Three ransomware attacks hit single company over two weeks

Three of the most prolific ransomware gangs currently in operation targeted the same company over a period of two weeks, according to cyber security researchers.

An unidentified automotive company was the victim of three separate ransomware attacks at the hands of LockBit, Hive, and AlphV - the latter sometimes referred to as BlackCat - almost simultaneously.

Researchers from Sophos’ cross-operational cyber security task force X-Ops debuted the research at Black Hat 2022 Las Vegas this week after being called to investigate the incident in May 2022.

All three threat actors used the same entry point to initially gain access to the automotive company’s IT environment - abusing a misconfigured firewall rule that exposed remote desktop protocol (RDP) on a management server.

It's the first time the security company has encountered a situation where as many as three ransomware attacks have hit the same company using the same entry point.

During the course of the investigation, Sophos’ Rapid Response team discovered RDP access had been established by an outside actor as far back as December 2021, despite the attacks all taking place in May 2022.

The researchers believed this was the work of an initial access broker (IAB) looking to sell access to the company to other potential attackers.

LockBit was the first group to breach the company. It exfiltrated data to a Mega cloud storage service, used Mimikatz to steal passwords, and then finally installed its eponymous ransomware program.

Hive was the second group to breach the company and installed its own eponymous ransomware strain just two hours after LockBit began its infection.

The company was in the process of restoring their systems from backups, the industry-recommended method of ransomware recovery, when AlphV affiliates remoted into the company via a legitimate remote access tool.

The affiliates established persistence and exfiltrated data to a Mega account over the course of a week, before using stolen credentials to drop the AlphV ransomware payload two weeks after the LockBit and Hive attacks.

“It’s bad enough to get one ransomware note, let alone three,” said John Shier, senior security advisor at Sophos. “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted.

“Cyber security that includes prevention, detection, and response is critical for organisations of any size and type - no business is immune.”

The AlphV attack further complicated the resulting investigations because cleared Windows event logs. Later research also showed some company files were encrypted as many as five times over the course of the three separate attacks.

A growing trend of co-operation?

The Sophos researchers have noticed numerous cases where ransomware attackers will target the same organisations simultaneously, or within a few days of each other.

Conti is one example where the ransomware group has been involved in dual attacks. One instance was on a Canadian healthcare organisation earlier this year - both Conti and Karma installed ransomware via ProxyShell exploits.

Conti and Hive both targetied Costa Rica this year. The country later declared a state of national emergency due to the level of disruption the first attack caused.

Sophos said dual, or in this case triple attacks, seem to be becoming more common. It’s unusual for cyber criminals to work in an almost cooperative way, it said.

Cyber criminals operating using cryptominers and remote access trojans (RATs), for example, often compete with each other, booting rivals out of IT environments if they are discovered.

Ransomware actors are consistently showing a different behaviour, the researchers said.

“Leak sites are public. An opportunistic, lower-tier ransomware actor might reason that, if a victim hasn’t responded to a ransom demand, they might not have addressed the infection vector, either,” said Sophos in a separate report from earlier this month.

“The threat actor has nothing to lose: Unlike buying an access as a service (AaaS) listing, it won’t cost them anything to target organisations that appear on leak sites. Besides, the first ransomware attack might have failed to encrypt everything; if the second threat actor encrypts further files, it may put additional pressure on the victim to pay up.”