Ransomware victims are being targeted by multiple attackers within weeks, days, and even hours, according to a new whitepaper from security vendor Sophos.
Called Multiple Attackers: A Clear and Present Danger and published today during the annual Black Hat conference in Las Vegas, the study details an incident in which the Hive, LockBit, and BlackCat ransomware gangs each targeted the same network. The first two attacks took place within two hours, with the third attack following two weeks later. Each ransomware gang left its own ransom demand, Sophos says, and some of the victim’s files were triple encrypted.
The report describes additional examples of cryptominers, remote access trojans, and bots compromising networks within weeks or days of one another, and in some cases at the same time.
“Victims are being targeted by multiple attackers and within a single compromised environment,” said Sophos CTO Joe Levy in a conversation with ChannelPro. “We find not only one attacker, but sometimes two attackers or even three attackers simultaneously operating and taking advantage of this now weakened and compromised environment.”
Attacks on shared victims are taking place much sooner than the months or years that typically elapsed between them in the past, Levy adds, thanks in part to the automated tools that threat actors can now use to identify exposed environments.
“It’s becoming easier and easier for attackers to find vulnerable victims and then to exploit them,” Levy says. “Every time this happens—the weaponization of the discovery of the vulnerability, and then the exploitation of that vulnerability—the time cycles continue to compress and compress and compress.”
Traditionally, Levy notes, cybercriminals fight one another for exclusive access to compromised environments. “Attackers will attempt to compete within an environment, and they will attempt to remove competing attackers,” Levy says. Ransomware in particular, he continues, is an exception to that longstanding norm.
The new whitepaper published today was produced by Sophos X-Ops, a cross-operational group launched three weeks ago that rolls together the vendor’s SophosLabs, Sophos SecOps, and Sophos AI teams. Combining threat analysis, threat hunting, and incident response experts with artificial intelligence developers in a single organization enables Sophos to both identify attacks and deploy automated protection from them faster and more effectively, the company says.
It also mimics the cybercrime underworld’s mutually reinforcing ecosystem of specialized players, in which initial access brokers (IABs) sell stolen credentials to ransomware gangs via dark web marketplaces operated by yet another set of perpetrators. “We’re seeing the attackers exhibiting these kinds of discrete behaviors in these industrialized supply chains,” Levy says. “We believe that a reasonable kind of countermeasure from the defender industry is something like X-Ops.”
A similar logic, he adds, informs the Adaptive Cybersecurity Ecosystem, an initiative introduced by Sophos last year that seeks to help multiple products from multiple vendors share threat intelligence and coordinate responses to attacks.
“We believe that it’s necessary for cybersecurity products to become more interactive,” Levy says. “We’re well past the days of being able to practice set and then forget security.”
X-Ops is a key part of how Sophos plans to create the AI-assisted security operations center of the future, in which artificial intelligence and machine learning technology amplify the talents of experienced analysts.
“It’s kind of silly to think, at this point at least, that it’s ever going to be possible to replace humans outright with some kind of an AI, but we’re certainly demonstrably to the point where we can augment humans with an AI,” Levy says. “We can help humans see patterns that generally would be beyond the capacity of a human analyst by allowing these AIs to operate on massive volumes of information, find patterns within that information that would often escape human intuition, and correlate the data in ways that humans might have to perform manually.”
Realizing that vision, Levy continues, is impossible without both a deep pool of threat intelligence from hundreds of millions of endpoints and cross-disciplinary organizations like X-Ops.
“Getting the information by itself is not sufficient because it requires curation,” Levy says. “You have to have a labs operation that allows for global analysis of a threat landscape, you have to have an AI team with an ML operation that can run at scale, and you have to have the security operations team, because you need the people on the front lines who are actually doing the cybersecurity work and who are engaging in hand-to-hand combat with adversaries. All of these are necessary ingredients.”
According to Levy, Sophos is “on the journey” to building a true AI-driven SOC of its own. “We do have dozens of different [AI] models that are in operation today within our products,” he says. “What we intend to do is just continue to iterate on this and make it better and better.”
X-Ops will provide crucial assistance, Levy adds, by helping Sophos test and refine its models. “You need to put them into some sort of a production environment whereby you can introduce what we call an AI/UX feedback circuit,” he explains. “This is basically a feedback loop between the model and the operators of the model, so that you can continuously be going through the process of telling the model whether it’s doing a good job or not when it makes some sort of a prediction.”
The X-Ops whitepaper published today includes advice on avoiding assaults from multiple attackers. In addition to basic best practices like keeping software patched, eliminating configuration errors, and using a VPN or zero-trust network access solution with multifactor authentication when accessing systems remotely, the recommendations include assuming that other attackers have already found your vulnerabilities.
“Threat actors don’t operate in isolation,” the report says. “IABs might resell or relist their products, and ransomware affiliates may use multiple strains—so one vulnerability or misconfiguration can lead to multiple threat actors seeking to exploit your network.”
The report also urges victims to move fast on attacks in progress. “Being listed on a leak site may attract other, opportunistic threat actors,” it notes.