A growing number of organisations are falling victim to multiple ransomware gangs at the same time, according to new research from security provider Sophos.
While other kinds of cybercriminals tend to be highly competitive, disrupting each other’s operations when given the chance, some ransomware groups appear to be happy to coexist on a victim’s infrastructure, Sophos found, and may even cooperate.
This can multiply the damage suffered by victims, Sophos warned.
In a research report published this week, Sophos identifies “an uptick in the number of cases where organisations have been attacked multiple times”.
“There are a variety of underlying causes, from big vulnerabilities and misconfigurations to threat actors competing for resources and dominance in an increasingly crowded threat environment,” it says.
In many cases, these incidents involve multiple kinds of cybersecurity threats, often following a specific sequence. Once an organisation has been compromised, cryptominers will typically arrive first, Sophos reports, followed by botnets, then malware delivery systems such as webshells or remote access trojans (RATs). These may feed data to initial access brokers (IABs), who finally lead the way to ransomware.
Ransomware gangs ‘happy to coexist’
In many cases, the cybercriminals behind these various threats are antagonistic. “Cryptominers, for example, often try to terminate the processes of other cryptominers, because CPU resources are finite, and a concurrent infection generates less revenue,” Sophos explains.
But ransomware groups seem to be happy to coexist. Sophos has observed organisations being “hit by multiple ransomware attacks, sometimes because the threat actors didn’t know a previous infection had occurred, but more often because they simply didn’t care”.
In one case, ransomware strains from three groups – Hive, LockBit and BlackCat – were discovered on an unnamed victim’s IT systems at the same time.
Ransomware groups may even work together, Sophos found, “so that one group exfiltrates and the other encrypts”.
This is bad news for victims as it may result in multiple attacks in quick succession. “Just when you think that the worst has finally happened – and you now know for certain that it’s ‘when,’ and not ‘if’ – you’re hit with another attack,” Sophos says in its report. “Our findings suggest a typical gap of around six weeks between attacks in cases where the same organisation is attacked multiple times.”
Suffering multiple overlapping attacks also extends recovery time, explained John Shier, senior security advisor at Sophos. “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted,” he said in a statement.
The best way to defend against overlapping attacks is to implement regular updates and to patch against the worst bugs first, Sophos advises. Widespread vulnerabilities such as ProxyLogon and ProxyShell are often used by ransomware gangs and IABs, as is Log4Shell. CISOs should patch these vulnerabilities immediately to protect their systems.
Finally, patch everything, the report advises. “One of our key findings is that cryptominers, and webshells and backdoors deployed by IABs, often come first when a vulnerability has been disclosed, and the latter typically try to operate stealthily – so you might think you’ve avoided an attack, when in fact there’s already malware on your system.
“Patching early is the best way to avoid being compromised in the future.”
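The sequence Sophos describes (cryptominers first, then botnets, then webshells or RATs, then ransomware) and the six-week gap it reports between repeat attacks can be turned into a simple triage rule for a defender's alert feed: a host that has only shown "early stage" detections is not clean, it is a host where the rest of the chain may follow, and a host with two ransomware events inside the window is the repeat-victim case the report warns about. The script below is an added example, not code from Sophos or the report; the alert line format, host names and timestamps are constructed for illustration, and the stage mapping and the six-week window are taken from the article's own description.

```python
"""Stage-based host triage over a constructed alert feed.

Maps each alert type to its position in the intrusion sequence the
article describes (cryptominer -> botnet -> webshell/RAT -> ransomware),
then reports per host the most advanced stage seen, whether only
precursor stages have appeared, and whether ransomware recurred within
the roughly six-week gap the report mentions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage ordering taken from the article's description of the sequence.
STAGE_ORDER = {
    "cryptominer": 1,
    "botnet": 2,
    "webshell": 3,
    "rat": 3,
    "ransomware": 4,
}
STAGE_NAMES = {1: "cryptominer", 2: "botnet", 3: "delivery (webshell/RAT)", 4: "ransomware"}
REPEAT_WINDOW = timedelta(weeks=6)  # typical gap between repeat attacks per the report

# Constructed sample alerts in a hypothetical "timestamp,host,alert_type" format.
SAMPLE_ALERTS = """\
2022-05-01T09:12:00,host-a,cryptominer
2022-05-03T14:20:00,host-a,webshell
2022-05-20T02:05:00,host-b,ransomware
2022-06-28T03:40:00,host-b,ransomware
2022-06-02T11:00:00,host-c,cryptominer
"""


def parse_alerts(text):
    """Parse alert lines into (timestamp, host, kind) tuples, skipping unknown types."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, kind = line.split(",")
        kind = kind.lower()
        if kind not in STAGE_ORDER:
            continue  # unknown alert type: ignore rather than mis-stage it
        alerts.append((datetime.fromisoformat(ts), host, kind))
    return alerts


def triage(alerts):
    """Return per-host summary: most advanced stage, precursor-only flag, repeat-ransomware flag."""
    by_host = defaultdict(list)
    for ts, host, kind in alerts:
        by_host[host].append((ts, kind))
    report = {}
    for host, events in by_host.items():
        events.sort()  # chronological order so consecutive ransomware gaps are meaningful
        max_stage = max(STAGE_ORDER[k] for _, k in events)
        ransomware_times = [ts for ts, k in events if k == "ransomware"]
        repeat = any(
            later - earlier <= REPEAT_WINDOW
            for earlier, later in zip(ransomware_times, ransomware_times[1:])
        )
        report[host] = {
            "max_stage": max_stage,
            "stage": STAGE_NAMES[max_stage],
            # Only early-chain activity seen: the host is compromised, not clean.
            "precursor_only": max_stage < 4,
            "repeat_ransomware": repeat,
        }
    return report


def prioritised_hosts(report):
    """Order hosts: repeat-ransomware victims first, then by most advanced stage, then by name."""
    return sorted(
        report,
        key=lambda h: (not report[h]["repeat_ransomware"], -report[h]["max_stage"], h),
    )


if __name__ == "__main__":
    rep = triage(parse_alerts(SAMPLE_ALERTS))
    for host in prioritised_hosts(rep):
        r = rep[host]
        if r["repeat_ransomware"]:
            flag = "REPEAT RANSOMWARE within window"
        elif r["precursor_only"]:
            flag = "precursor stage only: investigate for follow-on access"
        else:
            flag = ""
        print(f"{host}: stage {r['max_stage']} ({r['stage']}) {flag}")
```

Run as-is it ranks the constructed hosts with the repeat ransomware victim first and lists the two precursor-only hosts as open investigations rather than closed alerts, which is the practical reading of the report's point that a cryptominer or webshell is often the first visible sign of an intrusion that has not yet reached its final stage.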
Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.