
How Three Ransomware Groups Targeted One Vulnerable Network

After a series of separate attacks that kicked off in April, one organization found its data encrypted by not one ransomware actor, but three. The Hive, LockBit and ALPHV/BlackCat affiliates clustered onto the vulnerable, unnamed organization’s network, with the first two attacks occurring within two hours and the third happening two weeks later. All three ransomware groups left their own ransom demand and the organization’s files were encrypted two, or in some cases three, times.

Researchers with Sophos say the incident is part of an uptick in organizations being hit by two or more threat actors in recent months. Clusters of attackers are targeting unpatched vulnerabilities or misconfigured systems (such as unsecured internet-exposed RDP servers or applications like AnyDesk or RDWeb) in order to deploy cryptominers, ransomware or other malware, sometimes at the same time, with the gap between attacks on the same organization averaging six weeks.

There are several factors at play behind these multiple attacks. Attackers are getting faster at exploiting big vulnerabilities when they are first disclosed (such as ProxyLogon or ProxyShell) with multiple attacks often following a specific sequence for exploitation that involves cryptominers, botnet builders and RATs, followed by initial access brokers (IABs) that then pave the way for ransomware. At the same time, the ransomware threat landscape has become more sophisticated, and the underground economy has been set up to enable multiple attacks, with IABs in some cases reselling access to victim systems.

“This is something we’re seeing affecting more and more organizations, and it’s likely due to an increasingly crowded market for threat actors, as well as ransomware-as-a-service (RaaS) becoming more professionalized and lowering the bar to entry,” said Peter Mackenzie, director of Incident Response with Sophos, in a Tuesday report called "Multiple Attackers: A Clear and Present Danger."

In the case of the triple ransomware attack observed by Sophos, a possible IAB first established an RDP session on the unnamed organization’s domain controller in December - a session that lasted 52 minutes and that occurred four months before the first ransomware attack. IABs, which in 2021 made up a prominent marketplace for selling access to vulnerable networks, often do not specify exclusivity in their listings. That means that multiple ransomware threat actors could be purchasing access to the same vulnerable networks.


“Many listings don’t include any mention of exclusivity at all,” according to Sophos. “And while reselling is generally forbidden on forums, it’s entirely possible that many AaaS listings are non-exclusive, and sold to multiple buyers to take advantage of growing demand – resulting in multiple attacks. In fact, on some marketplaces, such as Genesis, exclusivity can even require an additional fee.”

While historically threat actors deploying malware have been competitive - as seen in the ability of cryptominers and RATs to kick other malware families off infected systems - ransomware actors don’t appear to follow this trend, said researchers. In several cases, ransomware groups have been observed targeting an organization already under attack by other threat actors, with some groups even operating together in partnership to exfiltrate and encrypt data.

“[When] it comes to attacks, [ransomware groups] generally seem happy to share targets,” said researchers. “They don’t terminate rival ransomware processes, or kick other malware out, because they’re not competing for CPU resources or botnet sizes – and they’re not constrained by the need for long-term, undetected access. So there isn’t really a need to ‘kill the competition.’”

This method appeared to work out for the trio of LockBit, Hive and BlackCat/ALPHV attackers observed by Sophos. After the LockBit affiliate first gained access to the network, the actors were able to exfiltrate data from four systems to the cloud storage service Mega. They then moved laterally and leveraged Mimikatz to extract credentials before executing the ransomware binary on nineteen hosts. Less than two hours later, the Hive ransomware affiliate gained initial access and used the legitimate PDQ Deploy tool to deploy their ransomware binary, encrypting data on sixteen hosts. Finally, weeks later the BlackCat/ALPHV affiliate accessed the vulnerable network, moved laterally using compromised credentials, and dropped two ransomware binaries in order to encrypt data on six hosts.

However, while these double or triple ransomware attacks put pressure on the victim to pay, they may also complicate ransomware group tactics, such as the ability to leak data that has already been encrypted by another attacker. Also, if victims are faced with more than one ransom demand, they may simply be unable to pay the ransoms.


For victim organizations, multiple threat actors on the network complicate not only incident response but also threat intelligence. In the triple ransomware attack observed by Sophos, for instance, the BlackCat/ALPHV threat actors that swooped in last cleared the Windows Event Logs, deleting clues of their own activities as well as those of the two other ransomware groups that had previously attacked the network.

“This action, along with some pre-investigation remediation actions and peculiarities in the organization’s network configuration, will significantly complicate our incident response efforts,” said Sophos researchers. “The BlackCat threat actor not only clears logs relating to their own activities, but also those of the LockBit and Hive threat actors, making it difficult to determine the methods used for initial access, lateral movement, and other events.”

Organizations can protect themselves by consistently applying top-priority patches and fixing misconfigurations. Additionally, some threat actors may introduce further vulnerabilities or create backdoors after they gain access, which can then be exploited by other threat actors, so it’s important to check for backdoors that attackers may have installed in addition to closing initial infection vectors. For instance, in a January attack observed by Sophos researchers, the initial attacker established a foothold in the environment after exploiting the ProxyShell flaw in order to execute a LockBit ransomware binary. During this process the actor installed an AnyDesk remote desktop application instance, which in June was abused by another threat actor in order to access the network and exfiltrate credentials.
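Two of the signals above are cheap to watch for: an event log being cleared (which is itself an alert, since it removes the trail of every actor on the host) and a remote-access tool such as AnyDesk appearing as a new service (a possible new ingress point left behind by an earlier intruder). The following is an added example, not code from the Sophos report or from any product it mentions. It assumes Windows events are forwarded as one JSON record per line with the field names used below; the sample records are constructed for illustration, and the list of remote-access tools is an assumption to adjust for your environment.

```python
import json

# Well-known Windows event IDs used by this example:
#   1102 (Security): the audit log was cleared
#   104  (System):   an event log channel was cleared
#   7045 (System):   a new service was installed
LOG_CLEARED_IDS = {1102, 104}
SERVICE_INSTALLED_ID = 7045

# Legitimate remote-access tools that are commonly abused as a persistent
# ingress point. This list is an assumption; extend it for your estate.
REMOTE_ACCESS_MARKERS = ("anydesk", "teamviewer", "screenconnect", "atera")

# Constructed sample records (not real telemetry). The JSON shape assumes a
# forwarder that maps each record to ts/host/channel/event_id/data.
SAMPLE_LINES = [
    r'{"ts": "2022-06-03T02:11:09Z", "host": "DC01", "channel": "Security", "event_id": 4624, "data": {"TargetUserName": "svc_backup"}}',
    r'{"ts": "2022-06-03T02:14:51Z", "host": "DC01", "channel": "System", "event_id": 7045, "data": {"ServiceName": "AnyDesk Service", "ImagePath": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe --service"}}',
    r'{"ts": "2022-06-17T23:40:02Z", "host": "FS02", "channel": "Security", "event_id": 1102, "data": {"SubjectUserName": "Administrator"}}',
    r'{"ts": "2022-06-17T23:40:03Z", "host": "FS02", "channel": "System", "event_id": 104, "data": {"Channel": "Microsoft-Windows-PowerShell/Operational", "SubjectUserName": "Administrator"}}',
    r'{"ts": "2022-06-18T08:00:00Z", "host": "WS11", "channel": "System", "event_id": 7045, "data": {"ServiceName": "Print Spooler helper", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}}',
    "this line is deliberately malformed to show the parser skipping it",
]


def parse_events(lines):
    """Parse JSON-lines records; skip malformed lines instead of aborting the whole run."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_log_clearing(events):
    """Return one alert per cleared log channel, with who cleared it and when.

    A clear is worth alerting on even without a known attacker: it is the point
    after which earlier activity (from any actor) can no longer be reconstructed
    from that host's own logs, so it should also trigger a check that the host
    forwards logs off-box.
    """
    alerts = []
    for ev in events:
        if ev.get("event_id") not in LOG_CLEARED_IDS:
            continue
        data = ev.get("data", {})
        alerts.append({
            "host": ev.get("host"),
            "ts": ev.get("ts"),
            # 104 names the cleared channel in its data; 1102 always means Security.
            "cleared_channel": data.get("Channel", ev.get("channel")),
            "by": data.get("SubjectUserName", "unknown"),
        })
    return alerts


def find_new_remote_access_services(events):
    """Flag 7045 service installs whose name or image path mention a remote-access tool."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != SERVICE_INSTALLED_ID:
            continue
        data = ev.get("data", {})
        haystack = (data.get("ServiceName", "") + " " + data.get("ImagePath", "")).lower()
        hits = [marker for marker in REMOTE_ACCESS_MARKERS if marker in haystack]
        if hits:
            alerts.append({
                "host": ev.get("host"),
                "ts": ev.get("ts"),
                "service": data.get("ServiceName"),
                "image_path": data.get("ImagePath"),
                "tool": hits[0],
            })
    return alerts


def triage(lines):
    """Run both detections over raw log lines and return the findings together."""
    events = parse_events(lines)
    return {
        "parsed": len(events),
        "log_clears": find_log_clearing(events),
        "remote_access_services": find_new_remote_access_services(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

Running the block over the constructed sample reports two clears on FS02 (the Security log, then the PowerShell operational channel) and one AnyDesk service install on DC01, while ignoring the ordinary spooler service and the malformed line. The useful response to the clear alert is to pull the forwarded copy of the logs, since the host's own copy no longer covers the earlier intrusions; the response to the service alert is to confirm whether anyone in the organization actually deployed that tool.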

While many of these mitigation measures are commonplace for protecting against even one threat actor, having multiple attackers on a system makes them more urgent, said researchers.

“Some attackers may introduce further vulnerabilities after gaining access, or create deliberate or unintentional backdoors (including the installation of legitimate software), which a subsequent threat actor can exploit,” said researchers. “So while it’s crucial to close off the initial infection vector, it’s also worth considering a) other weaknesses and misconfigurations that could be used to gain access, and b) any new ingress points that may have appeared.”