaneously and indicated that this may be a growing trend,” said Shier. “While the rise in multiple attackers is still based on anecdotal evidence, the availability of exploitable systems gives cybercriminals ample opportunity to continue heading in this direction."

To learn more about multiple cyberattacks, including a closer look at the criminal underground and actionable advice on safeguarding systems against such attacks, read the full whitepaper, “Multiple Attackers: A Clear and Present Danger,” on Sophos.com.

关于 Sophos

Sophos 是全球下一代网络安全领导者,保护 150 多个国家 500,000 多家企业和数以百万的消费者抵御当前最高级的网络威胁。在 SophosLabs 和 SophosAI 的威胁情报、AI 及机器学习的大力支持下,Sophos 提供多种先进产品和服务,保护用户、网络和端点防范勒索软件、恶意软件、漏洞攻击、网络钓鱼以及各种其他网络攻击。Sophos 提供单个集成云管理控制台 Sophos Central,作为自适应网络安全生态体系的核心,具有中央数据湖,为客户、合作伙伴、开发人员和其他网络安全供应商提供丰富的开放 API。Sophos 通过世界给的的经销商合作伙伴和托管服务提供商 (MSP) 销售产品和服务。Sophos 总部位于英国牛津。如欲了解更多信息,请访问 www.sophos.com