August 10, 2022, updated 17 Aug 2022 9:27am

Businesses are falling victim to multiple ransomware gangs at once

One victim had three ransomware groups coexisting on its network, Sophos finds.

By Claudia Glover

A growing number of organisations are falling victim to multiple ransomware gangs at the same time, according to new research from security provider Sophos.

While other kinds of cybercriminals tend to be highly competitive, disrupting each other’s operations when given the chance, some ransomware groups appear to be happy to coexist on a victim’s infrastructure, Sophos found, and may even cooperate.

This can multiply the damage suffered by victims, Sophos warned.

Multiple simultaneous attacks “create a whole new level of complexity for recovery,” Sophos warns. (Image by malerapaso / iStock).

In a research report published this week, Sophos identifies “an uptick in the number of cases where organisations have been attacked multiple times”.

“There are a variety of underlying causes, from big vulnerabilities and misconfigurations to threat actors competing for resources and dominance in an increasingly crowded threat environment,” it says.

In many cases, these incidents involve multiple kinds of cybersecurity threats, often following a specific sequence. Once an organisation has been compromised, cryptominers will typically arrive first, Sophos reports, followed by botnets, then malware delivery systems such as webshells or remote access trojans (RATs). These may feed data to initial access brokers (IABs), who lead the way, finally, to ransomware.

Ransomware gangs ‘happy to coexist’

In many cases, the cybercriminals behind these various threats are antagonistic. “Cryptominers, for example, often try to terminate the processes of other cryptominers, because CPU resources are finite, and a concurrent infection generates less revenue,” Sophos explains.

But ransomware groups seem to be happy to coexist. Sophos has observed organisations being “hit by multiple ransomware attacks, sometimes because the threat actors didn’t know a previous infection had occurred, but more often because they simply didn’t care”.

In one case, ransomware strains from three groups – Hive, LockBit and BlackCat – were discovered on an unnamed victim’s IT systems at the same time.

Ransomware groups may even work together, Sophos found, “so that one group exfiltrates and the other encrypts”.

This is bad news for victims as it may result in multiple attacks in quick succession. “Just when you think that the worst has finally happened – and you now know for certain that it’s ‘when,’ and not ‘if’ – you’re hit with another attack,” Sophos says in its report. “Our findings suggest a typical gap of around six weeks between attacks in cases where the same organisation is attacked multiple times.”

Suffering multiple overlapping attacks also extends recovery time, explained John Shier, senior security advisor at Sophos. “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted,” he said in a statement.

The best way to defend against overlapping attacks is to implement regular updates and to patch against the worst bugs first, Sophos advises. Widespread vulnerabilities such as ProxyLogon and ProxyShell are often used by ransomware gangs and IABs, as is Log4Shell. CISOs should patch these vulnerabilities immediately to protect their systems.

Finally, patch everything, the report advises. “One of our key findings is that cryptominers, and webshells and backdoors deployed by IABs, often come first when a vulnerability has been disclosed, and the latter typically try to operate stealthily – so you might think you’ve avoided an attack, when in fact there’s already malware on your system.

“Patching early is the best way to avoid being compromised in the future.”
