It’s bad enough to be victimized by one threat actor at a time. But according to researchers at Sophos, some organizations are being struck by multiple attackers.
“Some attacks take place simultaneously; others are separated by a few days, weeks, or months,” Sophos said in a report today. “Some involve different kinds of malware, or double – even triple – infections of the same type.”
In one case study, three prominent ransomware gangs (Hive, LockBit and BlackCat) attacked the same network one after another in rapid succession, each leaving its own ransom demand; some files ended up encrypted three times over.
The researchers aren’t certain whether multiple attacks are becoming more frequent overall. But Peter Mackenzie, Sophos’ director of incident response, said they are affecting more organizations than before. “It’s likely due to an increasingly crowded market for threat actors, as well as ransomware-as-a-service (RaaS) becoming more professionalized and lowering the bar to entry.”
The report says:
- the key drivers of multiple exploitations are vulnerabilities and misconfigurations going unaddressed after a first attack;
- multiple attacks often involve a specific sequence of exploits, especially after big, widespread vulnerabilities like ProxyLogon/ProxyShell are disclosed – with cryptominers arriving first, followed by wormable botnet builders, RATs, initial access brokers (IABs), and ransomware;
- while some threat actors are interdependent (e.g., initial access brokers later enabling ransomware), others, such as cryptominers, try to terminate rival malware, and may even ‘close the door’ by patching vulnerabilities or disabling vulnerable services after gaining access;
- historically, threat actors have been protective of their infections, to the extent of kicking rivals off compromised systems;
- ransomware actors, despite occasionally tangling with each other, seem less concerned about competition, and sometimes adopt strategies that directly or indirectly benefit other groups;
- certain features of the underground economy may enable multiple attacks – for instance, initial access brokers reselling the same access to more than one buyer, and ransomware leak sites publishing data that other threat actors can later weaponize.