Three of the most prolific ransomware gangs currently in operation targeted the same company over a period of two weeks, according to cyber security researchers.
An unidentified automotive company was the victim of three separate ransomware attacks at the hands of LockBit, Hive, and AlphV - the latter sometimes referred to as BlackCat - almost simultaneously.
Researchers from Sophos’ cross-operational cyber security task force X-Ops debuted the research at Black Hat 2022 Las Vegas this week after being called to investigate the incident in May 2022.
All three threat actors used the same entry point to initially gain access to the automotive company’s IT environment - abusing a misconfigured firewall rule that exposed remote desktop protocol (RDP) on a management server.
It's the first time the security company has encountered a situation where as many as three ransomware attacks have hit the same company using the same entry point.
During the course of the investigation, Sophos’ Rapid Response team discovered RDP access had been established by an outside actor as far back as December 2021, despite the attacks all taking place in May 2022.
The researchers believed this was the work of an initial access broker (IAB) looking to sell access to the company to other potential attackers.
LockBit was the first group to breach the company. It exfiltrated data to a Mega cloud storage service, used Mimikatz to steal passwords, and then finally installed its eponymous ransomware program.
Hive was the second group to breach the company and installed its own eponymous ransomware strain just two hours after LockBit began its infection.
The company was in the process of restoring their systems from backups, the industry-recommended method of ransomware recovery, when AlphV affiliates remoted into the company via a legitimate remote access tool.
The affiliates established persistence and exfiltrated data to a Mega account over the course of a week, before using stolen credentials to drop the AlphV ransomware payload two weeks after the LockBit and Hive attacks.
“It’s bad enough to get one ransomware note, let alone three,” said John Shier, senior security advisor at Sophos. “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted.
“Cyber security that includes prevention, detection, and response is critical for organisations of any size and type - no business is immune.”
The AlphV attack further complicated the resulting investigations because cleared Windows event logs. Later research also showed some company files were encrypted as many as five times over the course of the three separate attacks.
A growing trend of co-operation?
The Sophos researchers have noticed numerous cases where ransomware attackers will target the same organisations simultaneously, or within a few days of each other.
Conti is one example where the ransomware group has been involved in dual attacks. One instance was on a Canadian healthcare organisation earlier this year - both Conti and Karma installed ransomware via ProxyShell exploits.
Conti and Hive both targetied Costa Rica this year. The country later declared a state of national emergency due to the level of disruption the first attack caused.
Sophos said dual, or in this case triple attacks, seem to be becoming more common. It’s unusual for cyber criminals to work in an almost cooperative way, it said.
Cyber criminals operating using cryptominers and remote access trojans (RATs), for example, often compete with each other, booting rivals out of IT environments if they are discovered.
Ransomware actors are consistently showing a different behaviour, the researchers said.
“Leak sites are public. An opportunistic, lower-tier ransomware actor might reason that, if a victim hasn’t responded to a ransom demand, they might not have addressed the infection vector, either,” said Sophos in a separate report from earlier this month.
“The threat actor has nothing to lose: Unlike buying an access as a service (AaaS) listing, it won’t cost them anything to target organisations that appear on leak sites. Besides, the first ransomware attack might have failed to encrypt everything; if the second threat actor encrypts further files, it may put additional pressure on the victim to pay up.”
-
Gender diversity improvements could be the key to tackling the UK's AI skills shortageNews Encouraging more women to pursue tech careers could plug huge gaps in the AI workforce
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
-
Volkswagen confirms security ‘incident’ amid ransomware breach claimsNews Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised.
-
The number of ransomware groups rockets as new, smaller players emergeNews The good news is that the number of victims remains steady
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
