More and more ransomware victims are finding they are being attacked by multiple gangs, with attacks taking place in waves that can be days or weeks apart, and sometimes even occurring simultaneously, according to cyber security firm Sophos.
Presenting its findings at Black Hat USA 2022 in Las Vegas, the Sophos X-Ops team found that multiple ransomware exploitations boil down to two key issues: the target having failed to address significant exploitable vulnerabilities in their systems (Log4Shell, ProxyLogon and ProxyShell being the most widely used); or the target having failed to address malicious tooling or misconfigurations that previous attackers had left behind them.
Furthermore, X-Ops – a recently launched unit within the business that is bringing together its research and threat response teams to create an “AI-assisted” security operations centre (SOC) – said that in many cases, access-as-a-service (AaaS) listings posted to dark web markets by initial access brokers (IABs) are sold on a non-exclusive basis, meaning they are sold to multiple buyers many times over.
“It’s bad enough to get one ransomware note, let alone three,” said John Shier, senior security advisor at Sophos. “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cyber security that includes prevention, detection and response is critical for organisations of any size and type – no business is immune.”
In its whitepaper ‘Multiple attackers: A clear and present danger’, X-Ops shares the story of one recent incident in which three different ransomware crews – Hive, LockBit and BlackCat – consecutively attacked the same victim network, with the first two incidents unfolding in the space of just two hours, while the third attack came a fortnight later. Each gang left its own ransom demand, and some of the victim’s files were encrypted three times over.
This attack dates back to 2 December 2021, when a likely IAB established a remote desktop protocol (RDP) session on the victim’s domain controller in a session lasting 52 minutes. Everything then went quiet until 20 April 2022, when LockBit gained access to the network – possibly, though not necessarily, via the exposed RDP instance – and exfiltrated data from four systems to the Mega cloud storage service. A little over a week later, on 28 April, the LockBit operator began moving laterally and executed Mimikatz to steal passwords.
Then, on 1 May, they created two batch scripts to distribute the ransomware binary using the legitimate PsExec tool. It took 10 minutes to execute the binary on 19 hosts, encrypt the data and drop ransom notes. However, within the space of 120 minutes, a Hive affiliate appeared on the network using the PDQ Deploy tool to distribute their own ransomware binary, which executed within 45 minutes on 16 hosts.
The BlackCat (aka ALPHV) attack took place on 15 May, when an affiliate gained access to the network, moved laterally using stolen credentials, and distributed their ransomware binaries, again using PsExec. These executed on six hosts within 30 minutes, after which BlackCat started to clear the victim’s Windows Event Logs relating not only to their attack, but to those of LockBit and Hive. This significantly complicated subsequent Sophos investigations – which was, of course, BlackCat’s intention.
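The two behaviours described above, PsExec-based distribution to several hosts in a short window and the clearing of Windows Event Logs, both leave standard Windows events behind (service install 7045 for PSEXESVC, log-cleared 1102 in Security and 104 in System). The following detection sketch is an added example, not taken from the Sophos whitepaper; the record layout, host names and thresholds are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records, as if forwarded from Windows hosts to a central
# collector. The field names are assumptions of this example.
SAMPLE_EVENTS = [
    {"time": "2022-05-14T09:00:00", "host": "ADMIN01", "channel": "System", "event_id": 7045, "service": "PSEXESVC"},
    {"time": "2022-05-15T10:00:05", "host": "SRV01", "channel": "System", "event_id": 7045, "service": "PSEXESVC"},
    {"time": "2022-05-15T10:03:40", "host": "SRV02", "channel": "System", "event_id": 7045, "service": "PSEXESVC"},
    {"time": "2022-05-15T10:11:12", "host": "SRV03", "channel": "System", "event_id": 7045, "service": "PSEXESVC"},
    {"time": "2022-05-15T10:12:00", "host": "SRV03", "channel": "System", "event_id": 7045, "service": "Print Helper"},
    {"time": "2022-05-15T10:31:00", "host": "SRV02", "channel": "Security", "event_id": 1102},
    {"time": "2022-05-15T10:31:30", "host": "SRV03", "channel": "System", "event_id": 104},
]

# Security 1102 = audit log cleared; System 104 = an event log file was cleared.
LOG_CLEARED = {("Security", 1102), ("System", 104)}


def log_clear_alerts(events):
    """Return the sorted hosts on which an event log was cleared."""
    return sorted({e["host"] for e in events
                   if (e["channel"], e["event_id"]) in LOG_CLEARED})


def psexec_fanout(events, min_hosts=3, window=timedelta(minutes=30)):
    """Find the first window in which the PsExec service (PSEXESVC, event 7045)
    was installed on at least min_hosts distinct hosts.

    Returns (window_start, sorted_hosts) or None if no such burst exists.
    """
    installs = sorted(
        (datetime.fromisoformat(e["time"]), e["host"]) for e in events
        if e["event_id"] == 7045 and e.get("service", "").upper() == "PSEXESVC"
    )
    for i, (start, _) in enumerate(installs):
        hosts = {h for t, h in installs[i:] if t - start <= window}
        if len(hosts) >= min_hosts:
            return start, sorted(hosts)
    return None


if __name__ == "__main__":
    print("log cleared on:", log_clear_alerts(SAMPLE_EVENTS))
    print("PsExec fan-out:", psexec_fanout(SAMPLE_EVENTS))
```

Both checks only help if events are forwarded off the host as they are written, and legitimate administrative use of PsExec will also match, so the host threshold and window need tuning per environment.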
The X-Ops team said cyber criminal gangs were competing for resources that are ultimately limited to some degree, making it harder for them to operate simultaneously. In some of the other attacks detailed in the extensive whitepaper, the team described how other types of malware, like cryptominers or remote access trojans (RATs), often make a virtue of being able to kill off competitors if found.
However, said Shier, in the case of ransomware gangs, there appears to be less open antagonism. “In fact,” he said, “LockBit explicitly doesn’t forbid affiliates from working with competitors, as indicated in the Sophos whitepaper.
“We don’t have evidence of collaboration, but it’s possible this is due to attackers recognising that there are a finite number of ‘resources’ in an increasingly competitive market. Or, perhaps they believe the more pressure placed on a target – i.e. multiple attacks – the more likely the victims are to pay. Perhaps they’re having discussions at a high level, agreeing to mutually beneficial agreements, for example, where one group encrypts the data and the other exfiltrates.
“At some point, these groups will have to decide how they feel about cooperation – whether to further embrace it or become more competitive – but for now, the playing field is open for multiple attacks by different groups.”
Sophos has previously reported on similar attacks, earlier this year detailing the tale of one US public sector organisation which fell victim to a particularly messy attack, also involving LockBit.
In this attack, the initial compromise took place in September 2021 via RDP and saw an attacker gain access to one of the victim’s servers, which they used to research hacking tools that they then attempted to install.
However, in January 2022 someone with access to the network started to act in a way that suggested a separate group had become involved – the activity became altogether more skilled and focused, and ultimately, a partially successful LockBit attack occurred.
This could indicate a number of different scenarios, but based on X-Ops research, it is very likely also an example of access having been sold on to multiple groups.
As with any investigation relying on observations made or incidents responded to by a single cyber company, it is hard to say with any statistical certainty that multiple attacks are a trend, but Sophos incident response director Peter MacKenzie said the signs pointed to an answer in the affirmative. “This is something we’re seeing affecting more and more organisations,” he said.
As ever, attention fully paid to some basic aspects of cyber hygiene will reduce one’s chances of falling victim to any cyber attack – let alone multiple concurrent ones.
Top tips include patching early and often, and ensuring patches are correctly applied; monitoring the cyber community and news agenda to get a heads up on new vulnerabilities; monitoring and responding to alerts, particularly during off-peak hours, at weekends or holidays; locking down accessible services used by VNC, RDP and the like; practising segmentation and zero trust; enforcing strong passwords and multifactor authentication (MFA); taking inventories of all assets and accounts; using layered protection to block attackers at more than one point, and extending that to all permitted endpoints; and configuring products correctly and checking them frequently.