cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Ransomware gangs Hive, LockBit and BlackCat double-tapping target networks

Sophos researchers have found that Hive, LockBit and BlackCat, three prominent ransomware gangs, consecutively attacked the same network.

user iconReporter
Wed, 10 Aug 2022
Ransomware gangs Hive, LockBit and BlackCat double-tapping target networks
expand image

The Sophos X-Ops Active Adversary white paper, titled, Multiple Attackers: A Clear and Present Danger, has found cases of overlapping cyber attacks, which include cryptominers, remote access Trojans (RATs) and bots.

In the past, when multiple cyber attackers have targeted the same system, the attacks usually occurred across many months or multiple years. Sophos researchers have observed that recently, this type of cyber attack has been taking place within days or weeks of each other. In one case, simultaneously, often with the different attackers accessing a target's network through the same vulnerable entry point.

An attack described in Sophos' white paper involved two attacks, which initially took place within two hours with the third attack taking place two weeks later. Each ransomware gang left its own ransom demand and some of the files were triple encrypted.


John Shier, senior security advisor at Sophos, explains businesses should focus on three essential security aspects to bolster protection.

"Cyber security that includes prevention, detection and response is critical for organisations of any size and type – no business is immune.

"Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted.

"It’s bad enough to get one ransomware note, let alone three," Shier said.

Typically, criminal groups compete for resources, making it more difficult for multiple attackers to operate simultaneously. Cryptominers normally kill their competitors on the same system, and today's RATs often highlight bot killing as a feature on criminal forums.

According to Sophos researchers, however, an attack involving the three ransomware groups, for example, BlackCat the last ransomware group on the system not only deleted traces of its own activity, but also deleted the activity of LockBit and Hive.

In another case, researchers observed a system was infected by LockBit ransomware. Then, about three months later, members of Karakurt Team, a group with reported ties to Conti, was able to leverage the backdoor LockBit created to steal data and hold it for ransom.

On the whole, according to Shier, ransomware groups don't appear openly antagonistic towards one another.

"In fact, LockBit explicitly doesn't forbid affiliates from working with competitors, as indicated in Sophos' white paper," said Shier.

"We don't have evidence of collaboration, but it's possible this is due to attackers recognising that there are a finite number of 'resources' in an increasingly competitive market.

"Or, perhaps, they believe the more pressure placed on a target i.e. multiple attacks the more likely the victims are to pay," Shier added.

Most of the initial infections for the attacks highlighted in the white paper occurred through either an unpatched vulnerability, with some of the most notable being Log4Shell, ProxyLogon, and ProxyShell, or poorly configured, unsecured remote desktop protocol (RDP) servers.

Referring to data from Sophos' latest Active Adversary Playbook, Shier noted that it was in 2021 when researchers began seeing organisations falling victim to multiple attacks simultaneously, indicating that this may be a growing trend.

"While the rise in multiple attackers is still based on anecdotal evidence, the availability of exploitable systems gives cyber criminals ample opportunity to continue heading in this direction," Shier further explained.

In most of the cases involving multiple attackers, the victims failed to remediate the initial attack effectively, leaving the door open for future cyber criminal activity. In those instances, the same RDP misconfigurations, as well as applications like RDWeb or AnyDesk, became an easily exploitable pathway for follow-up attacks as exposed RDP and VPN servers are some of the most popular listings sold on the dark web.

"Perhaps they’re having discussions at a high level, agreeing to mutually beneficial agreements, for example, where one group encrypts the data and the other exfiltrates.

"At some point, these groups will have to decide how they feel about cooperation whether to further embrace it or become more competitive but, for now, the playing field is open for multiple attacks by different groups," Shier concluded.

[Related: Deepfake attacks and cyber extortion, new tools in cyber crime playbook]

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.