Three ransomware attacks hit single company over two weeks
It's the first time an attack of this nature has been seen by the expert researchers


Three of the most prolific ransomware gangs currently in operation targeted the same company over a period of two weeks, according to cyber security researchers.
An unidentified automotive company was the victim of three separate ransomware attacks at the hands of LockBit, Hive, and AlphV - the latter sometimes referred to as BlackCat - almost simultaneously.
Researchers from Sophos’ cross-operational cyber security task force X-Ops debuted the research at Black Hat 2022 Las Vegas this week after being called to investigate the incident in May 2022.
All three threat actors used the same entry point to initially gain access to the automotive company’s IT environment - abusing a misconfigured firewall rule that exposed remote desktop protocol (RDP) on a management server.
It's the first time the security company has encountered a situation where as many as three ransomware attacks have hit the same company using the same entry point.
During the course of the investigation, Sophos’ Rapid Response team discovered RDP access had been established by an outside actor as far back as December 2021, despite the attacks all taking place in May 2022.
The researchers believed this was the work of an initial access broker (IAB) looking to sell access to the company to other potential attackers.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
LockBit was the first group to breach the company. It exfiltrated data to a Mega cloud storage service, used Mimikatz to steal passwords, and then finally installed its eponymous ransomware program.
Hive was the second group to breach the company and installed its own eponymous ransomware strain just two hours after LockBit began its infection.
The company was in the process of restoring their systems from backups, the industry-recommended method of ransomware recovery, when AlphV affiliates remoted into the company via a legitimate remote access tool.
The affiliates established persistence and exfiltrated data to a Mega account over the course of a week, before using stolen credentials to drop the AlphV ransomware payload two weeks after the LockBit and Hive attacks.
“It’s bad enough to get one ransomware note, let alone three,” said John Shier, senior security advisor at Sophos. “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted.
“Cyber security that includes prevention, detection, and response is critical for organisations of any size and type - no business is immune.”
The AlphV attack further complicated the resulting investigations because cleared Windows event logs. Later research also showed some company files were encrypted as many as five times over the course of the three separate attacks.
A growing trend of co-operation?
The Sophos researchers have noticed numerous cases where ransomware attackers will target the same organisations simultaneously, or within a few days of each other.
Conti is one example where the ransomware group has been involved in dual attacks. One instance was on a Canadian healthcare organisation earlier this year - both Conti and Karma installed ransomware via ProxyShell exploits.
Conti and Hive both targetied Costa Rica this year. The country later declared a state of national emergency due to the level of disruption the first attack caused.
Sophos said dual, or in this case triple attacks, seem to be becoming more common. It’s unusual for cyber criminals to work in an almost cooperative way, it said.
Cyber criminals operating using cryptominers and remote access trojans (RATs), for example, often compete with each other, booting rivals out of IT environments if they are discovered.
Ransomware actors are consistently showing a different behaviour, the researchers said.
“Leak sites are public. An opportunistic, lower-tier ransomware actor might reason that, if a victim hasn’t responded to a ransom demand, they might not have addressed the infection vector, either,” said Sophos in a separate report from earlier this month.
“The threat actor has nothing to lose: Unlike buying an access as a service (AaaS) listing, it won’t cost them anything to target organisations that appear on leak sites. Besides, the first ransomware attack might have failed to encrypt everything; if the second threat actor encrypts further files, it may put additional pressure on the victim to pay up.”

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.
-
Developers aren’t quite ready to place their trust in AI
News AI coding tools are delivering benefits for developers, but they’re still worried about security and compliance
-
Are chief AI officers here to stay?
In-depth Mainstay of the boardroom or short-term project leader, CAIOs are the subject of intense consideration
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs