Ransomware victims are being targeted by multiple attackers within weeks, days, and even hours, according to a new whitepaper from security vendor Sophos.
Called Multiple Attackers: A Clear and Present Danger and published today during the annual Black Hat conference in Las Vegas, the study details an incident in which the Hive, LockBit, and BlackCat ransomware gangs each targeted the same network. The first two attacks took place within two hours of each other, with the third attack following two weeks later. Each ransomware gang left its own ransom demand, Sophos says, and some of the victim’s files were triple encrypted.
The report describes additional examples of cryptominers, remote access trojans, and bots compromising networks within weeks or days of one another, and in some cases at the same time.
“Victims are being targeted by multiple attackers and within a single compromised environment,” said Sophos CTO Joe Levy in a conversation with ChannelPro. “We find not only one attacker, but sometimes two attackers or even three attackers simultaneously operating and taking advantage of this now weakened and compromised environment.”
Attacks on shared victims are taking place much sooner than the months or years that typically elapsed between them in the past, Levy adds, thanks in part to the automated tools that threat actors can now use to identify exposed environments.
“It’s becoming easier and easier for attackers to find vulnerable victims and then to exploit them,” Levy says. “Every time this happens—the weaponization of the discovery of the vulnerability, and then the exploitation of that vulnerability—the time cycles continue to compress and compress and compress.”
Traditionally, Levy notes, cybercriminals fight one another for exclusive access to compromised environments. “Attackers will attempt to compete within an environment, and they will attempt to remove competing attackers,” Levy says. Ransomware in particular, he continues, is an exception to that longstanding norm.
The new whitepaper published today was produced by Sophos X-Ops, a cross-operational group launched three weeks ago that rolls together the vendor’s SophosLabs, Sophos SecOps, and Sophos AI teams. Combining threat analysis, threat hunting, and incident response experts with artificial intelligence developers in a single organization enables Sophos to both identify attacks and deploy automated protection from them faster and more effectively, the company says.
It also mimics the cybercrime underworld’s mutually reinforcing ecosystem of specialized players, in which initial access brokers (IABs) sell stolen credentials to ransomware gangs via dark web marketplaces operated by yet another set of perpetrators. “We’re seeing the attackers exhibiting these kinds of discrete behaviors in these industrialized supply chains,” Levy says. “We believe that a reasonable kind of countermeasure from the defender industry is something like X-Ops.”
A similar logic, he adds, informs the Adaptive Cybersecurity Ecosystem, an initiative introduced by Sophos last year that seeks to help multiple products from multiple vendors share threat intelligence and coordinate responses to attacks.
“We believe that it’s necessary for cybersecurity products to become more interactive,” Levy says. “We’re well past the days of being able to practice set and then forget security.”