New Sophos research shows a new trend of three prominent ransomware gangs attacking the same organization at the same time or just days apart.

Hive, LockBit and BlackCat are initiating the attacks. The first two attacks took place within two hours, and the third attack was two weeks later. Each ransomware gang left its own ransom demand — and they triple-encrypted some files.

While crypto miners are always at each other’s throats, the Sophos research shows ransomware attackers aren’t openly hostile to one another. They’re actually benefiting and cooperating with each other in some cases.

When there’s more than one actor in the system, it increases pressure on the victim to pay.

In the attack involving the three ransomware groups, for example, BlackCat, the last ransomware group on the system, not only deleted traces of its own activity, but also deleted the activity of LockBit and Hive. In another case, LockBit ransomware infected a system. Then, about three months later, members of Karakurt Team, a group with reported ties to Conti, leveraged the backdoor LockBit created to steal data and hold it for ransom.

No Evidence of Collaboration

John Shier is senior security advisor at Sophos. He said this may be a growing trend.

Sophos’ John Shier

“In the cases we’ve investigated, there wasn’t any evidence of any threat actor collaboration,” he said. “It’s impossible to know if there was any collaboration since that would require evidence that is not captured during a typical incident response investigation. In most cases, we can assume that the adversaries aren’t even aware of each other until the ransomware payload is deployed. Where data theft is involved, it might not even matter, since the impetus for paying a ransom is to prevent the stolen data from being published. In this scenario, multiple attackers can profit from a single victim.”

Most of the initial infections for the attacks highlighted in the Sophos research occurred through either an unpatched vulnerability, with some of the most notable being Log4Shell, ProxyLogon and ProxyShell, or poorly configured, unsecured remote desktop protocol (RDP) servers.

In most of the cases involving multiple attackers, the victims failed to remediate the initial attack effectively. That left the door open for future cybercriminal activity. In those instances, the same RDP misconfigurations, as well as applications like RDWeb or AnyDesk, became an easily exploitable pathway for follow-up attacks. Exposed RDP and VPN servers are some of the most popular listings sold on the dark web.

Multiple Attackers Can Exploit One Security Weakness

There’s no indication that any one type of organization is at greater risk of falling victim to a multiple adversary attack, Shier said. The key takeaway from these investigations is that more than one attacker can exploit a security weakness if left exposed.

An organization’s response plan dictates their ability to recover, he said.

“A well-crafted and tested response plan will ensure both minimal downtime and exposure,” Shier said. “Reliable backups are crucial to any recovery effort, especially when ransomware is involved.”

Organizations can recover from multiple attacks, he said. However, they incur costs associated with such a recovery. And that’s even when they didn’t pay any ransoms.

Thankfully, the steps an organization can take to prevent being the victim of a multiple adversary attack is the same as protecting against a single attack, Shier said.

“Diligent and prioritized patching reduces an organization’s attack surface,” he said. “Additionally, organizations should investigate any affected systems to ensure that no latent infections are present. Ideally, a properly instrumented environment will help you spot the first attacker, and a swift and comprehensive response will prevent the next one.”