IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Three ransomware attacks hit single company over two weeks

It's the first time an attack of this nature has been seen by the expert researchers

Three of the most prolific ransomware gangs currently in operation targeted the same company over a period of two weeks, according to cyber security researchers.

An unidentified automotive company was the victim of three separate ransomware attacks at the hands of LockBit, Hive, and AlphV - the latter sometimes referred to as BlackCat - almost simultaneously. 

Researchers from Sophos’ cross-operational cyber security task force X-Ops debuted the research at Black Hat 2022 Las Vegas this week after being called to investigate the incident in May 2022.

All three threat actors used the same entry point to initially gain access to the automotive company’s IT environment - abusing a misconfigured firewall rule that exposed remote desktop protocol (RDP) on a management server.

It's the first time the security company has encountered a situation where as many as three ransomware attacks have hit the same company using the same entry point.

During the course of the investigation, Sophos’ Rapid Response team discovered RDP access had been established by an outside actor as far back as December 2021, despite the attacks all taking place in May 2022.

The researchers believed this was the work of an initial access broker (IAB) looking to sell access to the company to other potential attackers.

LockBit was the first group to breach the company. It exfiltrated data to a Mega cloud storage service, used Mimikatz to steal passwords, and then finally installed its eponymous ransomware program.

Hive was the second group to breach the company and installed its own eponymous ransomware strain just two hours after LockBit began its infection.

The company was in the process of restoring their systems from backups, the industry-recommended method of ransomware recovery, when AlphV affiliates remoted into the company via a legitimate remote access tool.

The affiliates established persistence and exfiltrated data to a Mega account over the course of a week, before using stolen credentials to drop the AlphV ransomware payload two weeks after the LockBit and Hive attacks.

“It’s bad enough to get one ransomware note, let alone three,” said John Shier, senior security advisor at Sophos. “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted.

“Cyber security that includes prevention, detection, and response is critical for organisations of any size and type - no business is immune.”

The AlphV attack further complicated the resulting investigations because cleared Windows event logs. Later research also showed some company files were encrypted as many as five times over the course of the three separate attacks.

A growing trend of co-operation?

The Sophos researchers have noticed numerous cases where ransomware attackers will target the same organisations simultaneously, or within a few days of each other.

Conti is one example where the ransomware group has been involved in dual attacks. One instance was on a Canadian healthcare organisation earlier this year - both Conti and Karma installed ransomware via ProxyShell exploits.

Conti and Hive both targetied Costa Rica this year. The country later declared a state of national emergency due to the level of disruption the first attack caused.

Sophos said dual, or in this case triple attacks, seem to be becoming more common. It’s unusual for cyber criminals to work in an almost cooperative way, it said. 

Cyber criminals operating using cryptominers and remote access trojans (RATs), for example, often compete with each other, booting rivals out of IT environments if they are discovered.

Ransomware actors are consistently showing a different behaviour, the researchers said. 

“Leak sites are public. An opportunistic, lower-tier ransomware actor might reason that, if a victim hasn’t responded to a ransom demand, they might not have addressed the infection vector, either,” said Sophos in a separate report from earlier this month. 

“The threat actor has nothing to lose: Unlike buying an access as a service (AaaS) listing, it won’t cost them anything to target organisations that appear on leak sites. Besides, the first ransomware attack might have failed to encrypt everything; if the second threat actor encrypts further files, it may put additional pressure on the victim to pay up.”

Featured Resources

Big data for finance

How to leverage big data analytics and AI in the finance sector

Free Download

Ten critical factors for cloud analytics success

Cloud-native, intelligent, and automated data management strategies to accelerate time to value and ROI

Free Download

Remove barriers and reconnect with your customers

The $260 billion dollar friction problem businesses don't know they have

Free Download

The future of work is already here. Now’s the time to secure it.

Robust security to protect and enable your business

Free Download

Recommended

Ransomware now strikes one in 40 organisations per week, Check Point finds
ransomware

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
US government warns of increased risk of ransomware over holiday season
ransomware

US government warns of increased risk of ransomware over holiday season

24 Nov 2021

Most Popular

How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022
Why collaboration is key to digital transformation
Sponsored

Why collaboration is key to digital transformation

13 Sep 2022