Three prominent ransomware gangs (Hive, LockBit and BlackCat) have attacked the same network, belonging to a large unnamed business, one after another. The first two attacks occurred within two hours of one another; the third came two weeks later. Each group left its own ransom demand, and by the end some files had been encrypted three times over.
In this instance BlackCat, the last of the three on the victim's system, also deleted logs and other traces of the attacks. Months later, members of the Karakurt Team, a group with reported connections to the Conti ransomware operation, used a backdoor planted by one of the three earlier groups to steal data and hold it for ransom.
In the past, when multiple threat groups hit the same system, the attacks occurred months or years apart. Now, in some cases, attacks are occurring within days or weeks of one another, and in at least one case, simultaneously.
Cyber criminal enterprises typically compete with one another for resources, which discourages cooperation. For example, cryptominers ordinarily kill competing miners on the same system, and on criminal forums today's Remote Access Trojans (RATs) commonly advertise bot killing as a feature. However, that may be changing.
Some experts speculate that ransomware operators may be engaged in high-level discussions, working to create new, mutually beneficial collaborative agreements.
In the majority of cases involving multiple attackers, the victim organization failed to remediate the initial attack effectively. That initial attack typically came through an unpatched vulnerability (Log4Shell, ProxyLogon and ProxyShell are recent examples) or through poorly configured, unsecured Remote Desktop Protocol (RDP) servers.
Because the same unpatched applications and RDP misconfigurations were still in place afterwards, they became an easily exploitable set of pathways for the attackers that followed. Exposed RDP and VPN servers are currently among the most popular 'for sale' listings on the dark web.
A growing trend
The fact that many organizations are falling victim to multiple attacks in rapid succession suggests this may become a growing trend. Certain facets of the underground cyber criminal economy lend themselves to multiple, consecutive attacks: for instance, the reselling of network access, and leak sites whose published data can be weaponized in later attacks.
At this stage, researchers say that only anecdotal evidence suggests that the multi-attack phenomenon is increasing. Nonetheless, organizations may wish to engage in structured efforts to avoid falling victim to successive ransomware attacks.
Key action items
Increase your organization’s resilience by:
- Updating everything. Webshells, cryptominers and backdoors often appear shortly after a vulnerability is disclosed. Because they are stealthy, organizations commonly believe they have avoided an attack when in fact one is already in progress on a system.
- Prioritizing the worst bugs. Deciding which bugs to fix first can be daunting, as more than 50 vulnerabilities are disclosed per day on average. Focus on two things: 1) critical bugs that affect your specific software stack, and 2) high-profile vulnerabilities that could interrupt the functioning of your technology.
- Avoiding misconfigurations. We've all heard it: misconfigurations, and failures to fix them after a cyber attack, are a leading cause of repeat exploitation. Cryptominer operators, ransomware affiliates and others routinely scan for exposed RDP and VPN ports, because such access is highly sought after within the criminal underground.
- Assuming attackers have found your vulnerabilities. A single vulnerability might appear innocuous, until one attacker finds it and resells it to a series of others.
- Addressing in-progress attacks quickly. Once an attack has landed, your organization's data may be listed on the dark web within hours. Ensure that your team responds to the incident immediately and closes the initial point of entry, so that access sold on the dark web cannot be used for further attacks.
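The "prioritizing the worst bugs" rule above is easy to state and tedious to apply by hand. The following script, an added example that is not part of the original article or of any product mentioned in it, shows the triage logic in code: keep only the findings that hit software actually present in the asset inventory, then rank by whether the bug is known to be exploited, whether the host is internet-facing, and only then by CVSS score. The hosts, the "examplevpn"/"exampledb" products, the VULN-* entries and the scoring weights are constructed for the demonstration; CVE-2021-44228 (Log4Shell) is the one real entry, with its real fixed version 2.15.0.

```python
"""Vulnerability triage against an asset inventory.

Added example (not from the original article). It implements the
"prioritize the worst bugs" rule: keep only findings that affect
software actually in the stack, then rank by known exploitation,
internet exposure and severity. Assets, version bounds, product
names and the VULN-* identifiers are constructed sample data;
CVE-2021-44228 (Log4Shell) is the one real entry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    product: str
    fixed_version: str      # first version that is no longer affected
    cvss: float
    known_exploited: bool   # e.g. listed in CISA's KEV catalog


def version_key(version: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, vuln: Vuln) -> bool:
    """An asset is affected if it runs the product below the fixed version."""
    return (asset.product == vuln.product
            and version_key(asset.version) < version_key(vuln.fixed_version))


def priority_score(asset: Asset, vuln: Vuln) -> float:
    """Higher is more urgent.

    Known exploitation dominates everything else, internet exposure comes
    next, and CVSS only orders findings within those bands. The weights
    (100 and 50) are an assumption of this example, not a standard.
    """
    score = vuln.cvss
    if vuln.known_exploited:
        score += 100
    if asset.internet_facing:
        score += 50
    return score


def prioritize(assets, vulns):
    """Return (score, vuln_id, host) for every affected pair, most urgent first."""
    findings = [
        (priority_score(a, v), v.vuln_id, a.host)
        for a in assets for v in vulns if is_affected(a, v)
    ]
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


# Constructed inventory and findings for the demonstration.
ASSETS = [
    Asset("web-01", "log4j", "2.14.1", internet_facing=True),
    Asset("build-02", "log4j", "2.17.1", internet_facing=False),
    Asset("vpn-01", "examplevpn", "9.1.3", internet_facing=True),
    Asset("db-01", "exampledb", "12.4", internet_facing=False),
]

VULNS = [
    Vuln("CVE-2021-44228", "log4j", "2.15.0", 10.0, known_exploited=True),
    Vuln("VULN-A", "examplevpn", "9.2.0", 7.2, known_exploited=False),
    Vuln("VULN-B", "exampledb", "12.5", 9.8, known_exploited=False),
    Vuln("VULN-C", "notinstalled", "1.0", 10.0, known_exploited=True),
]

if __name__ == "__main__":
    for score, vuln_id, host in prioritize(ASSETS, VULNS):
        print(f"{score:6.1f}  {vuln_id:16}  {host}")
```

Two things worth noticing in the output: VULN-C, despite a CVSS of 10.0 and known exploitation, produces no finding at all because nothing in the inventory runs that product, and VULN-A on the internet-facing VPN host outranks the higher-CVSS VULN-B on an internal database. That is the point of the rule: severity scores alone do not tell you which bug the next attacker will walk in through.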
3X the trouble
Multiple, consecutive ransomware attacks create a new level of complexity when it comes to system recovery, especially when files are triple encrypted. They can also create new levels of expense – ratcheting up remediation bills by thousands, hundreds of thousands or millions of dollars.
Given the crowded and competitive threat environment, the problem of multiple, consecutive attackers is poised to proliferate. Some hackers may deliberately target a recent victim, while others will do so unintentionally.
To get ahead of this emerging trend, organizations need to update systems, prioritize patching, fix misconfigurations, check for backdoors and take additional security precautions. Further research is expected to show how organizations can best get ahead of the multi-attack phenomenon.
Looking for more on this story? Visit AP News. For more information about ransomware prevention, see CyberTalk.org's past coverage.