Beware of simultaneous cyber attacks, warns Sophos

Share post:

It’s bad enough to be victimized by one threat actor at a time. But according to researchers at Sophos, some organizations are being struck by multiple attackers. “Some attacks take place simultaneously; others are separated by a few days, weeks, or months,” Sophos said in a report today. “Some involve different kinds of malware, or double – even triple – infections of the same type.” In one case study, three prominent ransomware gangs — Hive, LockBit and BlackCat — consecutively attacked the same network in rapid succession – each with its own ransom demand, with some files triple encrypted. The researchers aren’t certain if multiple attacks are increasing. But Peter Mackenzie, Sophos’ director of incident response, said they are increasingly affecting more organizations. “It’s likely due to an increasingly crowded market for threat actors, as well as ransomware-as-a-service (RaaS) becoming more professionalized and lowering the bar to entry.” The report says
  • the key drivers of multiple exploitations are vulnerabilities and misconfigurations going unaddressed after a first attack;
  • multiple attacks often involve a specific sequence of exploits, especially after big, widespread vulnerabilities like ProxyLogon/ProxyShell are disclosed – with cryptominers arriving first, followed by wormable botnet builders, RATs, initial access brokers (IABs), and ransomware;
  • while some threat actors are interdependent (e.g., initial access brokers later enabling ransomware), others, such as cryptominers, try to terminate rival malware, and may even ‘close the door’ by patching vulnerabilities or disabling vulnerable services after gaining access;
  • historically, threat actors have been protective of their infections, to the extent of kicking rivals off compromised systems;
  • ransomware actors, despite occasionally tangling with each other, seem less concerned about competition, and sometimes adopt strategies that directly or indirectly benefit other groups;
  • certain features of the underground economy may enable multiple attacks – for instance, initial access brokers reselling accesses, and ransomware leak sites providing data that other threat actors can later weaponize.
Sophos said in one of the attacks it studied, a ransomware group installed a backdoor which was later abused by a second ransomware group. In another incident, an organization was attacked by three ransomware groups in the space of a few weeks, all using the same misconfigured RDP server to gain access. Once inside, some files were encrypted by all three groups. IT and security teams can lower the risk of being victimized by such attacks through basic cybersecurity hygiene, the report says. That means –update everything; –prioritize worst bugs first; –work to eliminate misconfigurations; –assume other attackers have found your vulnerabilities; –don’t be slow in addressing an attack in progress; –remember ransomware gangs often play nice with each other (as opposed to kicking someone off the network); –noting that attackers open new backdoors; –and remembering that some attackers are worse than others. “Not all ransomware strains are equal,” says the report. “Some have capabilities and features that may complicate attempts to respond to and investigate others – another reason to try to avoid becoming a victim of multiple attacks.” The post Beware of simultaneous cyber attacks, warns Sophos first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs


Related articles

Google Play introduces new biometric verification with a user warning

Google has recently announced updates to the biometric verification process for Google Play purchases, aiming to bolster security...

Cyber Security Today, Week in Review for week ending Friday April 19, 2024

On this episode Jen Ellis, co-chair of the Ransomware Task Force, talks about ways of fighting one of the biggest cyber threats to IT d

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

This episode reports on a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international

Controversial expansion of US surveillance powers nears Senate vote

The US Senate is poised to vote on a significant expansion of Section 702 of the Foreign Intelligence...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways